User rights for WMI access

tango

Hi,

I would like to know what are the minimum user rights to perform a
remote WMI query in a Windows domain (in Windows 2000 and Windows XP).
I have been looking for a document listing the rights but I haven't found any
good answer. When I use an administrator profile WMI works, but when
using a lower profile the query sometimes works but sometimes I get an
"Access denied" error message. We have already configured the
appropriate user permissions in wmimgmt.msc but we continue with the same
error.

So, what are the minimum rights to configure for the network user?
Where should I define these settings (using Active Directory or the
"Local Security settings" in secpol.msc)? Does some official Windows
document exist explaining exactly what is needed?

Thanks in advance,

Jordi
 
Scott McNairy (MVP)

See this link, however to help further a WMI class name would be helpful and
any relevant source code you can provide as well. Often times these issues
are client permissions related, so even if a client has access to a
namespace additional permissions may be required, having the class name that
the user is having trouble with will help us narrow it down.

http://www.microsoft.com/technet/scriptcenter/resources/wmifaq.mspx#EFAA

Thanks
 
tango

Thank you for your answer, we have checked the link you gave us in your
response, and we are now sure we have already correctly configured
namespace permissions.

Our application performs queries to operating system classes (such as
win32_process, win32_service, win32_operatingsystem,
win32_computersystem, and some more) and performance classes (such as
win32_perfrawdata_perfos_processor, win32_perfrawdata_perfos_memory,
win32_perfrawdata_perfproc_process), all in the root/cimv2 namespace.

We know a "local administrator" user can perform these queries, but we
don't like to use administrator due to security risks. We have searched
on the Internet and we have not found any information that permits us to
create a harmless user with enough permissions to perform these queries.

Any time we have detected an "Access denied" error with our application
we have tried the same WMI query using wbemtest.exe and both
applications have the same behaviour (access denied), so we understand
there is not a problem with our application but a problem with user rights.

Thanks
 
Scott McNairy (MVP)

Your user account should only require "Remote Enable" and "Enable Account"
security settings on the namespace to be able to read data, you can verify
these settings in winmgmt.msc.

Can you post the section of code where you do the connection to the
root\cimv2 namespace? Sometimes a common error that causes this problem is
specifying the user name without the domain\user format or the computer\user
format, sometimes users just specify the "user" and this error can result.
 
tango

Hi,

We had already configured the root\cimv2 namespace with "remote enable",
"enable account". This configuration is enough in some systems to
retrieve all the information we are interested in. But we have problems
in one Windows 2003 system retrieving performance information, while
queries to win32_process, win32_service and win32_operatingsystem work
properly.

In one of our customers' headquarters, we have detected the opposite
problem: performance classes work correctly while win32_logicaldisk,
win32_process and win32_service don't work.

We have tried wbemtest and in all cases we get the same results (when
the WMI query works/fails the behaviour is the same with our application
and with wbemtest). The error code we get is always the same: 80041003
(access denied). We always use a non-administrative domain user.
Everything starts working correctly when we change to any user in the domain
admin group. Is there any security policy that can be responsible for
this behaviour?

Perhaps this text found in Framework.log while performing a query that
returns the "access denied" code explains what is happening, but we
haven't found anything useful on the Internet about it...

Shell Name Explorer.exe in Registry not found in process list. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.156]
Unable to locate Shell Process, Impersonation failed. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.168]

Thank you
 
Scott McNairy (MVP)

Can I ask you what specifically you are doing with the Win32_Process,
Win32_LogicalDisk, and Win32_Service classes when this error occurs? Client
side code samples would be nice, or at least some information about what
specifically you are doing with the classes. Puts, or delete operations
etc. Or just read operations.

As for the perf problem, try to do a "winmgmt.exe /resyncperf" on the
command line of the troubling machine and see if that helps fix the problem.

--
Scott McNairy
Microsoft MVP - Windows Server Management Infrastructure


 
tango

Hi,

Sorry for not responding in such a long time, we have been working hard...
It seems that we have fixed the problem. What was confusing to us was
the different behaviour of the same configuration on different systems.

The privileges you told us to activate (remote enable and enable
account) work on our PCs only on Windows 2000, Windows XP SP1 and
Windows 2003 without any service pack installed. In later versions (XP
SP2 and 2003 SP1) every time we tried to connect using a
non-administrative user profile the query failed with an access denied
(0x80070005) error.

This error code indicates that the user cannot use the provider on the remote
system (this error belongs to DCOM). By using dcomcnfg.exe we have been
able to give the user access and launch rights by default to any DCOM
application (these privileges can be given only to Windows Management
Instrumentation to reduce security risks).

Thanks for your help
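
The fix described in this thread touches two separate layers: the WMI namespace ACL ("Remote Enable", "Enable Account") and the DCOM access and launch permissions set with dcomcnfg.exe. The following is an added example, not code from any poster: a Windows PowerShell 5.1 audit of both layers on the local machine. It assumes Windows Vista / Server 2008 or later (the GetSecurityDescriptor method is not available on the Windows 2000/XP/2003 systems discussed here) and an elevated session; the function names are illustrative.

```powershell
# Added example, not from the thread. Windows PowerShell 5.1, elevated session.

# WMI namespace access-mask bits, named as in the WMI Control security dialog.
$WmiRights = [ordered]@{
    0x1     = 'Enable Account'
    0x2     = 'Execute Methods'
    0x4     = 'Full Write'
    0x8     = 'Partial Write'
    0x10    = 'Provider Write'
    0x20    = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}

function ConvertFrom-WmiAccessMask {
    param([uint32]$Mask)
    $WmiRights.GetEnumerator() |
        Where-Object { $Mask -band [uint32]$_.Key } |
        ForEach-Object { $_.Value }
}

# Layer 1: who holds which rights on the namespace (the 0x80041003 layer).
function Get-WmiNamespaceAcl {
    param([string]$Namespace = 'root\cimv2')
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($r.ReturnValue)" }
    foreach ($ace in $r.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights  = (ConvertFrom-WmiAccessMask $ace.AccessMask) -join ', '
        }
    }
}

# Layer 2: machine-wide DCOM defaults and limits (the 0x80070005 layer).
function Get-DcomMachineSddl {
    $ole    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $helper = [wmiclass]'Win32_SecurityDescriptorHelper'
    foreach ($name in 'DefaultAccessPermission', 'DefaultLaunchPermission',
                      'MachineAccessRestriction', 'MachineLaunchRestriction') {
        $sddl = if ($ole.$name) { $helper.BinarySDToSDDL($ole.$name).SDDL } else { '(not set)' }
        [pscustomobject]@{ Setting = $name; SDDL = $sddl }
    }
}

# Accounts that can reach the namespace remotely, then the DCOM settings.
Get-WmiNamespaceAcl | Where-Object { $_.Type -eq 'Allow' -and $_.Rights -match 'Remote Enable' }
Get-DcomMachineSddl
```

Comparing the trustees in the two outputs shows whether a monitoring account was granted namespace rights but not DCOM rights, or was given DCOM rights machine-wide when they could have been scoped to Windows Management Instrumentation only.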
 
I have the same problem on win2k sp4. I need to use Win32_LogicalDisk with a non-administrator user.
I have already set (in WMI control) full rights for everyone (and for root and cimv2 also),
and I have just tried to give access and launch rights to power users,
but Win32_LogicalDisk still does not work :(
I need this to check drives only on the local computer.

Could you please help?
Thanks
spuri
 
