
Setting up WMI/WinRM Without Local Admin

vScope can use the WMI protocol to inventory Windows OS machines, including Hyper-V machines and the VMM. By following these steps, WMI and WinRM access will be configured for a non-administrator domain user, allowing vScope to inventory the machine remotely.

  • Create a user called, e.g., “svc_vscope” in Active Directory.

Add User to Local Group Distributed COM Users

  • Open lusrmgr.msc.
  • Go to Groups.
  • Open “Distributed COM Users” and add the user “svc_vscope.”
  • Click apply.

This step grants necessary local access permissions.

  • Run wmimgmt.msc in Command Prompt.
  • Right-click “WMI Control” and select Properties.
  • Go to the Security tab, select “Root” in the tree, and click Security.
  • Click Advanced and Add the user “svc_vscope.”
  • Set Applies to: “This namespace and subnamespaces” and check Execute Methods, Enable Account, Remote Enable, and Read Security.

This configures WMI permissions for the user.

  • Open dcomcnfg.
  • Expand Component Services > Computers > My Computer, right-click and select Properties.
  • Under COM Security, edit Access Permissions and Launch and Activation Permissions.
  • Add “svc_vscope” with full permissions for both.

This enables necessary DCOM permissions for the user.

  • In Command Prompt, enter:
winrm configSDDL default
  • Add “svc_vscope” to the permissions list, allowing Read(Get, Enumerate, Subscribe) and Execute(Invoke) actions.

The domain user now has remote WMI/WinRM access to the target machine.
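As an added verification step (this script is not part of the vScope documentation), the following PowerShell, run from an administrator's workstation, connects to the target as the service account over both transports vScope can use, DCOM (classic WMI) and WinRM (WS-Man), and reports which one succeeds. The host name and account name are assumed placeholders.

```powershell
# Added example: verify the non-admin account's remote WMI/WinRM access.
# Assumptions: target host 'HV01.example.local', account 'EXAMPLE\svc_vscope'.
param(
    [string]$ComputerName = 'HV01.example.local',
    [string]$UserName     = 'EXAMPLE\svc_vscope'
)

# Prompt for the service account's password; nothing is stored on disk.
$cred = Get-Credential -UserName $UserName -Message "Password for $UserName"

function Test-RemoteWmiAccess {
    param(
        [string]$Computer,
        [pscredential]$Credential,
        [ValidateSet('Dcom', 'Wsman')][string]$Protocol
    )
    $opt = New-CimSessionOption -Protocol $Protocol
    try {
        # Dcom exercises the Distributed COM Users / COM Security steps;
        # Wsman exercises the 'winrm configSDDL default' step.
        $session = New-CimSession -ComputerName $Computer -Credential $Credential `
                                  -SessionOption $opt -ErrorAction Stop
        # The WMI namespace permissions (WMI Control, root, Remote Enable) are
        # what this query actually depends on, whichever transport is used.
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        [pscustomobject]@{ Protocol = $Protocol; Success = $true;  Detail = $os.Caption }
    } catch {
        # 0x80070005 (E_ACCESSDENIED) at connect time points at the DCOM/WinRM steps;
        # 0x80041003 (WBEM_E_ACCESS_DENIED) points at the WMI namespace security step.
        [pscustomobject]@{ Protocol = $Protocol; Success = $false; Detail = $_.Exception.Message }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

'Dcom', 'Wsman' |
    ForEach-Object { Test-RemoteWmiAccess -Computer $ComputerName -Credential $cred -Protocol $_ } |
    Format-Table -AutoSize
```

Both rows should show Success = True once the steps above are complete; a failure on only one protocol isolates the step that still needs attention.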

Optional Configurations for Additional Access


If WMI does not work after the previous setup, try the following configurations:

Run the following command in Command Prompt:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Disable User Account Control (UAC) for Remote Access

  1. Open regedit.
  2. Set the following registry value (a DWORD) from 0 to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
  • 0 = Remote UAC access token filtering is enabled.
  • 1 = Remote UAC is disabled.

Reference: Microsoft documentation on User Account Control and Remote Restriction

Enable RPC Permissions on a Single Target Machine

  1. Open Microsoft Management Console (mmc) on the target machine.
  2. Add the “Group Policy Object Editor” snap-in.
  3. Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile (or Standard Profile for a Workgroup network).
  4. Edit Windows Firewall: Allow Remote Administration Exception.
  5. Set to Enabled and allow unsolicited incoming messages from “localsubnet” (no quotes).
  6. Apply settings and run gpupdate /force if immediate application is required.