Re: WMI Query Permissions

Tech-Archive recommends: Fix windows errors by optimizing your registry

---

• From: Bradley Plett <plettb@xxxxxxxxxxxxxxxx>
• Date: Tue, 09 Oct 2007 17:54:12 -0600

---

This has not gotten me any closer to being able to give a standard
user access to the WMI objects. :-(

Brad.

On Fri, 05 Oct 2007 06:51:53 GMT, jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey
Tan[MSFT]") wrote:

Hi Brad,

I have provided a reply to you in 2007/10/3. I am not sure why this message
did not show up in your news reader.

Anyway, I paste my original reply below for your information:

"Yes, you can, but you must change the permissions at different level to
grant this user (or group which contains this user, which is a much better
approach). Below is a complete list of settings in different levels(from my
colleague's slide in TechED 2007 and TechReady 2007):

1. Firewall security (for traffic to go through. To be done in any case)
2. DCOM security (For a plain user to instantiate DCOM object remotely)
3. WMI namespace security (for WMI to accept the connection on the
namespace when you are a user)
4. Manageable entity security (IIS in your case, for allowing the user to
manipulate the resource if needed).

1. Windows Firewall settings with NETSH (or WF.MSC)
Activate the WMI firewall rules (Vista):
NETSH.EXE ADVFIREWALL FIREWALL SET RULE GROUP=¡°<GROUPRULE>" NEW ENABLE=YES
NETSH.EXE ADVFIREWALL FIREWALL SET RULE NAME=¡°<RULENAME>" NEW ENABLE=YES

1 Group rule for WMI: Windows Management Instrumentation (WMI)
4 individual rules for MWI (DCOM-In, WMI-In, WMI-Out, Async-In)
RULE 1: Windows Management Instrumentation (DCOM-In)
RULE 2: Windows Management Instrumentation (WMI-In)
RULE 3: Windows Management Instrumentation (WMI-Out)
RULE 4: Windows Management Instrumentation (ASync-In)

Execute rule 1 and 2 for incoming WMI traffic.

If downlevel (XP SP2, 2003 SP1), allow RPC traffic to go through.

2. DCOM Security with DCOMCNFG.EXE
¡°My Computer¡± (Edit Limits -> Launch and Activate)
Remote Access is granted to Administrators ONLY!
Local Access is granted to Everyone

¡°Windows Management and Instrumentation¡±
Local and Remote Access is granted to Everyone
Blocked by the Edit Limits of ¡°My Computer¡±

3. WMI Security with WMIMGMT.MSC
Per WMI namespace:
Remote Access is granted to Administrators ONLY!
Local Access is granted to Authenticated Users (Everyone before Vista)"

If there is anything unclear, please feel free to tell me, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

.

---

• Follow-Ups:
  • Re: WMI Query Permissions
    • From: "WenJun Zhang[msft]"
  • Re: WMI Query Permissions
    • From: "Jeffrey Tan[MSFT]"
  • Re: WMI Query Permissions
    • From: "Jeffrey Tan[MSFT]"

• References:
  • WMI Query Permissions
    • From: Bradley Plett
  • RE: WMI Query Permissions
    • From: "Jeffrey Tan[MSFT]"
  • Re: WMI Query Permissions
    • From: Bradley Plett
  • Re: WMI Query Permissions
    • From: "Jeffrey Tan[MSFT]"

• Prev by Date: Re: Invoking BringOnline on MSCluster_Resource remotely - Generic
• Next by Date: Re: Querying remotely Win32_DiskDrive of 2000/2003 with non-admin user
• Previous by thread: Re: WMI Query Permissions
• Next by thread: Re: WMI Query Permissions
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Cant open help and support ... and just a note- whatever it was that I was trying to fix ... Windows Management Instrumentation (WMI) does not show up in services. ... be supprised if help and support direct me to go to the nearest mental health ... (microsoft.public.windowsxp.help_and_support) Re: Cant open help and support ... Windows Management Instrumentation (WMI) does not show up in services. ... I will now try Repairing and re-registering the WMI, ... (microsoft.public.windowsxp.help_and_support) Re: Unable to connect to WMI service ... Windows Management Instrumentation (WMI) might be corrupted. ... [Windows Management Instrumentation - WinMgmt could not initialize the core ... providers are out of process from the actual WMI service. ... (microsoft.public.windowsxp.security_admin) Re: System Information help ... [[You may receive any of the following error messages in Windows XP: ... Windows Management Instrumentation (WMI) might be corrupted. ... >>> I cannot access the System Information on my XP Home, ... (microsoft.public.windowsxp.newusers) Re: WMI Query Permissions ... Firewall security (for traffic to go through. ... WMI namespace security (for WMI to accept the connection on the ... Windows Management Instrumentation (WMI) ... Microsoft Online Community Support ... (microsoft.public.win32.programmer.wmi)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Development  > microsoft.public.win32.programmer.wmi  > 2007-10