Using WMI without having full ‘administrator’ permissions

Modified on Tue, 07 May 2019 at 11:50 AM

Create a "domain user"/"local user" for PRTG, e.g. prtguser


FOR A SINGLE COMPUTER


Step 1:

On the target computer, put your "prtguser" user in these local groups:
– Distributed COM Users
– Performance Monitor Users

  • Note: if you do this, you shouldn't need to use DCOMcnfg to set the DCOM permissions.

Step 2:

  • If the computers are in a Windows domain, put your "prtguser" user in the domain groups called 'Distributed COM Users' and 'Performance Monitor Users'.
  • On the collector computer, put your 'prtguser' user in the local Administrators group (so the PRTG service can install and run properly).

Step 3:

  • On the target computer, open 'Computer Management' ('Control Panel > Administrative Tools > Computer Management'), or run wmimgmt.msc, which opens the WMI Control snap-in directly
  • Right click on “WMI control” and click “Properties”
  • Click the “Security” tab
  • Click on “Root” then click the “Security” button
  • Add the "prtguser" user to the list (or the group "Performance Monitor Users")
  • Tick the permission checkboxes to allow "Execute Methods", "Enable Account" and "Remote Enable". Click 'Advanced', select the user, click 'Edit' and set "Applies to" to 'This namespace and subnamespaces'. Click OK all the way out.


With GPO


1 – Create the Group Policy Object

Open the Group Policy Management:

  • Create a new GPO and name it WMI Access
  • Link it to the domain.local domain (drag and drop it onto domain.local) or to the specific organizational unit.
  • Make sure the GPO is applied to all machines in the domain that will be scanned via WMI (adjust Security Filtering etc. as needed).

2 – GPO settings

DCOM

  • Right-click WMI Access (which is the GPO we just created), select Edit
  • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  • Select Properties at: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Check the Define this policy setting
  • Select Edit Security …
  • Click Add …
  • Under Enter the object names to select: Enter prtguser and click Check Names. The user is now filled in automatically
  • Click OK
  • Select prtguser (prtguser@domain.local)
  • Under Permissions: Tick Allow on both Local Access and Remote Access
  • Click OK
  • Click OK
  • Select Properties under: DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Check Define this policy setting
  • Select Edit Security …
  • Click Add …
  • Under Enter the object names to select: Enter prtguser and click Check Names. The user is now filled in automatically
  • Click OK
  • Select prtguser (prtguser@domain.local)
  • Under Permissions: Tick Allow at Local Launch, Remote Launch, Local Activation and Remote Activation
  • Click OK
  • Click OK

Firewall

  • Right-click WMI Access (the GPO we just created), select Edit
  • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security
  • In the right pane, expand Windows Firewall with Advanced Security until Inbound Rules is visible, then right-click on it
  • Choose New Rule …
  • Select Predefined and Windows Management Instrumentation (WMI) in the list
  • Click Next
  • Tick all the Windows Management Instrumentation rules in the list (usually 3 rules)
  • Click Next
  • Select Allow The Connection
  • Click Finish
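The firewall rules above only open the RPC/DCOM path; whether the monitoring account can actually use it is only known once a connection is tried from the collector. The following PowerShell is an added example, not part of the original article: it enables the same predefined "Windows Management Instrumentation (WMI)" inbound rule group on a single target (the manual equivalent of the GPO step for a machine outside the policy) and then tests a WMI connection from the collector over DCOM, mapping the two typical failures to the part of this article that fixes them. The host name 'target01.domain.local' and the 'DOMAIN\prtguser' account name are placeholders.

```powershell
# Added example, not part of the original article: check the WMI inbound rule group on a
# target and test a DCOM (not WinRM) connection as the monitoring account from the collector.
# Assumptions: 'target01.domain.local' and 'DOMAIN\prtguser' are placeholders; the rule
# group name is the predefined one the GPO wizard offers.

# --- Run on the TARGET (elevated): enable the same predefined inbound rules the GPO step
# ticks, then list them so the result can be checked.
$ruleGroup = 'Windows Management Instrumentation (WMI)'
Get-NetFirewallRule -DisplayGroup $ruleGroup -Direction Inbound | Enable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup $ruleGroup -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize

# --- Run on the COLLECTOR: PRTG WMI sensors use DCOM/RPC, so the test forces the Dcom
# protocol instead of New-CimSession's WinRM default. The catch block maps the two
# failures this article is about to the section that fixes them.
function Test-WmiAccess {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Namespace = 'root\cimv2'
    )
    $session = $null
    try {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                                  -SessionOption $opt -ErrorAction Stop
        $os = Get-CimInstance -CimSession $session -Namespace $Namespace `
                              -ClassName Win32_OperatingSystem -ErrorAction Stop
        [pscustomobject]@{ Computer = $ComputerName; Result = 'OK'; Detail = $os.Caption }
    }
    catch {
        $msg  = $_.Exception.Message
        $hint = switch -Regex ($msg) {
            'Access is denied|0x80070005'          { 'DCOM limits (step 2) or WMI namespace rights (step 3) missing' }
            'RPC server is unavailable|0x800706BA' { 'RPC/DCOM blocked, check the firewall rules above' }
            default                                { 'Unexpected error' }
        }
        [pscustomobject]@{ Computer = $ComputerName; Result = 'FAILED'; Detail = "$hint - $msg" }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Usage: prompts for the prtguser password and prints one result object per host.
'target01.domain.local' | ForEach-Object {
    Test-WmiAccess -ComputerName $_ -Credential (Get-Credential -UserName 'DOMAIN\prtguser' -Message 'Monitoring account')
}
```

Run the test with the prtguser credentials rather than an administrator account: a successful check as admin proves nothing about the restricted account, which is the whole point of this article.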

3 – Rights for WMI namespace

These settings cannot be set with a regular GPO. For a user who is not an administrator this step is critical and must be done exactly as described below; if it is not, login attempts via WMI result in Access Denied.

  • Run wmimgmt.msc from a command prompt
  • Right-click WMI Control, and select Properties
  • Select the Security tab
  • Select Root of the tree and click on Security
  • Click Add …
  • Under Enter the object names to select: Enter prtguser and click Check Names. The user is now filled in automatically
  • Click OK
  • Select prtguser (prtguser@domain.local)
  • Under Permissions for prtguser, select Allow for Execute Methods, Enable Account, Remote Enable and Read Security
  • Select prtguser and click Advanced
  • Under the Permissions tab, select prtguser
  • Click Edit
  • Under the "Applies to" list, choose This namespace and subnamespaces. It is very important that the rights are applied recursively down the entire tree!
  • Click OK
  • Click OK
  • Click OK
  • Click OK
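Because the namespace rights cannot be pushed through a GPO, they have to be set on every target. The PowerShell below is an added example, not part of the original article: it performs the local-group membership from Step 1 and the namespace rights from Step 3 of the single-computer procedure / section 3 above (Enable Account, Execute Methods, Remote Enable, Read Security on root, inherited by all subnamespaces) through the __SystemSecurity class, and reads the resulting DACL back so the new entry and its inherit flag can be checked. It assumes it is run elevated on the target, that the account is 'DOMAIN\prtguser' (use plain 'prtguser' for a local user), and that the built-in groups carry their standard Windows names.

```powershell
# Added example, not part of the original article: Step 1 (local groups) and Step 3 /
# section 3 (WMI namespace rights) done with PowerShell on the target instead of the GUI.
# Assumptions: run elevated on the target; 'DOMAIN\prtguser' is a placeholder account name;
# the group names are the built-in Windows ones.

$Account = 'DOMAIN\prtguser'   # placeholder, adjust for your environment

# Resolve the account (local or domain) to its SID once; used for both steps
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 1: local group membership, compared by SID so re-runs do not error
foreach ($group in 'Distributed COM Users', 'Performance Monitor Users') {
    $already = Get-LocalGroupMember -Group $group | Where-Object { $_.SID.Value -eq $sid }
    if (-not $already) { Add-LocalGroupMember -Group $group -Member $Account }
}

# Step 3: WMI access-mask bits (wbemcli.h) for the boxes the article ticks
$WBEM_ENABLE             = 0x00001   # Enable Account
$WBEM_METHOD_EXECUTE     = 0x00002   # Execute Methods
$WBEM_REMOTE_ACCESS      = 0x00020   # Remote Enable
$READ_CONTROL            = 0x20000   # Read Security
$CONTAINER_INHERIT_ACE   = 0x2       # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0

function Grant-WmiNamespaceAccess {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [string] $Namespace = 'root',
        [int] $AccessMask = ($WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL)
    )
    # __SystemSecurity is the singleton that carries the namespace's security descriptor
    $sec = Get-WmiObject -Namespace $Namespace -Class __SystemSecurity
    $got = $sec.GetSecurityDescriptor()
    if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($got.ReturnValue)" }
    $sd = $got.Descriptor

    # Idempotent: stop if an inheritable allow ACE with these bits already exists for the SID
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.SidString -eq $Sid -and
            $ace.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
            ($ace.AccessMask -band $AccessMask) -eq $AccessMask -and
            ($ace.AceFlags -band $CONTAINER_INHERIT_ACE)) {
            return "Already granted to $Sid on $Namespace"
        }
    }

    # Build the trustee and an inheritable allow ACE, then write the descriptor back
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $Sid
    $new = ([wmiclass]'Win32_Ace').CreateInstance()
    $new.AccessMask = $AccessMask
    $new.AceFlags   = $CONTAINER_INHERIT_ACE
    $new.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $new.Trustee    = $trustee
    $sd.DACL += $new.psobject.ImmediateBaseObject

    $set = $sec.SetSecurityDescriptor($sd.psobject.ImmediateBaseObject)
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
    'Granted 0x{0:X} to {1} on {2}, inherited by all subnamespaces' -f $AccessMask, $Sid, $Namespace
}

function Get-WmiNamespaceAcl {
    # Read-back check: one row per ACE so the new entry and its inherit flag are visible
    param([string] $Namespace = 'root')
    $sd = (Get-WmiObject -Namespace $Namespace -Class __SystemSecurity).GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Trustee  = if ($ace.Trustee.Name) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.SidString }
            Type     = if ($ace.AceType -eq $ACCESS_ALLOWED_ACE_TYPE) { 'Allow' } else { 'Deny' }
            Mask     = '0x{0:X}' -f $ace.AccessMask
            Inherits = [bool]($ace.AceFlags -band $CONTAINER_INHERIT_ACE)
        }
    }
}

Grant-WmiNamespaceAccess -Sid $sid
Get-WmiNamespaceAcl | Format-Table -AutoSize
```

The access mask deliberately stops at the four rights the article names; none of the write bits (Full Write, Partial Write, Provider Write, Edit Security) are granted, which is what keeps the monitoring account read-only on the WMI repository. The read-back output should show an Allow entry for prtguser with Mask 0x20023 and Inherits set to True; an entry without the inherit flag is exactly the "not applied recursively" mistake the article warns about.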
