Microsoft recommends Administrator group membership to ensure remote WMI functionality. However, you can run the remote WMI functionality without administrator privileges with some additional settings. This method works in most cases, but not in all. Therefore, the assistance provided by your LogicMonitor support team may be limited and on a best-effort basis.
Note: This information also applies to Active Directory Domain Controllers. For domain controllers, you can make the group membership adjustments via “Active Directory Users and Computers” rather than “Local Users and Groups”. When a Windows host is promoted to a Domain Controller, local group memberships are migrated into the BUILTIN groups within ADUC.
You can complete the following steps to run the services without administrator privileges.
To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:
If any of the following apply to the LogicMonitor Collector services, you may need to grant DCOM rights:
To grant the user DCOM rights, log on to each system to be monitored and complete the following procedure:
The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If you are connecting from computer A to computer B remotely, you can set permissions on computer B to allow a user or group that is not part of the Administrators group on computer B to connect to computer B.
For more information, see Securing a Remote WMI Connection.
Even after employing the mentioned methods, you may be required to review and adjust Windows Service permissions.
You can use one of the following tools to adjust Windows service permissions and grant read-only access to the account that you use to monitor the host.
Process Explorer
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
subinacl.exe
https://social.technet.microsoft.com/wiki/contents/articles/51625.subinacl-a-complete-solution-to-configure-security-permission.aspx
sc.exe
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754599(v=ws.11)
To change the permissions of Service Control Manager (SCManager) and the Win32_services, complete the following steps:
Note: The steps to change permissions for SCManager and Win32_services are the same.
1. To get the SID of the LogicMonitor user, run the following command in PowerShell:
[wmi] "win32_useraccount.domain='<domainName>',name='<userName>'"
2. To get the SDDL of SCManager, run the following command in the cmd prompt:
sc sdshow scmanager
Sample of the retrieved SDDL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
3. Modify the retrieved SDDL.
Note: You can either create your own ACLs or copy the segment of the SDDL that ends with Interactive Users (IU), i.e. (A;;CCLCRPRC;;;IU). For more information on creating ACLs, see ACE Strings.
4. Once you retrieve the SDDL using the sc sdshow scmanager command, copy the segment of the SDDL that ends with IU, for example (A;;CCLCRPRC;;;IU).
5. Replace IU with the SID of the LogicMonitor user. Example:
(A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)
6. After replacing the SID, paste the new segment after the IU segment in the retrieved SDDL. The following is an example of the new SDDL:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Note: The preceding example grants several permissions to the LogicMonitor user. You can either restrict the user from having multiple permissions or grant only minimal permissions.
For example, the ACL (A;;RPRC;;;IU) grants the read permissions needed to read all the properties of a Windows service. If you want to grant more permissions, refer to ACE Strings and add the strings between the double semicolons (;;) and the triple semicolons (;;;) of the ACL.
7. Set the new SDDL as the security descriptor of SCManager:
sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;S-1-5-21-265800110-2195697097-2714329818-1112)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
Note: To change the Win32_services permissions, perform all the steps for changing the permissions of SCManager, and replace scmanager with the serviceName of your Windows service.
Example: The following command displays the security descriptor of the App-Management service:
sc sdshow AppMgmt
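The SDDL edit from the steps above (copy the IU segment, swap in the SID, paste it after the IU segment) as a function that touches only the D: part and does nothing if the SID is already present. This is an added example, not LogicMonitor's code. Add-MonitorAce and its parameters are hypothetical names, the sample SDDL and SID are the ones shown on this page, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: Add-MonitorAce and its parameters are hypothetical names.
function Add-MonitorAce {
    param(
        [Parameter(Mandatory)] [string] $Sddl,   # text printed by: sc.exe sdshow <target>
        [Parameter(Mandatory)] [string] $Sid,    # SID retrieved in step 1
        [string] $Rights = 'CCLCRPRC'            # rights of the IU segment on this page
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$')  { throw "Not a SID: $Sid" }
    if ($Rights -cnotmatch '^([A-Z]{2})+$') { throw "Not an ACE rights string: $Rights" }

    $Sddl = $Sddl -replace '\s', ''              # drop line breaks and stray spaces

    # Split off the audit part (S:...) so the new segment can only land in D:...
    $cut = $Sddl.IndexOf('S:')
    if ($cut -lt 0) { $cut = $Sddl.Length }
    $dacl = $Sddl.Substring(0, $cut)
    $sacl = $Sddl.Substring($cut)
    if (-not $dacl.StartsWith('D:')) { throw 'Expected the descriptor to start with D:' }

    # Already granted: return the descriptor unchanged so repeated runs do not stack segments.
    if ($dacl.Contains(";;;$Sid)")) { return $Sddl }

    # Paste the new segment right after the IU segment, or at the end of D: if there is none.
    $m  = [regex]::Match($dacl, '\(A;;[A-Z]+;;;IU\)')
    $at = if ($m.Success) { $m.Index + $m.Length } else { $dacl.Length }
    return $dacl.Insert($at, "(A;;$Rights;;;$Sid)") + $sacl
}

# Sample values shown on this page; on a real host they come from steps 1 and 2.
$sample = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)' +
          '(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
$sid    = 'S-1-5-21-265800110-2195697097-2714329818-1112'

$new = Add-MonitorAce -Sddl $sample -Sid $sid
$new                                             # the new SDDL for sc sdset
(Add-MonitorAce -Sddl $new -Sid $sid) -eq $new   # second run leaves it unchanged

# To apply on a host from an elevated Windows PowerShell prompt, call sc.exe by its
# full name ("sc" alone is an alias for Set-Content) and keep the old value for rollback:
#   $old = ((sc.exe sdshow scmanager) -join '').Trim()
#   Set-Content -Path .\scmanager-sddl.bak -Value $old
#   sc.exe sdset scmanager (Add-MonitorAce -Sddl $old -Sid $sid)
```

To roll back, pass the saved descriptor from the backup file to sc.exe sdset. Pass -Rights RPRC to grant the narrower set of permissions described in the note above.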