Eric Singer

PSA: Collect from Windows systems without admin rights

Question

Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights.  I have done a brief test with LM and it seems to be working well.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

That's the article.  I created an AD group instead of a user to delegate, and I put the LM collector service in that group.  Everything else I've followed as documented.

I haven't tested anything else, but this alone is a huge step in the right direction.  


7 answers to this question

Thanks Eric! I have been attempting to engage with the Microsoft mothership on this issue for some time and getting the brick wall.

We'll investigate this solution and integrate into our Windows Collectors as appropriate.

23 hours ago, Eric Singer said:

Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights. I have done a brief test with LM and it seems to be working well.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

That's the article. I created an AD group instead of a user to delegate, and I put the LM collector service in that group. Everything else I've followed as documented.

I haven't tested anything else, but this alone is a huge step in the right direction.

I wanted to add one more step: you also need to add the same account you're delegating access to in the MS article to the "Performance Monitor Users" local group as well. Then restart the collector.

On 7/12/2018 at 12:43 PM, Eric Singer said:

I wanted to add one more step: you also need to add the same account you're delegating access to in the MS article to the "Performance Monitor Users" local group as well. Then restart the collector.

I'm trying to implement this on a 2016 server and running into some issues. The LogicMonitor service doesn't start even though the service account is in the local Distributed COM Users group. Putting the account into the Administrators group works.

The event log shows that the service account doesn't have DCOM permissions, which is strange since it's in the group that's supposed to give it access to DCOM. Any help would be appreciated.

4 hours ago, IT GUY said:

I'm trying to implement this on a 2016 server and running into some issues. The LogicMonitor service doesn't start even though the service account is in the local Distributed COM Users group. Putting the account into the Administrators group works.

The event log shows that the service account doesn't have DCOM permissions, which is strange since it's in the group that's supposed to give it access to DCOM. Any help would be appreciated.

Sorry for any confusion. The LogicMonitor collector service must still run as a local admin account, at least as far as I'm aware. The solution is to allow that collector to remotely poll Windows devices with a service account that isn't a local admin.

Meaning:

Collector Server Name = WinCollector

Collector Account = UserCollector

Remote Server to Poll = "RemoteServerIWantToPoll"

The account "UserCollector" must be a local admin on the server "WinCollector", BUT the service account "UserCollector" doesn't need to be a local admin on the server "RemoteServerIWantToPoll".

13 hours ago, Eric Singer said:

Sorry for any confusion. The LogicMonitor collector service must still run as a local admin account, at least as far as I'm aware. The solution is to allow that collector to remotely poll Windows devices with a service account that isn't a local admin.

Meaning:

Collector Server Name = WinCollector

Collector Account = UserCollector

Remote Server to Poll = "RemoteServerIWantToPoll"

The account "UserCollector" must be a local admin on the server "WinCollector", BUT the service account "UserCollector" doesn't need to be a local admin on the server "RemoteServerIWantToPoll".

Thanks Eric, that makes sense.

Also, did you have any issues running the Set-WMINameSpaceSecurity PowerShell script as a scheduled task? Manually running the PowerShell commands adds the correct WMI permission, but running it from Task Scheduler doesn't seem to do anything.

36 minutes ago, IT GUY said:

Thanks Eric, that makes sense.

Also, did you have any issues running the Set-WMINameSpaceSecurity PowerShell script as a scheduled task? Manually running the PowerShell commands adds the correct WMI permission, but running it from Task Scheduler doesn't seem to do anything.

What I ended up doing was taking all the individual actions MS recommended in their task and adding them into a single PowerShell script that I called without any parameters.

I called their script inside that script.

  • For example, I created a folder using GPP on the local system called "Remote WMI Access"
  • I then copied MS's script "set-wmi....." into it
  • I then copied a custom script with the below commands in it to the same folder
  • Finally, I had my scheduled task call the custom script locally, so: powershell.exe -file "customscript.ps1"

# Grant the delegated group/user read (Enable) and RemoteAccess rights on the root/cimv2 namespace
. "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account "domain\Group or user" -operation Add -permissions Enable
. "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account "domain\Group or user" -operation Add -permissions RemoteAccess
# WMI only re-reads namespace security when the service restarts
Restart-Service winmgmt -Force

Edited by Eric Singer

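The procedure the thread converges on (namespace ACL via Microsoft's script, membership in the Distributed COM Users and Performance Monitor Users local groups, then a winmgmt restart), collected into one script that can run locally from a scheduled task, as an added example. This is not code from the thread or from Microsoft's article. It assumes the Microsoft script has already been copied to C:\Scripts\Remote WMI Access\ and that CONTOSO\LM-WMI-Readers is the AD group holding the collector's service account; both names are placeholders. The last step reads the namespace descriptor back through __SystemSecurity, which answers the scheduled-task question above more reliably than the script's exit code: it tells you whether the ACE was actually written.

```powershell
# Added example, not code from the thread or from Microsoft's article.
# Runs locally (e.g. as SYSTEM from a scheduled task) on each host the
# collector should poll. $DelegatedGroup and $ScriptPath are placeholders.
param(
    [string]$DelegatedGroup = 'CONTOSO\LM-WMI-Readers',   # assumed AD group holding the collector account
    [string]$ScriptPath     = 'C:\Scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1',
    [string]$Namespace      = 'root/cimv2'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Set-WMINameSpaceSecurity.ps1 not found at $ScriptPath"
}

# Step 1: namespace ACL. Enable = may read objects in the namespace,
# RemoteAccess = may do so over DCOM. Two calls, the way the thread runs the script.
foreach ($perm in 'Enable', 'RemoteAccess') {
    & $ScriptPath -namespace $Namespace -account $DelegatedGroup -operation Add -permissions $perm
}

# Step 2: local groups. Distributed COM Users covers the remote activation the
# event log complained about; Performance Monitor Users covers the perf-counter
# datasources (the extra step added in the thread).
# Add-LocalGroupMember ships with PowerShell 5.1 (Server 2016 / Windows 10).
foreach ($localGroup in 'Distributed COM Users', 'Performance Monitor Users') {
    $members = @(Get-LocalGroupMember -Group $localGroup -ErrorAction SilentlyContinue)
    if ($members.Name -notcontains $DelegatedGroup) {
        Add-LocalGroupMember -Group $localGroup -Member $DelegatedGroup
    }
}

# Step 3: WMI only re-reads namespace security when the service restarts.
Restart-Service -Name winmgmt -Force

# Step 4: verify by reading the namespace descriptor back. The delegated group
# must hold an Allow ACE (AceType 0) carrying WBEM_ENABLE (0x1) and
# WBEM_REMOTE_ACCESS (0x20); masks of several ACEs for the same SID are OR-ed.
$sid = (New-Object System.Security.Principal.NTAccount($DelegatedGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$descriptor = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor).Descriptor
$allowAces = @($descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 })
if ($allowAces.Count -eq 0) {
    throw "No Allow ACE for $DelegatedGroup ($sid) on $Namespace; the ACL change did not take"
}
$mask = 0
foreach ($ace in $allowAces) { $mask = $mask -bor $ace.AccessMask }
if (($mask -band 0x21) -ne 0x21) {
    throw ("ACE for {0} on {1} has mask 0x{2:X}; Enable and RemoteAccess are both required" -f $DelegatedGroup, $Namespace, $mask)
}
Write-Output ("{0} has Enable+RemoteAccess on {1} (mask 0x{2:X})" -f $DelegatedGroup, $Namespace, $mask)
```

From the collector side, the quickest end-to-end check is a CIM session to the target opened with the delegated account's credentials and the DCOM protocol option (New-CimSession with New-CimSessionOption -Protocol Dcom), followed by a Get-CimInstance of Win32_Service over that session. If the namespace check above passes but the session is refused with access denied, the Distributed COM Users membership is the thing to revisit, not the namespace ACL.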

Hi,

Wanted to provide an update. Unfortunately, I've been finding a number of missing data sources. They're not always easy to spot, but one perfect example is anything that's monitoring a Windows service. I have a fix for that, but it's still not a complete fix. There are many services (such as the cluster service) that are limited to local admins / SYSTEM only. So even if you follow the fix I'll share, you still aren't going to get all the services.

At this point, it doesn't even seem as if you'd get everything without more work, even with a local LM account that has no admin rights.

As for monitoring services, you need to run this command once on each host you want to monitor.

# Replaces the Service Control Manager's security descriptor so that Authenticated Users (AU)
# can connect to the SCM and enumerate/query services, alongside SYSTEM and Administrators
Start-Process -FilePath "sc.exe" -ArgumentList "sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)" -Wait -NoNewWindow

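A narrower version of the service-monitoring fix above, added here as an example and not taken from the thread: it grants the same Service Control Manager rights (connect, enumerate, query lock status, read control) to the delegated group only, and splices that ACE into whatever descriptor the host already has instead of overwriting it. CONTOSO\LM-WMI-Readers is an assumed group name; the script runs elevated on each monitored host.

```powershell
# Added example, not code from the thread. Adds an SCM ACE for one group
# instead of for Authenticated Users and keeps the existing descriptor intact.
# $DelegatedGroup is a placeholder; run elevated on each host to be monitored.
param([string]$DelegatedGroup = 'CONTOSO\LM-WMI-Readers')
$ErrorActionPreference = 'Stop'

$sid = (New-Object System.Security.Principal.NTAccount($DelegatedGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Same rights the thread's string gives AU: CC = SC_MANAGER_CONNECT,
# LC = SC_MANAGER_ENUMERATE_SERVICE, RP = SC_MANAGER_QUERY_LOCK_STATUS,
# RC = READ_CONTROL. Nothing that lets the group create, start or stop services.
$newAce = "(A;;CCLCRPRC;;;$sid)"

# sdshow prints a blank line followed by the SDDL string.
$lines = @(sc.exe sdshow SCMANAGER | Where-Object { $_ -match '^\s*D:' })
if ($lines.Count -eq 0) { throw 'Could not read the SCMANAGER security descriptor (not elevated?)' }
$current = $lines[0].Trim()

if ($current -like "*;$sid)*") {
    Write-Output "SCMANAGER already has an ACE for $DelegatedGroup. Current SDDL: $current"
    return
}

# Append the Allow ACE at the end of the DACL, i.e. just before the SACL ("S:").
# The stock DACL holds only Allow ACEs, so appending keeps canonical order.
$updated = if ($current -match '^(?<dacl>D:.*?)(?<sacl>S:.*)$') {
    $Matches['dacl'] + $newAce + $Matches['sacl']
} else {
    $current + $newAce
}

sc.exe sdset SCMANAGER $updated | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

Write-Output "Before: $current"
Write-Output "After:  $updated"
```

Two things to weigh before pushing the original sdset string out by GPO: the AU trustee is Authenticated Users, so it opens service enumeration to every domain account rather than to the collector, and sdset replaces the whole descriptor, so any ACE in the current output of sc.exe sdshow SCMANAGER that is absent from the new string is gone. Neither version reaches a service that carries its own restrictive DACL; sc.exe sdshow followed by the service name shows each one, which is the cluster-service case the post describes.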