Setting up WMI/WinRM Without Local Admin

vScope can use the WMI protocol to inventory Windows OS machines, including Hyper-V machines and the VMM. By following these steps, WMI and WinRM access will be configured for a non-administrator domain user, allowing vScope to inventory the machine remotely.

Create User in Active Directory

  • Create a user called, e.g., “svc_vscope” in Active Directory.

Add User to Local Group Distributed COM Users

  • Open lusrmgr.msc.
  • Go to Groups.
  • Open “Distributed COM Users” and add the user “svc_vscope.”
  • Click Apply.

This step grants necessary local access permissions.

Set WMI Permissions

  • Run wmimgmt.msc in Command Prompt.
  • Right-click “WMI Control” and select Properties.
  • Go to the Security tab, select “Root” in the tree, and click Security.
  • Click Advanced and Add the user “svc_vscope.”
  • Set Applies to: “This namespace and subnamespaces” and check Execute Methods, Enable Account, Remote Enable, and Read Security.

This configures WMI permissions for the user.

Configure DCOM Permissions

  • Open dcomcnfg.
  • Expand Component Services > Computers > My Computer, right-click and select Properties.
  • Under COM Security, edit Access Permissions and Launch and Activation Permissions.
  • Add “svc_vscope” with full permissions for both.

This enables necessary DCOM permissions for the user.

Enable WinRM

  • In Command Prompt, enter:
      winrm configSDDL default
  • Add “svc_vscope” to the permissions list, allowing Read (Get, Enumerate, Subscribe) and Execute (Invoke) actions.

The domain user now has remote WMI/WinRM access to the target machine.

Optional Configurations for Additional Access

If WMI does not work after the previous setup, try the following configurations:

Open Firewall for WMI Traffic

Run the following command in Command Prompt:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Disable User Account Control (UAC) for Remote Access

  1. Open regedit.
  2. Set the following registry value from 0 to 1:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
  • 0 = Remote UAC access token filtering is enabled.
  • 1 = Remote UAC access token filtering is disabled.

Reference: Microsoft documentation on User Account Control and Remote Restriction

Enable RPC Permissions on a Single Target Machine

  1. Open Microsoft Management Console (mmc) on the target machine.
  2. Add the “Group Policy Object Editor” snap-in.
  3. Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile (or Standard Profile for a Workgroup network).
  4. Edit Windows Firewall: Allow Remote Administration Exception.
  5. Set to Enabled and allow unsolicited incoming messages from “localsubnet” (no quotes).
  6. Apply settings and run gpupdate /force if immediate application is required.
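To confirm that the steps above and the optional settings took effect, the following PowerShell script reports each setting for the service account without changing anything. It is an added example, not part of the vScope documentation, and assumes the domain name CONTOSO and the account name svc_vscope; it also checks that the account did not end up in the local Administrators group, which is the point of the non-admin setup.

```powershell
# Added check script, not part of the vScope documentation. Run it in an elevated
# PowerShell session on the target host. Assumed values: domain "CONTOSO", account
# "svc_vscope"; adjust $Account to match your environment.
param([string]$Account = 'CONTOSO\svc_vscope')
$ErrorActionPreference = 'Stop'
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Least privilege: member of Distributed COM Users, NOT of Administrators.
$inDcom  = [bool](Get-LocalGroupMember -Group 'Distributed COM Users' | Where-Object { $_.SID.Value -eq $sid })
$inAdmin = [bool](Get-LocalGroupMember -Group 'Administrators'        | Where-Object { $_.SID.Value -eq $sid })
"Distributed COM Users member : $inDcom"
"Local Administrators member  : $inAdmin (expected False)"

# 2. WMI namespace rights on root. WBEM mask bits: Enable Account 0x1,
#    Execute Methods 0x2, Remote Enable 0x20, Read Security 0x20000.
$wmiNeed = 0x20023
$desc = (Invoke-CimMethod -Namespace root -ClassName __SystemSecurity `
            -MethodName GetSecurityDescriptor).Descriptor
$wmiMask = 0
foreach ($ace in $desc.DACL) {
    # AceType 0 = ACCESS_ALLOWED; inheritance to subnamespaces is AceFlags bit 0x2
    if ($ace.Trustee.SIDString -eq $sid -and $ace.AceType -eq 0) { $wmiMask = $wmiMask -bor $ace.AccessMask }
}
'WMI root rights              : 0x{0:X} (need 0x{1:X}) -> {2}' -f $wmiMask, $wmiNeed, (($wmiMask -band $wmiNeed) -eq $wmiNeed)

# 3. WinRM root SDDL (the descriptor "winrm configSDDL default" edits).
#    Read = GENERIC_READ 0x80000000, Execute = GENERIC_EXECUTE 0x20000000.
$winrmNeed = [int64]0xA0000000
$sddl = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
$rsd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$winrmMask = [int64]0
foreach ($ace in $rsd.DiscretionaryAcl) {
    if ($ace.SecurityIdentifier.Value -eq $sid -and $ace.AceType -eq 'AccessAllowed') {
        $winrmMask = $winrmMask -bor ([int64]$ace.AccessMask -band 0xFFFFFFFF)
    }
}
'WinRM root SDDL rights       : 0x{0:X} (need 0x{1:X}) -> {2}' -f $winrmMask, $winrmNeed, (($winrmMask -band $winrmNeed) -eq $winrmNeed)

# 4. Optional items: the WMI firewall rule group and LocalAccountTokenFilterPolicy.
$fw = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' | Where-Object Direction -eq 'Inbound')
"WMI inbound firewall rules   : $(@($fw | Where-Object Enabled -eq 'True').Count) of $($fw.Count) enabled"
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
           -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
"LocalAccountTokenFilterPolicy: $(if ($pol) { $pol.LocalAccountTokenFilterPolicy } else { 'not set (0)' })"
```

Each line prints True when the corresponding step is in place; a False on the WMI or WinRM line means the ACE for the account is missing or lacks one of the listed rights, and a True on the Administrators line means the account has more privilege than this procedure intends.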