WMIC GPO


Instructions for enabling WMI domain-wide for all users. You may also need to perform additional steps at the server level if you get access errors.

NOTE: This GPO will open up WMI to "Everyone" in your domain. You should probably restrict this to only Administrators, specific users, etc.


Group Policy

  • Open Group Policy Management on your DC.
  • Right-click on your domain, and choose Create a GPO in this domain, and Link it here...
  • Name it WMI or such
  • Right-click on it and choose Edit
  • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  • Select Properties at: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Check Define this policy setting
  • Select Edit Security
  • Click Add
  • Under Enter the object names to select: Enter Everyone and click Check Names. The user is now filled in automatically
  • Click OK to exit the Select... popup
  • Select Everyone
  • Under Permissions: Tick Allow on both Local Access and Remote Access
  • Click OK to close the Access Permission popup
  • Click OK to close the DCOM popup
  • Select Properties under: DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Check Define this policy setting
  • Select Edit Security
  • If Everyone is already in the list, make sure all four permissions (Local Launch, Remote Launch, Local Activation and Remote Activation) are ticked
  • Else, click Add
  • Under Enter the object names to select: Enter Everyone and click Check Names. The user is now filled in automatically
  • Click OK to exit the "Select..." popup
  • Select Everyone
  • Under Permissions: Tick Allow at Local Launch, Remote Launch, Local Activation and Remote Activation
  • Click OK to close the Access Permission popup
  • Click OK to close the DCOM popup
  • Exit GPEdit
  • Right-click on the GPO and make sure it is "Enforced"
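
To review what the GPO grants once it has applied, this added PowerShell example (not part of the original page) reads the two DCOM restriction values that the policy settings above store as SDDL strings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM and lists allow entries giving Everyone, ANONYMOUS LOGON or Authenticated Users remote rights. The function name Get-DcomRestrictionFinding and the sample SDDL string are constructed for illustration.

```powershell
# Added example: flag broad trustees with remote rights in the DCOM machine restrictions.
# COM access-right bits used in these security descriptors.
$ComRights = [ordered]@{
    Execute        = 0x01
    Local          = 0x02   # Local Access / Local Launch
    Remote         = 0x04   # Remote Access / Remote Launch
    LocalActivate  = 0x08   # launch restrictions only
    RemoteActivate = 0x10   # launch restrictions only
}
$RemoteMask = 0x04 -bor 0x10
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-5-11' = 'Authenticated Users'
}

# Hypothetical helper name; parses one SDDL string and emits a finding per risky ACE.
function Get-DcomRestrictionFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sddl
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (($ace.AccessMask -band $RemoteMask) -eq 0) { continue }
        $granted = $ComRights.Keys | Where-Object { $ace.AccessMask -band $ComRights[$_] }
        [pscustomobject]@{ Policy = $Name; Trustee = $BroadSids[$sid]; Rights = $granted -join ', ' }
    }
}

# Constructed sample: a descriptor giving Everyone (WD) local and remote access.
Get-DcomRestrictionFinding -Name 'Sample' -Sddl 'O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDCLC;;;BA)'

# Live check of the values written by the two policy settings.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
foreach ($value in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $sddl = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
    if ($sddl) { Get-DcomRestrictionFinding -Name $value -Sddl $sddl }
    else { Write-Output "${value} is not defined by policy on this machine" }
}
```

Each row returned is an entry worth narrowing to Administrators or a dedicated group, as the note at the top of this page suggests; no rows for a policy means none of the three broad trustees has remote rights there.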


WMI namespace

Rights for WMI namespace: These settings cannot be configured with a regular GPO. For a user who is not an Admin this step is critical and must be done exactly as instructed below. If it is not done properly, login attempts via WMI result in Access Denied.

This needs to be done on a per-server basis if you run into any "Access Denied" issues.

  • Run wmimgmt.msc from an administrative command prompt
    • Right-click WMI Control, and select Properties
  • Select the Security tab
  • Select Root of the tree and click on Security (bottom right of "WMI Control (Local) Properties")
  • Click Add …
  • Under Enter the object names to select: Enter "Everyone" and click Check Names. The user is now filled in automatically
  • Click OK to exit the "Select..." popup
  • Select Everyone
  • Select Allow for Execute Methods, Full Write, Enable Account, Remote Enable, Read Security and Edit Security under Permissions for Everyone
  • Mark Everyone and click Advanced
  • Under the Permission tab: Select Everyone
  • Click Edit
  • Under Applies To-list: Choose This namespace and all subnamespaces. It is very important that the rights are applied recursively down the entire tree!
  • Click OK to exit the "Permission Entry for Root"
  • Click OK to exit "Advanced Security Settings for Root"
  • Click OK to exit "Security for Root"
  • Click OK to exit "WMI Control (Local) Properties"
