WMI - access denied as non admin user

Hi,

So, I am stumped at the moment, but lets start with the basics:

Objective: Monitor some services on win 2012 servers R2.

----

Environment:

* domain environment except for the machine doing the wmi calls

----

The obvious:

* The query is "select * from win32_service ..."

* if the user is in the local admin groups it works

* the user can access locally the data

* The user has Exec Methods, Enable Account, Remote Enable, Read Security

* The DCOM security settings allow the user to get everything

* used sc sdset on scmanager and the service I want to check, no luck

----

Now

* I can monitor some other elements, though I have some limits (typically, I can't see the commandline for Win32_Process but I can see most of the rest. Though, if I add the user to admin group I get everything)

* I tried wmiexplorer too. same result, local no issue, remote not working. One note, on local without admin rights I do not see the command line either, but I execute "select * from Win32_Service" fine

----

So, which parameter am I missing ?

Thanks


  • Edited by O.Ragain Friday, April 24, 2015 5:40 PM
April 24th, 2015 5:29pm

Hi O.Ragain,

According to your description, you want to remote access remote workgroup from Server in a domain, in this case, please try to disbale Remote UAC by changing the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy, and set this entry as DWORD.
When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled.

Refer to:

WMI Access Denied - Get-WMIObject

I tested with the registry value and worked, if the issue still exist, please also refer to this thread:

Remote Get-Service as Normal user require other privileges

If there is anything else regarding this issue, please feel free to post back.

Best Regards,

Anna Wang

Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 1:25am

Hi,

Hmmm, so the servers I want to monitor are in a domain.

The server doing the monitoring is not. It is a CentOS machine.

so the flow is: workgroup -> domain not domain -> workgroup. Would what you propose still work ? I thought you had to disable that UAC only when the servers you wanted to remote query were not in a domain. Does the server doing the query also need to be in the domain for the UAC bit disable to not be necessary ?

Thanks

April 28th, 2015 1:28pm

Hi O.Ragain,

If you want to remote access domain server from workgroup, there is no need to modify the registry value to disable UAC.

If there is anything else regarding this issue, please feel free to post back.

Best Regards,

Anna Wang

Free Windows Admin Tool Kit Click here and download it now
April 28th, 2015 9:35pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics