
Setting up WMI-Access with GPO in AD

vScope can use the WMI/WinRM protocol to inventory Windows assets.

With WMI, vScope can use a normal user account; it does not need to be an administrator. What matters is that the account has read access to WMI, is allowed to connect remotely over DCOM, and that the WMI traffic is allowed through the firewall. Here is how to set up a domain user account with minimum read access.

To do this you need to make a few settings on the machines to be scanned. Most of them can be pushed with Group Policy Objects (GPO) in Active Directory (AD), but the most important one (Rights for WMI Namespace, below) is not exposed as a GPO setting: it has to be set on each target machine, either by hand, with a computer startup script, or remotely by an administrator. Without it the account is refused at the WMI namespace even when DCOM and the firewall let it through.

Follow the examples below:

In our case, we run Active Directory on Windows Server 2008 R2, and we want to scan a target machine running Windows Server 2012 R2. Our domain is called “ISL” (DNS name ISL.local), and we name our dedicated WMI user account “wmiuser.”

Settings from Active Directory

  1. Create a User Account

    • Open the Active Directory Administrative Center:
      • Go to ISL > Users
      • Right-click and select New > User
      • Create a new user account (normal user) and specify its User Principal Name (UPN) login as “wmiuser@ISL.local”.
      • Ensure “Member of” is set to “Domain Users”.
  2. Create the Group Policy Object (GPO)

    • Open Group Policy Management:
      • Create a new GPO named WMI Access.
      • Link it to ISL.local domain.
      • Ensure the GPO applies to all machines in the domain to be scanned.
  3. Configure DCOM Settings in GPO

    • Right-click WMI Access (GPO), select Edit:
      • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
      • Under DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax:
        • Check Define this policy setting.
        • Click Edit Security…, then Add… and enter ISL\wmiuser.
        • Check Allow for Local Access and Remote Access.
      • Repeat for DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax:
        • Check Define this policy setting.
        • Click Edit Security…, add ISL\wmiuser.
        • Check Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
      • Defining either policy replaces the machine-wide DCOM limits on the target computers. Keep the entries that are already in the list (the defaults, such as Everyone and Distributed COM Users) and only add ISL\wmiuser to them; removing the defaults breaks DCOM for other remote clients.
  4. Firewall Settings

    • Right-click WMI Access (GPO), select Edit:
      • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security.
      • Expand Inbound Rules, right-click and select New Rule….
      • Choose Predefined and Windows Management Instrumentation (WMI).
      • Tick all Windows Management Instrumentation rules.
      • Select Allow The Connection.
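The account, the GPO and the firewall rules from steps 1, 2 and 4 can also be created from PowerShell. The script below is an added example and not part of the vScope documentation; it uses the ActiveDirectory, GroupPolicy and NetSecurity modules (RSAT) and must be run as a Domain Admin on a domain controller or an admin workstation with RSAT. The domain, container, user and GPO names are the ones used in this article; the address in $vscopeServer is an assumption, used to scope the inbound rules to the scanner instead of allowing any source as the predefined WMI rules do. Step 3 (the DCOM limits) is left to the GPO editor as described above.

```powershell
# Added example (not vScope's own script): steps 1, 2 and 4 of "Settings from
# Active Directory" in PowerShell. Requires RSAT and Domain Admin rights.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$domainDns    = 'ISL.local'
$domainDn     = 'DC=ISL,DC=local'
$userName     = 'wmiuser'
$gpoName      = 'WMI Access'
$vscopeServer = '10.0.0.50'   # assumed address of the vScope host

# Step 1: a plain domain user. Domain Users is the primary group of every new
# account, so no extra memberships are needed (and none should be added).
$password = Read-Host -AsSecureString -Prompt "Password for $userName"
New-ADUser -Name $userName -SamAccountName $userName `
    -UserPrincipalName "$userName@$domainDns" -Path "CN=Users,$domainDn" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'vScope WMI inventory account (read-only)'

# Step 2: the GPO, linked at the domain root so every computer to be scanned
# receives it.
New-GPO -Name $gpoName -Comment 'DCOM limits and firewall rules for vScope WMI inventory' | Out-Null
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# Step 4: inbound rules equivalent to the predefined "Windows Management
# Instrumentation (WMI)" rules that matter for inventory: the DCOM endpoint
# mapper on TCP 135 (RpcSs) and the WMI service on its dynamic RPC port
# (Winmgmt). Limited to the domain profile and to the scanner's address.
$gpoSession = Open-NetGPO -PolicyStore "$domainDns\$gpoName"
$common = @{
    GPOSession    = $gpoSession
    Group         = 'vScope WMI Access'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'
    Protocol      = 'TCP'
    Program       = '%SystemRoot%\system32\svchost.exe'
    RemoteAddress = $vscopeServer
}
New-NetFirewallRule @common -DisplayName 'vScope WMI (DCOM-In)' -Service RpcSs   -LocalPort 135 | Out-Null
New-NetFirewallRule @common -DisplayName 'vScope WMI (WMI-In)'  -Service Winmgmt -LocalPort RPC | Out-Null
Save-NetGPO -GPOSession $gpoSession

# Show what ended up in the GPO's firewall policy.
Get-NetFirewallRule -PolicyStore "$domainDns\$gpoName" |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

The two rules only cover the connection vScope initiates. The predefined group also contains an ASync-In rule for unsecapp.exe, which is needed for WMI event callbacks but not for inventory reads, so it is left out here.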

Rights for WMI Namespace

This step requires manual configuration on each target machine. For a non-admin user, it’s very important to configure permissions for the WMI namespace correctly to avoid access denial.

  1. Configure WMI Namespace Rights
    • Run wmimgmt.msc.
    • Right-click WMI Control, select Properties.
    • On the Security tab, select Root and click Security.
    • Click Add… and enter ISL\wmiuser.
    • Allow Execute Methods, Enable Account, Remote Enable, and Read Security for wmiuser. Leave the write permissions (Full Write, Partial Write, Provider Write, Edit Security) unchecked; inventory only needs to read.
    • Click Advanced…, select ISL\wmiuser, click Edit… and under Applies to select This namespace and subnamespaces, so that root\cimv2 and the other subnamespaces inherit the entry.
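The same namespace rights can be set without the wmimgmt.msc dialog, which is what a computer startup script or an administrator working remotely needs. The function below is an added example, not a script from vScope: it reads the security descriptor of the namespace through the __SystemSecurity class, appends an allow ACE for the account with exactly the four rights listed above and the "this namespace and subnamespaces" inheritance flag, and writes the descriptor back. It needs Windows PowerShell (the WMI cmdlets are not in PowerShell 7) and administrator rights on the target. The function name is an assumption; ISL\wmiuser is the article's account.

```powershell
# Added example (not vScope's own script): grant read-level WMI namespace rights
# to a domain account on root and all subnamespaces, locally or remotely.
function Grant-WmiNamespaceRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'ISL\wmiuser'
        [string]$Namespace    = 'root',
        [string]$ComputerName = '.'               # '.' = this machine
    )

    # Access-mask bits of a WMI namespace (wbemcli.h), matching the checkboxes
    # in wmimgmt.msc. Write bits are deliberately not included.
    $WBEM_ENABLE         = 0x00001   # Enable Account
    $WBEM_METHOD_EXECUTE = 0x00002   # Execute Methods
    $WBEM_REMOTE_ACCESS  = 0x00020   # Remote Enable
    $READ_CONTROL        = 0x20000   # Read Security
    $mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL  # 0x20023

    $CONTAINER_INHERIT_ACE   = 0x2   # "This namespace and subnamespaces"
    $ACCESS_ALLOWED_ACE_TYPE = 0x0

    # Store the SID, not the name, so the ACE survives renames and does not
    # depend on name resolution on the target.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@'; ComputerName = $ComputerName }
    $get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Idempotent: skip if an allow ACE for this SID already carries every bit we want.
    $already = $sd.DACL | Where-Object {
        $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
        $_.Trustee.SidString -eq $sid -and
        ($_.AccessMask -band $mask) -eq $mask
    }
    if ($already) { Write-Verbose "$Account already has read rights on $Namespace"; return }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    if ($PSCmdlet.ShouldProcess("$ComputerName ($Namespace)", "grant $Account read-level WMI rights")) {
        $set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
        if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }
    }
}

# On the target itself, or as a GPO computer startup script (runs as SYSTEM):
Grant-WmiNamespaceRead -Account 'ISL\wmiuser' -Verbose

# Or from an admin workstation against a remote target:
# Grant-WmiNamespaceRead -Account 'ISL\wmiuser' -ComputerName 'TARGET01' -Verbose
```

To run it on every target through the GPO, assign it under Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup in the WMI Access GPO; it runs as SYSTEM at boot and does nothing on machines where the entry already exists.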

Verify Settings on Each Machine

On machines to be scanned by vScope, ensure the GPO is applied.

  1. Force GPO Update

    • In an elevated command prompt, type:
      gpupdate /force
    • Verify by entering (the GPO carries computer settings, so ask for the computer scope; this needs the elevated prompt):
      gpresult /r /scope computer
    • Confirm WMI Access is listed under Applied Group Policy Objects in the Computer Settings section.
  2. Test Discovery with vScope

    • Use ISL\wmiuser as the username with the correct password and verify the discovery result.
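Before running a discovery, the same connection can be tested from the vScope server as ISL\wmiuser, and a failure can be traced to the setup step that usually causes it. The function below is an added example, not part of vScope: it reads Win32_OperatingSystem over DCOM/WMI with the low-privilege credential and maps the error to the step above. The function name and the target name TARGET01 are assumptions.

```powershell
# Added example (not vScope's own script): test remote WMI access as the
# inventory account and explain a failure in terms of the setup steps.
function Test-WmiInventoryAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Namespace = 'root\cimv2'
    )
    try {
        $os = Get-WmiObject -Namespace $Namespace -Class Win32_OperatingSystem `
                -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        return [pscustomobject]@{ Computer = $ComputerName; Result = 'OK'; Detail = $os.Caption }
    }
    catch {
        $ex = $_.Exception
        if ($ex -is [System.Management.ManagementException]) {
            # WMI itself answered; ErrorCode is a ManagementStatus value such as AccessDenied.
            $code = $ex.ErrorCode.ToString()
        } else {
            # DCOM/RPC layer failed; report the HRESULT as unsigned hex (0x80070005 etc.).
            $code = '0x{0:X8}' -f $ex.HResult
        }
        $hint = switch ($code) {
            '0x800706BA'   { 'RPC server unavailable: firewall rule (step 4), name resolution, or host down' }
            '0x80070005'   { 'DCOM refused the connection: Machine Access/Launch Restrictions (step 3)' }
            '0x8007052E'   { 'Logon failure: wrong password, or account disabled/locked (step 1)' }
            'AccessDenied' { 'WMI namespace refused the account: Rights for WMI Namespace' }
            default        { $ex.Message }
        }
        return [pscustomobject]@{ Computer = $ComputerName; Result = $code; Detail = $hint }
    }
}

$cred = Get-Credential 'ISL\wmiuser'
Test-WmiInventoryAccess -ComputerName 'TARGET01' -Credential $cred

# All servers in the domain at once (needs the ActiveDirectory module):
# Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
#     ForEach-Object { Test-WmiInventoryAccess -ComputerName $_.DNSHostName -Credential $cred } |
#     Format-Table -AutoSize
```

The distinction between 0x80070005 and AccessDenied is the useful one: the first comes back before WMI is reached and points at DCOM, the second comes from WMI itself and points at the namespace permissions that the GPO cannot set.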

Additional Information

If information is missing, remote UAC token filtering may be the cause. Note that this filtering only applies to local (non-domain) accounts that are members of the local Administrators group; a domain user such as ISL\wmiuser is not affected by it, so with the setup above it should not be needed. If you scan with a local administrator account instead, disable the filtering by setting a registry value on the target machines:

  • Open regedit, go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and create (or edit) the DWORD value LocalAccountTokenFilterPolicy.
  • Set it to 1 to disable remote UAC token filtering. Local administrators then get a full administrative token over the network, which also makes that account usable for lateral movement, so protect its password accordingly.
  • 0 (or a missing value) keeps remote UAC token filtering enabled.

By following these steps, you can set up WMI access with minimal permissions.