- When setting up WMI-rights in vScope’s Credentials manager, it is recommended to use a domain-admin user account. This minimizes the risk of not being able to access the target machines.
- When using a local-admin user on target machines, or if the machine where vScope is installed is not on the same domain, you might need to follow the instructions below.
- If a local domain user is to be used, it is recommended to create a dedicated WMI-user as described under A below.
- If an existing user or domain user is used, then make certain that all access rights under points C and D below are valid for that group, even if it is administrator.
A, Create user
- Open User account settings in the Control Panel
- Create a user called “vscope-wmi-user” and a password (preferably with domain administrator rights)
B, Start the WMI service
- Open the command prompt and write “services.msc”
- Find ‘Windows Management Instrumentation’. Right-click and select Properties
- Set ‘Startup type’ to ‘Automatic’ and click “start”
- Close the window with “OK”
C, Setting WMI permissions
- Write “wmimgmt.msc” in the command prompt
- Right click on “WMI Control” and select properties
- Click the ‘Security’-tab.
- Mark ‘Root’ in the tree structure and click on Security
- Click ‘Add..’ and write vscope-wmi-user under ‘Enter the object names to select’ and hit enter. The user is now added.
- Check boxes for Execute Methods, Enable Account, Remote Enable and Read Security under ‘Permissions for WMI’
- Make sure the wmi-user is marked and select Advanced
- Under the ‘Permissions’-tab, mark the new ‘wmi’-user and select ‘Edit..’. Change ‘Apply to’ to ‘This namespace and subnamespaces’. Click “OK”
- Click OK to close and save settings in all windows
D, Setting DCOM permissions
- Write ‘dcomcnfg’ in the command prompt
- Expand ‘Component Services’ –> ‘Computers’, and right-click on ‘My Computer’ and select ‘Properties’
- Select the DCOM Security-tab. Click ‘Edit Limits…’ under both ‘Access Permissions’ and ‘Launch and Activation Permissions’. Then do the following:
- Click ‘Add…’, and enter ‘vscope-wmi-user’ under ‘Enter the object names to select’ and hit enter. The user ‘vscope-wmi-user’ is now added
- Check boxes for all permissions under ‘Permissions for vscope-wmi-user’
- Click OK in all windows to close and save settings
E, Open firewalls for WMI-traffic
Enter the following in the command prompt:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
F, Turn off UAC
It is recommended to turn UAC off. If it is not turned off, vScope might have trouble accessing some information.
- Write ‘regedit’ in the command prompt
- Change the key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy’ to 1
- Close regedit
0 = Remote UAC access token filtering is enabled.
1 = Remote UAC is disabled.
G, Enable RPC permissions on a single target machine:
- Run Microsoft Management Console on the target machine (Start|Run|mmc)
- Add “Group Policy Object Editor” snap-in (File|Add/Remove Snap-in…|Add…|Group Policy)
- Select the “Local Computer” Group Policy Object for which you want to enable RPC
- Navigate to: [Group Policy Object]|Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Profile (for a Domain administered network; Standard Profile for a Workgroup network)
- Edit Setting: “Windows Firewall: Allow Remote Administration Exception”
- Set “Enabled”.
- Set “Allow unsolicited incoming messages from:” to “localsubnet” (without the quotes)
- Apply settings
- These settings will not generally take effect immediately. You can use Microsoft’s Group Policy Update Utility to force immediate updates (see Microsoft’s article: “A Description of the Group Policy Update Utility”)
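To confirm on a target machine what steps B, C, E and F actually left in place, the following read-only PowerShell check can be run. It is an added example, not part of vScope's documentation. It assumes the account name vscope-wmi-user from step A, an elevated PowerShell 5.1 or later session, and Windows 8 / Server 2012 or later for the firewall cmdlet; the DCOM limits from step D and the policy from step G are not covered.

```powershell
# Added example: read-only audit of the settings changed in steps B, C, E and F.
# Run in an elevated PowerShell session on the target machine.
$Account = 'vscope-wmi-user'   # assumed account name from step A; change if yours differs

# Step C: the WMI namespace rights the page asks for, as access-mask bits
$Required = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
}
$ContainerInherit = 0x2   # ACE flag behind "This namespace and subnamespaces"

# Step B: WMI service (service name Winmgmt)
$svc = Get-Service -Name Winmgmt

# Step E: inbound rules in the built-in WMI firewall group that are still disabled
$rules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
$inboundOff = @($rules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -ne 'True' })

# Step F: remote UAC token filtering (an absent value behaves as 0, filtering enabled)
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
          -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($null -eq $latfp) { $latfp = 0 }

# Step C: allow-ACEs for the account on the Root namespace
$sd = (Invoke-CimMethod -Namespace root -ClassName __SystemSecurity `
       -MethodName GetSecurityDescriptor).Descriptor
$aces = @($sd.DACL | Where-Object { $_.Trustee.Name -eq $Account -and $_.AceType -eq 0 })
$mask = 0; $inherit = $false
foreach ($ace in $aces) {
    $mask = $mask -bor $ace.AccessMask
    if ($ace.AceFlags -band $ContainerInherit) { $inherit = $true }
}
$missing = @($Required.Keys | Where-Object { -not ($mask -band $Required[$_]) })

[pscustomobject]@{
    WmiServiceStatus      = $svc.Status
    WmiServiceStartType   = $svc.StartType
    WmiInboundRulesOff    = $inboundOff.Count
    RemoteUacFilterPolicy = $latfp            # 1 = remote UAC disabled (step F)
    AccountHasRootAce     = $aces.Count -gt 0
    MissingWmiRights      = $missing -join ', '
    AppliesToSubnamespace = $inherit
}
```

The same output, collected across machines, also gives an inventory of where remote UAC filtering has been disabled and which accounts hold Remote Enable on the Root namespace.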
H, Additional information
Connecting to WMI Remotely Starting with Windows Vista
User Account Control and WMI
Securing a Remote WMI Connection