
Trying to understand Remote WMI permissions

Janssen

#1
Hello. I've been tasked with querying, starting, and stopping services on a
remote machine using a machine-specific local account on the remote machine.
I've decided that an easy way to do this would be to use Powershell:

$cred = Get-Credential   # to be stored later on in an encrypted text file
gwmi win32_service -cred $cred -comp computer | ? {$_.Name -like "Myservice"}

However, I'm having trouble figuring out what permissions are needed to make
a remote WMI call in Powershell. When I add the said account to the
computer's administrator group, it works. But when the account is in the
user group, the gwmi call fails with access denied. I don't want to make
that account an admin account. I only want it to be able to start, stop, and
query services, which I've delegated through a GPO.

I've tried opening the WMI Control in Computer Management, and as a test,
granted the account write/execute/remote enable/etc. at the root level, and
propagated the changes down, but that doesn't work, so I'm thinking there
must be some other permission required in order for gwmi to work remotely for
a non-admin account. Any ideas as to what I'm missing? I know the question
isn't SPECIFICALLY a Powershell question, but I'm not sure where else I'd
post the question.

Thanks in advance,

Janssen Jones
 


Marco Shaw

#2
Janssen wrote:

> Hello. I've been tasked with querying, starting, and stopping services on a
> remote machine using a machine-specific local account on the remote machine.
> I've decided that an easy way to do this would be to use Powershell:
>
> $cred = Get-Credential   # to be stored later on in an encrypted text file
> gwmi win32_service -cred $cred -comp computer | ? {$_.Name -like "Myservice"}
>
> However, I'm having trouble figuring out what permissions are needed to make
> a remote WMI call in Powershell. When I add the said account to the
> computer's administrator group, it works. But when the account is in the
> user group, the gwmi call fails with access denied. I don't want to make
> that account an admin account. I only want it to be able to start, stop, and
> query services, which I've delegated through a GPO.
>
> I've tried opening the WMI Control in Computer Management, and as a test,
> granted the account write/execute/remote enable/etc. at the root level, and
> propagated the changes down, but that doesn't work, so I'm thinking there
> must be some other permission required in order for gwmi to work remotely for
> a non-admin account. Any ideas as to what I'm missing? I know the question
> isn't SPECIFICALLY a Powershell question, but I'm not sure where else I'd
> post the question.
>
> Thanks in advance,
>
> Janssen Jones

Just in case... Read this since you're asking about WMI and credentials:
http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=1041

Marco

--
----------------
PowerGadgets MVP
http://www.powergadgets.com/mvp

Blog:
http://marcoshaw.blogspot.com
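
A local check of the separate access-control layers that gate the remote `gwmi win32_service` call described in the first post, added here as an example and not part of the thread or either poster's code. The account name `svc-operator` is a constructed placeholder, and the script assumes Windows PowerShell 5.1 in an elevated session on the target machine; it reports only ACEs that name the account directly.

```powershell
# Added example; run in an elevated session ON the target machine.
# 'svc-operator' is a constructed placeholder for the local account.
param([string]$Account = 'svc-operator', [string]$Service = 'Myservice')

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# True when allow-ACEs naming the account directly cover every bit in $Mask.
# Grants that arrive through group membership are not resolved here.
function Test-SddlGrant([string]$Sddl, [string]$Sid, [int]$Mask) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $Sid) {
            $granted = $granted -bor $ace.AccessMask
        }
    }
    ($granted -band $Mask) -eq $Mask
}

# Layer 1, DCOM: non-admins normally get remote launch/activation through
# the built-in "Distributed COM Users" group.
$dcom = [bool](Get-LocalGroupMember -Group 'Distributed COM Users' |
    Where-Object { $_.SID.Value -eq $sid })

# Layer 2, WMI namespace ACL (what the WMI Control snap-in edits).
# 0x1 = Enable Account, 0x20 = Remote Enable; AceType 0 = allow.
$wmiSd = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
    -Name GetSecurityDescriptor).Descriptor
$wmiMask = 0
foreach ($ace in $wmiSd.DACL) {
    if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) {
        $wmiMask = $wmiMask -bor $ace.AccessMask
    }
}

# Layer 3, Service Control Manager and the service's own DACL.
# SCM: 0x1 connect + 0x4 enumerate. Service: 0x1 query config,
# 0x4 query status, 0x10 start, 0x20 stop.
$scmSddl = ((& sc.exe sdshow scmanager) -join '').Trim()
$svcSddl = ((& sc.exe sdshow $Service) -join '').Trim()

[pscustomobject]@{
    Account               = $Account
    DcomUsersMember       = $dcom
    WmiEnableAndRemote    = ($wmiMask -band 0x21) -eq 0x21
    ScmConnectEnumerate   = Test-SddlGrant $scmSddl $sid 0x5
    ServiceQueryStartStop = Test-SddlGrant $svcSddl $sid 0x35
}
```

Any row that reports False is a layer where the account has no direct grant; the WMI Control change described in the first post affects only the second row.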
 
