

Windows Server Monitoring and Principle of Least Privilege

Microsoft recommends Administrator group membership to ensure remote WMI functionality. However, with some additional settings you can run remote WMI monitoring without administrator privileges. This method works in most, but not all, cases. Therefore, the assistance provided by your LogicMonitor support team may be limited and on a best-effort basis.

Note: This information also applies to Active Directory Domain Controllers. On domain controllers, make the group membership adjustments in “Active Directory Users and Computers” rather than “Local Users and Groups”: when a Windows host is promoted to a Domain Controller, its local group memberships are migrated into the BUILTIN groups within ADUC.

You can complete the following steps to run the services without administrator privileges.

  1. Create a new user, typically an Active Directory service account or a Windows local user on each monitored host.
  2. Grant the user remote WMI rights.
  3. Grant the user remote DCOM rights, if applicable.
  4. Grant Windows service permissions.

Granting Remote WMI Rights

To give the user remote WMI rights, log on to each system to be monitored and complete the following procedure:

  1. In the Control Panel, double-click Administrative Tools.
  2. In the Administrative Tools window, double-click Computer Management.
  3. In the Computer Management window, expand the Services and Applications tree and double-click the WMI control.
  4. Right-click the WMI Control icon and select Properties, and then select the Security tab.
  5. Select the Root object, then click Security.
  6. Click Add to add the user that the service is to run as to the list.
  7. Check Execute Methods and Remote Enable.
  8. Click Advanced.
  9. Select the new user, and click Edit.
  10. Change the Apply To drop-down menu to This namespace and subnamespaces.
  11. Click OK three times to close the dialog boxes.
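The same rights can be applied from an elevated Windows PowerShell 5.1 prompt on the monitored host. The following is an added example, not LogicMonitor's own code: it sets the Execute Methods and Remote Enable rights from the procedure above on the Root namespace with "This namespace and subnamespaces" inheritance, and also grants Enable Account (the read right the WMI Control dialog lists first), which reading class instances requires. The account name in the call at the bottom is a placeholder.

```powershell
# Added example, not LogicMonitor's own code. Grants a monitoring account the WMI
# namespace rights the WMI Control dialog sets, inherited by all subnamespaces.
# Assumes an elevated Windows PowerShell 5.1 prompt on the monitored host.
function Grant-WmiNamespaceReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$Namespace = 'root'
    )

    # Namespace access-mask bits as named in the WMI Control Security dialog
    $WBEM_ENABLE         = 0x01   # Enable Account (read)
    $WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
    $WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable
    $CONTAINER_INHERIT   = 0x02   # AceFlags: "This namespace and subnamespaces"
    $ACCESS_ALLOWED      = 0x00   # AceType

    # Resolve the account to a SID string; Win32_Trustee accepts it directly
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Read the namespace's current security descriptor through __SystemSecurity
    $wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
    $get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
    $acl = $get.Descriptor

    # Do not add a duplicate ACE if the account already has an allow entry here
    $existing = $acl.DACL | Where-Object {
        $_.Trustee.SIDString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED
    }
    if ($existing) {
        Write-Verbose "$Account already has an allow ACE on $Namespace; nothing changed"
    } else {
        # Build the ACE the way the dialog does: allow, inherited by subnamespaces
        $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
        $trustee.SIDString = $sid
        $ace = ([wmiclass]'Win32_ACE').CreateInstance()
        $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
        $ace.AceFlags   = $CONTAINER_INHERIT
        $ace.AceType    = $ACCESS_ALLOWED
        $ace.Trustee    = $trustee

        # Append to the DACL and write the descriptor back
        $acl.DACL += $ace.PSObject.ImmediateBaseObject
        $set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor `
                   -ArgumentList $acl.PSObject.ImmediateBaseObject
        if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
    }

    # Re-read the descriptor and return this account's entries so the mask can be checked
    $check = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
    $check.Descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $sid } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.SIDString } }, AccessMask, AceFlags, AceType
}

# Placeholder account; replace with the monitoring service account
Grant-WmiNamespaceReadAccess -Account 'CONTOSO\svc-lmcollector' -Verbose
```

The returned AccessMask should read 35 (0x23 = Enable Account + Execute Methods + Remote Enable) with AceFlags 2; any other allow entries for the account are left untouched, so the function is safe to re-run across hosts.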

Granting Remote DCOM Rights

If any of the following apply to the LogicMonitor Collector services, you may need to grant DCOM rights:

  • Collector service running as a non-domain account
  • Collector resides in a different domain that is untrusted by the monitored host
  • Collector connects to remote computers with an account that is not a local administrator on them

To grant the user DCOM rights, log on to each system to be monitored and complete the following procedure:

  1. Click Start, click Run, type DCOMCNFG, then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Launch and Activation Permissions, click Edit Limits.
  5. In the Launch Permission dialog box, complete the following steps if your name or your group does not appear in the Groups or user names list:

    a. Click Add.

    b. In the Select Users, Computers, or Groups dialog box, add the account name in the Enter the object names to select field and then click OK.
  6. In the Launch Permission dialog box, select your user in the Group or user names box.
  7. Navigate to Permissions for User > Allow, select Remote Launch and Remote Activation, and click OK.

Granting DCOM remote access for certain users and groups

The following procedure describes how to grant DCOM remote access permissions to specific users and groups. If you are connecting from computer A to computer B remotely, you can set permissions on computer B that allow a user or group that is not a member of the Administrators group on computer B to connect to it.

  1. Click Start, click Run, type DCOMCNFG, then click OK.
  2. In the Component Services dialog box, expand Component Services > Computers, then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, select the COM Security tab.
  4. Under Access Permissions, click Edit Limits.
  5. In the Access Permission dialog box, select ANONYMOUS LOGON in the Group or user names box.
  6. In the Allow column under Permissions for User, select Remote Access, and then click OK.

For more information, see Securing a Remote WMI Connection.
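Both dcomcnfg procedures above change the machine-wide Launch and Activation and Access limits, which Windows stores as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole. The following added example, not LogicMonitor's own code, decodes those values so the resulting limits can be reviewed on each monitored host, including whether ANONYMOUS LOGON now holds Remote Access as the second procedure grants. It assumes an elevated Windows PowerShell prompt on the monitored host; a value that is absent means the built-in defaults are still in effect.

```powershell
# Added example, not LogicMonitor's own code. Lists the principals and rights in the
# machine-wide DCOM limits that "Edit Limits" in dcomcnfg writes to the registry.
# Assumes an elevated Windows PowerShell prompt on the monitored host.

# The same mask bits mean different things for the two limits (COM_RIGHTS_* values)
$LaunchRights = @{ 0x02 = 'Local Launch'; 0x04 = 'Remote Launch'
                   0x08 = 'Local Activation'; 0x10 = 'Remote Activation' }
$AccessRights = @{ 0x02 = 'Local Access'; 0x04 = 'Remote Access' }

function Get-DcomLimitAces {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MachineLaunchRestriction', 'MachineAccessRestriction')]
        [string]$ValueName,
        [Parameter(Mandatory)][hashtable]$RightNames
    )
    $ole   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    $bytes = $ole.$ValueName
    if (-not $bytes) {
        # dcomcnfg creates the value on first edit; until then OS defaults apply
        Write-Warning "$ValueName is not set; operating-system defaults are in effect"
        return
    }

    # The value is a self-relative security descriptor; RawSecurityDescriptor parses it
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID, e.g. a deleted account
        $granted = foreach ($bit in ($RightNames.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $RightNames[$bit] }
        }
        [pscustomobject]@{
            Limit     = $ValueName
            AceType   = $ace.AceType      # AccessAllowed or AccessDenied
            Principal = $who
            Rights    = ($granted -join ', ')
        }
    }
}

@(
    Get-DcomLimitAces -ValueName MachineLaunchRestriction -RightNames $LaunchRights
    Get-DcomLimitAces -ValueName MachineAccessRestriction -RightNames $AccessRights
) | Format-Table -AutoSize
```

After following the procedures, the monitoring account should appear under MachineLaunchRestriction with Remote Launch and Remote Activation, and the principals granted Remote Access under MachineAccessRestriction should match what was intended.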

Granting Windows Service Permissions

Even after applying the methods above, you may still need to review and adjust Windows service permissions.

You can use one of the following tools to adjust Windows service permissions, granting read-only access to the account you use to monitor the host.

Process Explorer

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

subinacl.exe

https://social.technet.microsoft.com/wiki/contents/articles/51625.subinacl-a-complete-solution-to-configure-security-permission.aspx

sc.exe

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754599(v=ws.11)
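With sc.exe, the read-only grant is done by reading the service's security descriptor with sdshow, appending an allow entry for the monitoring account, and writing it back with sdset. The following added example, not LogicMonitor's own code, does exactly that from an elevated Windows PowerShell 5.1 prompt on the monitored host, leaving every existing entry in place; without -Apply it only returns the SDDL it would set so the change can be reviewed first. The service and account names in the call at the bottom are placeholders.

```powershell
# Added example, not LogicMonitor's own code. Grants one account read-only rights on a
# Windows service via sc.exe sdshow / sdset without touching the existing ACEs.
# Assumes an elevated Windows PowerShell 5.1 prompt on the monitored host.
function Grant-ServiceReadOnlyAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Account,
        [switch]$Apply    # without -Apply, only return the SDDL that would be set
    )

    # Service rights that only query state; none can start, stop or reconfigure it
    $SERVICE_QUERY_CONFIG         = 0x00001   # SDDL: CC
    $SERVICE_QUERY_STATUS         = 0x00004   # SDDL: LC
    $SERVICE_ENUMERATE_DEPENDENTS = 0x00008   # SDDL: SW
    $SERVICE_INTERROGATE          = 0x00080   # SDDL: LO
    $READ_CONTROL                 = 0x20000   # SDDL: RC
    $readMask = ($SERVICE_QUERY_CONFIG -bor $SERVICE_QUERY_STATUS -bor
                 $SERVICE_ENUMERATE_DEPENDENTS -bor $SERVICE_INTERROGATE -bor $READ_CONTROL)

    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # 'sc' alone is PowerShell's Set-Content alias, so call the binary by full name.
    # sdshow prints a blank line followed by the service's SDDL string.
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '\S' }) -join ''
    if ($LASTEXITCODE -ne 0 -or -not $sddl.StartsWith('D:')) {
        throw "sc.exe sdshow failed for '$ServiceName': $sddl"
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)

    # Append only if the account has no allow entry yet
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_.SecurityIdentifier -eq $sid -and $_.AceQualifier -eq 'AccessAllowed'
    }
    if (-not $already) {
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $readMask, $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }

    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    if ($Apply) {
        & sc.exe sdset $ServiceName $newSddl | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for '$ServiceName'" }
    }
    return $newSddl
}

# Placeholders: replace with the service being monitored and the monitoring account.
# Run once without -Apply to inspect the SDDL, then add -Apply to write it.
Grant-ServiceReadOnlyAccess -ServiceName 'Spooler' -Account 'CONTOSO\svc-lmcollector'
```

The new entry appears in the returned SDDL as (A;;CCLCSWLORC;;;<SID>), which is the read-only subset of the CCLCSWLOCRRC rights Windows normally grants interactive users; the access mask deliberately omits RP, WP, DT and DC so the monitoring account cannot start, stop, pause or reconfigure the service.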