Getting Started

Running without Administrator Privileges in Windows

Microsoft recommends administrator level permissions to ensure remote WMI functionality, which the Collector depends on. However, it is possible to run without administrator privileges with some additional settings. This method works in most, but not all cases. Therefore, technical support is provided on a best-effort basis for this workaround.

Note: The method documented here will not work for Windows domain controllers. For more information on monitoring domain controllers without administer privileges, see Monitoring a Domain Controller (DC).

To attempt this setup, complete the following steps:

  1. Create the new user, preferably as a domain account, or alternatively on each monitored system.
  2. Grant the user remote WMI rights.
  3. Grant the user remote DCOM rights, if applicable.

Granting Remote WMI Rights

To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:

  1. In the Control Panel, double-click Administrative Tools.
  2. In the Administrative Tools window, double-click Computer Management.
  3. In the Computer Management window, expand the Services and Applications tree and double-click the WMI Control.
  4. Right-click the WMI Control icon and select Properties, and then select the Security tab.
  5. Select the "Root" object, then click Security.
  6. Click Add to add the user that the service is to run as to the list.
  7. Check Execute Methods and Remote Enable.
  8. Click Advanced.
  9. Select the new user, and click Edit.
  10. Change the Apply To drop down menu to This namespace and subnamespsaces.
  11. Click OK three times to close the dialog boxes.

Granting Remote DCOM Rights

If any of the following apply to your Collector account, you'll need to grant DCOM rights:

  • Collector service running as a non-domain account
  • Collector resides in a different domain that is untrusted by the monitored host
  • Collector connects to remote computers not as a local administrator

To grant the user DCOM rights, log on to each system to be monitored and complete the following procedure:

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, and then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Launch and Activation Permissions, click Edit Limits.
  5. In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
    1. Click Add.
    2. In the Select Users, Computers, or Groups dialog box, add the account name in the Enter the object names to select field, and then click OK.
  6. In the Launch Permission dialog box, select your user in the Group or user names box. In the Allow column under Permissions for User, check Remote Launch and Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, and then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Access Permissions, click Edit Limits.
  5. In the Access Permission dialog box, select ANONYMOUS LOGON in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

For more information, see Securing a Remote WMI Connection.