Setting up WMI on Target Machines without using an administrator

vScope can use the WMI protocol to inventory Windows OS machines. This also includes Hyper-V machines and the VMM.

  • When setting up a WMI service account for vScope, it is easiest to use permissions of a local administrator on the machine. Using the local Adminstrators group for example.
  • If a domain user is to be used, we recommended using a group in Active Directory that is assigned access, and then adding the domain user to that group.
  • In this guide we’re giving WMI access to an AD group, but the steps could technically be done for a domain or local user.

1. Create group in Active Directory

Create a group called eg. “WMI Access Users” in your Active Directory.

2. Add the AD group to the local default group Distributed COM Users

2.1 Open lusrmgr.msc.

2.2 Go to Groups.

2.3 Open “Distributed COM Users” and add the group “WMI Access Users”. Click apply.

3. Setting WMI permissions

3.1 Write “wmimgmt.msc” in the command prompt

3.2 Right click on “WMI Control” and select properties 


3.3 Go to the “Security”-tab, mark “Root” in the tree structure and click on “Security”.

3.4 Select “Advanced”.

3.5 Click “Add”.

3.6 Click “Select a principal”.

3.7 Enter the group name and click “OK”.

3.8 Under “Applies to:”, ensure it’s set to “This namespace and subnamespaces”, then check boxes for Execute Methods, Enable Account, Remote Enable and Read Security. Then, click “OK”.

3.9 Click “Apply”, and “OK” to close and save settings in all windows.

4. DCOM-permissions

4.1 Open “dcomcnfg”.

4.2 Expand ‘Component Services’ –> ‘Computers’, and right-click on ‘My Computer’ and select ‘Properties’

4.3 Select the “COM Security” tab and click “Edit Default…” for both “Access Permissions” and “Launch and Activation Permissions”.

4.4 Access Permissions. Add “WMI Access Users” group and allow all permissions in the boxes below. Click OK.

4.5 Launch and Activation Permission. Add “WMI Access Users” group and allow all permissions in the boxes below. Click OK.

4.6 Click “Apply” and OK in all windows to close and save settings.

And that’s it. The AD group, and its users, will now have remote WMI access to the machine.


If WMI doesn’t work after the previous permission setup it may be because of local settings on the machine. Below are common configurations that may be needed.

Open firewalls for WMI traffic

Enter the following in the command prompt: “netsh advfirewall firewall set rule group=”windows management instrumentation (wmi)” new enable=yes”

Turn off UAC

If UAC is not turned off, vScope might have trouble accessing some information.

1. Access “regedit”.

2. Change the following key from 0 to 1:


3. Close regedit

0 = Remote UAC access token filtering is enabled.
1 = Remote UAC is disabled.

Read more at:

Enable RPC permissions on a single target machine:

  1. Run Microsoft Management Console on the target machine (Start|Run|mmc)
  2. Add “Group Policy Object Editor” snap-in (File|Add/Remove Snap-in…|Add…|Group Policy)
  3. Select the “Local Computer” Group Policy Object for which you want to enable RPC
  4. Navigate to: [Group Policy Object]|Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Profile ( for a Domain administered network – Standard Profile for a Workgroup network )
  5. Edit Setting: “Windows Firewall: Allow Remote Administration Exception”
  6. Set “Enabled”.
  7. Set “Allow unsolicited incoming messages from:” to “localsubnet” (without the quotes)
  8. Apply settings
  9. These settings will not generally take effect immediately. You can use Microsoft’s Group Policy Update Utility to force immediate updates.

WMI troubleshooting articles


Leave a Reply