
Configuring WMI Access Remotely Using Group Policy

Collecting inventory data via WMI from domain computers normally works without difficulty. Unfortunately, problems do occur sometimes. They can be caused by changed security settings or by some other reason. If errors arise while the program is trying to access domain computers via WMI, the problem can be solved remotely by applying the Group Policy settings described below.

1. Starting Policy Editor

"Start" – "Run..." – "mmc".

Select the menu item "File" – "Add/Remove Snap-in...".

Select "Group Policy Management Editor" and click "Add >". Click "OK".

Select the "Default Domain Policy" node on the console tree.

 

2. UAC (User Account Control) Configuration

Starting with Vista, Windows includes the User Account Control (UAC) component. By default, programs it starts run under a standard user access token. If administrator rights are necessary for some action, the system prompts the user to change, or "elevate", the security context from a standard user to an administrator. Remote requests are always executed under the user access token, because a remote user cannot be controlled by UAC the way something executed locally is. That is why UAC must be configured to provide remote access to DCOM.

1) Select the node "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" and set the "User Account Control: Run all administrators in Admin Approval Mode" option's setting to "Disabled".

2) Set the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" policy's setting to the "Elevate without prompting" value.

3) Set the "User Account Control: Detect application installations and prompt for elevation" policy's setting to the "Disabled" value.

 

3. Windows Firewall Configuration

Windows Firewall must allow the DCOM protocol, which is required for executing remote WMI requests (ports 135 and 445).

To configure the Firewall, go to this node in the console: "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings".

In Windows Server 2003 settings, enable the setting "Allow exceptions for remote administration". This will allow the DCOM and WMI execution.

For newer Windows Server versions, the "WMI" and "Remote Administration" pre-defined rules exist. You can configure these rules in the "Inbound Rules" sub-menu, using the "New Rule" context menu.

 

4. Switching to Classic Access Model

In the console node "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options", select the "Network access: Sharing and security model for local accounts" parameter and set it to "Classic – local users authenticate as themselves".

Disable the "Accounts: Limit local account use of blank passwords to console logon only" setting.

 

5. Required Services

Go to the "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\System Services" node.

Enable the following system services:

1) RpcSs - Remote Procedure Call (RPC)

2) DCOMLaunch - DCOM Server Process Launcher

3) LanManServer - Server

 

6. DCOM Configuration

Go to the "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" node.

Edit the restrictions on DCOM access and execution. Double-click "DCOM: Machine Access Restrictions…", click "Edit Security", add the user account that is used for inventory data collection, and enable the following permissions for it: "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation".
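
To confirm on a target computer that the settings from sections 2, 4 and 5 have actually been applied (or to audit which computers carry these relaxed UAC and local-account settings), the values can be read back locally. The PowerShell script below is an added example, not part of the original help page or of the product; the function name Get-WmiPolicyState is hypothetical, the registry values are the standard ones that back these policies, and treating "Running" as the sign of an enabled service is an assumption.

```powershell
# Added example: reads back, on the local computer, the settings from sections 2, 4 and 5.
# Get-WmiPolicyState is a hypothetical helper name, not part of any product.
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy named on the page -> registry value behind it -> value the page's steps produce.
$registryChecks = @(
    @{ Policy = 'UAC: Run all administrators in Admin Approval Mode'; Path = $system; Name = 'EnableLUA'; Expected = 0 }
    @{ Policy = 'UAC: Elevation prompt for administrators (0 = Elevate without prompting)'; Path = $system; Name = 'ConsentPromptBehaviorAdmin'; Expected = 0 }
    @{ Policy = 'UAC: Detect application installations and prompt for elevation'; Path = $system; Name = 'EnableInstallerDetection'; Expected = 0 }
    @{ Policy = 'Network access: Sharing and security model (0 = Classic)'; Path = $lsa; Name = 'ForceGuest'; Expected = 0 }
    @{ Policy = 'Accounts: Limit local account use of blank passwords'; Path = $lsa; Name = 'LimitBlankPasswordUse'; Expected = 0 }
)

function Get-WmiPolicyState {
    foreach ($check in $registryChecks) {
        # A missing value means the policy has not written it; report that instead of failing.
        $item   = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.($check.Name) }
        $shown  = 'not set'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Setting  = $check.Policy
            Expected = $check.Expected
            Actual   = $shown
            Matches  = ($actual -eq $check.Expected)
        }
    }
    # Services from section 5. Assumption: an enabled service shows up as Running.
    foreach ($name in 'RpcSs', 'DcomLaunch', 'LanmanServer') {
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $shown = 'not found'
        if ($null -ne $svc) { $shown = [string]$svc.Status }
        [pscustomobject]@{
            Setting  = "Service $name"
            Expected = 'Running'
            Actual   = $shown
            Matches  = ($shown -eq 'Running')
        }
    }
}

Get-WmiPolicyState | Format-Table -AutoSize
```

Rows with Matches = False show which policy has not reached the computer yet; running `gpupdate /force` there and repeating the check separates a replication delay from a misconfigured policy.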

 
