Skip to content
vScope Support Page

Setting Up WMI on Target Machines Without Administrator Access

vScope can inventory Windows OS machines, including Hyper-V and VMM, using the WMI protocol. Although using a local administrator account is the simplest way to set up WMI, this guide will walk you through setting up WMI access for an Active Directory (AD) group, allowing non-administrator users to connect.

Configure WMI Access for AD Group

This guide provides steps to grant WMI access to an AD group, which can include any domain or local users.

Create an Active Directory Group

  1. Create AD Group
    • Open Active Directory and create a group called, for example, “WMI Access Users.”

Add the AD Group to the Distributed COM Users Group

  1. Open lusrmgr.msc.

  2. Go to Groups.

  3. Open Distributed COM Users and add the “WMI Access Users” group.

    Distributed Com Groups for WinRM

Configure WMI Permissions

  1. Open wmimgmt.msc in the command prompt.

  2. Right-click on WMI Control and select Properties.

    WMI Control Properties for settings up WMI on target machine

  3. Go to the Security tab, select Root in the tree, and click Security.

  4. Click Advanced and then Add.

  5. Select a Principal and enter the group name, e.g., “WMI Access Users.”

  6. Set Applies to to This namespace and subnamespaces and grant permissions for Execute Methods, Enable Account, Remote Enable, and Read Security.

  7. Click Apply and OK to save settings.

    Screenshot for configuring WMI namespace

Configure DCOM Permissions

  1. Open dcomcnfg.

  2. Expand Component Services > Computers, right-click My Computer, and select Properties.

    Finding properties in Component Services for setting up WMI on target machine

  3. Go to the COM Security tab.

  4. Under Access Permissions and Launch and Activation Permissions, click Edit Default… and add the “WMI Access Users” group, allowing all permissions.

    Computer Properties finding default security groups

  5. Click Apply and OK in all windows to save settings.

Additional Configuration for WMI Access

If the above steps do not enable WMI, check the following configurations:

Open Firewall for WMI Traffic

Run the following command in the command prompt:

Terminal window
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Disable User Account Control (UAC) for Remote Access

Disabling UAC for remote access can help vScope access certain information on the target machine more effectively. However, please note that this setting affects security, as it changes how Windows manages access tokens for remote connections.

  1. Open the Registry Editor (regedit).

  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  3. Locate the LocalAccountTokenFilterPolicy key. If it does not exist, you will need to create it:

  • Right-click on System in the left pane.
  • Select New > DWORD (32-bit) Value.
  • Name the new value LocalAccountTokenFilterPolicy.
  1. Double-click LocalAccountTokenFilterPolicy and set its value to 1:
  • 0 = Enables Remote UAC filtering (default).
  • 1 = Disables Remote UAC filtering.
  1. Close the Registry Editor.

By setting this key to 1, you disable the UAC token filtering for remote connections, allowing vScope to retrieve information from target machines more freely. Keep in mind, however, that disabling UAC for remote access can lower the security of the target machine, so it should be used cautiously and monitored.

For more details, refer to Microsoft’s documentation on User Account Control and Remote Restrictions.