Forum Discussion

Eric_Singer
7 years ago

PSA: Collect from windows systems without admin rights

Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights.  I have done a brief test with LM and it seems to be working well.

https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

That's the article.  I created an AD group instead of a user to delegate, and I put the LM collector service in that group.  Everything else I've followed as documented.

I haven't tested anything else, but this alone is a huge step in the right direction.  

  • Hi,

    Wanted to provide an update.  Unfortunately, I've been finding a number of missing data sources.  They're not always easy to spot, but one perfect example is anything that's monitoring a Windows service.  I have a fix for that, but it's still not a complete fix.  There are many services (such as the cluster service) that are limited to local admins / SYSTEM only.  So even if you follow the fix I'll share, you still aren't going to get all the services.

    At this point, it doesn't even seem that, if you had a local LM account without admin rights, you would get everything without more work.

    As for monitoring services, you need to run this command once on each host you want to monitor.

    # Grants Authenticated Users (AU) connect, enumerate, query-lock-status and read-control on the Service Control Manager; SYSTEM and Administrators keep their existing rights
    Start-Process -FilePath "sc.exe" -ArgumentList "sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)" -Wait -NoNewWindow
     
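The sc.exe sdset command above overwrites the Service Control Manager's security descriptor unconditionally. The following PowerShell is an added example, not code from the thread: it keeps a copy of the current SCM SDDL so the change can be reverted, applies the same delegated descriptor only when Authenticated Users do not already have the read-only rights, and then walks every installed service to report the ones whose own DACL still withholds SERVICE_QUERY_CONFIG / SERVICE_QUERY_STATUS from non-admins, which is exactly the set a non-admin collector will never see. It must run elevated on the monitored host; the backup folder path is an assumed placeholder.

```powershell
# Added example (not from the original post). Run elevated on the host being monitored.
$ErrorActionPreference = 'Stop'
$BackupDir = 'C:\scripts\Remote WMI Access\backup'   # hypothetical path; change to taste

# Principals a non-admin monitoring account is a member of: Everyone, Authenticated Users, Users
$NonAdminSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-ServiceSddl {
    param([string]$Name)   # a service name, or 'SCMANAGER' for the service control manager itself
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    # sc.exe prints a blank line first, then the SDDL string
    return ($out | Where-Object { $_ -match '^\s*[DS]:' } | Select-Object -First 1).Trim()
}

function Test-NonAdminAccess {
    # True when the DACL grants every bit in $RequiredMask to one of the non-admin principals
    # and no deny ACE for those principals removes any of them (denies come first in a canonical DACL).
    param([string]$Sddl, [int]$RequiredMask)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $false }
    $allowed = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($NonAdminSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied -and
            ($ace.AccessMask -band $RequiredMask)) { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $allowed = $allowed -bor $ace.AccessMask
        }
    }
    return (($allowed -band $RequiredMask) -eq $RequiredMask)
}

# SCM rights in the SDDL: CC=SC_MANAGER_CONNECT(0x1) LC=ENUMERATE_SERVICE(0x4)
# RP=QUERY_LOCK_STATUS(0x10) RC=READ_CONTROL(0x20000). All read-only.
$ScmReadMask = 0x1 -bor 0x4 -bor 0x10 -bor 0x20000
$DelegatedScmSddl = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

function Grant-ScmReadAccess {
    $current = Get-ServiceSddl -Name 'SCMANAGER'
    if (Test-NonAdminAccess -Sddl $current -RequiredMask $ScmReadMask) {
        Write-Host 'SCM already grants read access to non-admins; nothing to do.'
        return
    }
    # Keep the original so it can be restored with: sc.exe sdset SCMANAGER <saved SDDL>
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $current | Set-Content -Path (Join-Path $BackupDir "SCMANAGER.$(Get-Date -Format yyyyMMddHHmmss).sddl")
    & sc.exe sdset SCMANAGER $DelegatedScmSddl
    if ($LASTEXITCODE -ne 0) { throw 'sc.exe sdset SCMANAGER failed' }
}

# Per-service rights the Win32_Service provider needs to list a service:
# CC=SERVICE_QUERY_CONFIG(0x1) LC=SERVICE_QUERY_STATUS(0x4)
$SvcReadMask = 0x1 -bor 0x4

function Get-ServicesHiddenFromNonAdmins {
    foreach ($svc in Get-Service) {
        try { $sddl = Get-ServiceSddl -Name $svc.Name } catch { continue }
        if (-not (Test-NonAdminAccess -Sddl $sddl -RequiredMask $SvcReadMask)) {
            # No SCM or WMI namespace change will surface these; only their own DACL can.
            [pscustomobject]@{ Service = $svc.Name; Sddl = $sddl }
        }
    }
}

Grant-ScmReadAccess
Get-ServicesHiddenFromNonAdmins | Format-Table -AutoSize
```

The second report is the practical answer to the "missing services" problem: anything it lists (the cluster service is the example given above) is restricted by its own security descriptor, so it stays invisible to a non-admin account regardless of the SCM change, and the decision is then whether to widen that one service's DACL or accept the gap.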

  • 36 minutes ago, IT GUY said:

    Thanks Eric, that makes sense.

    Also, did you have any issues running the Set-WMINameSecurity PowerShell script as a scheduled task? Manually running the PowerShell commands adds the correct WMI permission, but when run from Task Scheduler it doesn't seem to do anything.

     

    What I ended up doing was taking all the individual actions MS recommended in their task and adding them to a single PowerShell script that I called without any parameters.

    I called their script inside that script.

    • For example, I created a folder using GPP on the local system called "remote wmi access"
    • I then copied MS script "set-wmi....."
    • I then copied a custom script with the below commands in it to the same folder
    • Finally, I had my scheduled task call the custom script locally, so "powershell.exe -file customscript.ps1"

    . "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account "domain\Group or user" -operation Add -permissions Enable
    . "c:\scripts\Remote WMI Access\Set-WMINameSpaceSecurity.ps1" -namespace root/cimv2 -account "domain\Group or user" -operation Add -permissions RemoteAccess
    Restart-Service winmgmt -Force

  • 13 hours ago, Eric Singer said:

    Sorry for any confusion.  The LogicMonitor collector service must still run as a local admin account, at least as far as I'm aware.  The solution is to allow that collector to remotely poll Windows devices with a service account that isn't a local admin.

    Meaning:

    Collector Server Name = WinCollector

    Collector Account = UserCollector

    Remote Server to Poll = "RemoteServerIWantToPoll"

    The account "UserCollector" must be a local admin on the server "WinCollector" BUT the service account "UserCollector" doesn't need to be a local admin on server "RemoteServerIWantToPoll".

    Thanks Eric, that makes sense.

    Also, did you have any issues running the Set-WMINameSecurity PowerShell script as a scheduled task? Manually running the PowerShell commands adds the correct WMI permission, but when run from Task Scheduler it doesn't seem to do anything.

  • 4 hours ago, IT GUY said:

    I'm trying to implement this on a 2016 server and running into some issues. The LogicMonitor service doesn't start even though the service account is in the local Distributed COM Users group. Putting the account into the Administrators group works.

    The event log shows that the service account doesn't have DCOM permissions, which is strange since it's in the group that's supposed to give it access to DCOM. Any help would be appreciated.

    Sorry for any confusion.  The LogicMonitor collector service must still run as a local admin account, at least as far as I'm aware.  The solution is to allow that collector to remotely poll Windows devices with a service account that isn't a local admin.

    Meaning:

    Collector Server Name = WinCollector

    Collector Account = UserCollector

    Remote Server to Poll = "RemoteServerIWantToPoll"

    The account "UserCollector" must be a local admin on the server "WinCollector" BUT the service account "UserCollector" doesn't need to be a local admin on server "RemoteServerIWantToPoll".

  • On 7/12/2018 at 12:43 PM, Eric Singer said:

     

    I wanted to add one more step: you also need to add that same account you're delegating access to in the MS article to the "Performance Monitor Users" local group as well.  Then restart the collector.

    I'm trying to implement this on a 2016 server and running into some issues. The LogicMonitor service doesn't start even though the service account is in the local Distributed COM Users group. Putting the account into the Administrators group works.

    The event log shows that the service account doesn't have DCOM permissions, which is strange since it's in the group that's supposed to give it access to DCOM. Any help would be appreciated.

  • 23 hours ago, Eric Singer said:

    Don't know if anyone else noticed, but MS released a pretty slick script that enables WMI access remotely without admin rights.  I have done a brief test with LM and it seems to be working well.

    https://blogs.technet.microsoft.com/askpfeplat/2018/04/30/delegate-wmi-access-to-domain-controllers/

    That's the article.  I created an AD group instead of a user to delegate, and I put the LM collector service in that group.  Everything else I've followed as documented.

    I haven't tested anything else, but this alone is a huge step in the right direction.  

     

    I wanted to add one more step: you also need to add that same account you're delegating access to in the MS article to the "Performance Monitor Users" local group as well.  Then restart the collector.
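Taken together, the thread describes three settings on each monitored host: the root/cimv2 namespace ACE added by Microsoft's Set-WMINameSpaceSecurity.ps1 (Enable + RemoteAccess), membership of the Distributed COM Users group from the article, and membership of the Performance Monitor Users group from the post above. The scheduled-task problem discussed earlier in the thread (the script runs but the permission never appears) is the kind of failure that is only visible if you read the result back. The PowerShell below is an added example, not code from the thread or from Microsoft's article: it checks all three on the local host, then opens a DCOM WMI session to a target as the delegated account, the same transport a WMI collector uses, and lists the services that account cannot see compared with an admin session. CONTOSO\WMI-Readers, the target host name and the credential prompt are placeholders.

```powershell
# Added example (not from the original posts or the Microsoft article).
$ErrorActionPreference = 'Stop'
$Account = 'CONTOSO\WMI-Readers'        # hypothetical group delegated via Set-WMINameSpaceSecurity.ps1
$Target  = 'RemoteServerIWantToPoll'    # host to query remotely (placeholder name from the thread)

# WMI namespace permission bits, as used by Set-WMINameSpaceSecurity.ps1
$WBEM_ENABLE        = 0x1    # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"

function Test-WmiNamespaceDelegation {
    # True when an allow ACE for $Account on $Namespace carries both Enable and RemoteAccess.
    param([string]$Namespace = 'root/cimv2', [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $result = Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity -MethodName GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($result.ReturnValue)" }
    $needed = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    foreach ($ace in $result.Descriptor.DACL) {
        # AceType 0 = access allowed; Trustee.SIDString identifies the principal
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid -and
            (($ace.AccessMask -band $needed) -eq $needed)) { return $true }
    }
    return $false
}

function Test-LocalGroupMembership {
    # Direct membership only; an account nested through another group will show as $false here.
    param([string]$Account, [string[]]$Groups = @('Distributed COM Users', 'Performance Monitor Users'))
    foreach ($g in $Groups) {
        # Get-LocalGroupMember ships with PowerShell 5.1 and returns names as DOMAIN\Name
        $members = Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name
        [pscustomobject]@{ Group = $g; Member = ($members -contains $Account) }
    }
}

function Compare-RemoteServiceView {
    # Services an admin session sees that the delegated account does not.
    param([string]$Computer, [pscredential]$Delegated)
    $opt = New-CimSessionOption -Protocol Dcom          # DCOM, the transport WMI collectors use
    $asDelegated = New-CimSession -ComputerName $Computer -Credential $Delegated -SessionOption $opt
    $asSelf      = New-CimSession -ComputerName $Computer -SessionOption $opt   # current (admin) user
    try {
        $seen = (Get-CimInstance -CimSession $asDelegated -ClassName Win32_Service).Name
        $all  = (Get-CimInstance -CimSession $asSelf -ClassName Win32_Service).Name
        # Anything left over is restricted by that service's own DACL (SERVICE_QUERY_STATUS
        # withheld from non-admins), which no namespace or group change can fix.
        $all | Where-Object { $seen -notcontains $_ }
    } finally {
        Remove-CimSession $asDelegated, $asSelf
    }
}

"Namespace ACE present: $(Test-WmiNamespaceDelegation -Account $Account)"
Test-LocalGroupMembership -Account $Account | Format-Table -AutoSize
$cred = Get-Credential -Message 'Delegated (non-admin) monitoring account'
"Services hidden from $($cred.UserName) on ${Target}:"
Compare-RemoteServiceView -Computer $Target -Delegated $cred
```

Running the first two checks from the same scheduled task that applies the settings, and logging their output, turns the "it doesn't do anything" symptom into a concrete answer: either the ACE is there and the DCOM/group side is the problem, or the script never wrote the ACE under the task's account.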

  • Thanks Eric! I have been attempting to engage with the Microsoft mothership on this issue for some time and hitting a brick wall.

    We'll investigate this solution and integrate into our Windows Collectors as appropriate.