To create a non-administrator-based service account for Netreo, follow these steps:
Create the Service Account
First, you will need to create the service account you wish to use to monitor your Windows servers. It is imperative that this account be used only for Netreo management and not be shared with any other applications or users.
Put the newly created user into the following domain groups:
- Depending on your version of Windows Server:
  - For Windows Server versions prior to 2019, put the user in Performance Log Users.
  - For Windows Server 2019 and later, put the user in Performance Monitor.
- For all Windows Server versions, also put the user in Distributed COM Users.
You must now make sure that the Distributed COM Users group actually has permissions to access WMI.
Enable WMI access
Launch the Active Directory Users and Computers tool, select WMI Access from the list and open its properties. On the Member Of tab add the Distributed COM Users group to the list.
Configure DCOM Security for the Group
Now, you must configure DCOM security for the group.
- Run Component Services from the Windows Start Menu by selecting Start > Administrative Tools > Component Services.
- Once it opens, expand Console Root, then Computers, and finally My Computer. Right-click on My Computer and select Properties.
- In the dialog that appears select the COM Security tab.
- In the Access Permissions section select Edit Limits.
- Select the Distributed COM Users group and ensure that all items under Allow are checked.
- Once you’ve reviewed the settings for Distributed COM Users, select OK to save your changes and return to the COM Security tab.
- In the Launch and Activation Permissions section select Edit Limits.
- You are presented with a list of groups and permissions. Select the Distributed COM Users group and ensure that all items under Allow are checked.
- Select OK to save your changes.
- Exit the Component Services utility.
Next, set WMI namespace security so that the Distributed COM Users group has access to WMI objects.
- Go to the Windows Start menu and select Run. In the window that opens, type wmimgmt.msc in the Open: field and select OK.
- Once it opens, right-click on WMI Control (Local) and select Properties.
- In the properties panel select the Security tab.
- Select Security at the bottom right of the window. This edits the security settings for the root WMI namespace.
- You now see a window that has the security settings for WMI for this machine. Select Advanced.
- You now see the advanced security settings for this WMI namespace. Add the Netreo service user account to the list and give at least the following Allow permissions (make sure that these permissions apply to this namespace and all the namespaces under it by selecting This namespace and sub-namespaces in the dropdown box above the permissions list window):
- Select OK to save the new permissions.
- Select OK again to exit out of the Advanced Security Settings for Root panel.
- Select OK again to exit the security properties.
Enable Access to the Win32_Services Object
You’ll also have to enable access to the Win32_Services object. The simplest way to do this is via the command prompt.
- Right-click on the Windows CMD menu entry and select Run as Administrator.
- Paste in the following commands:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The change should take effect immediately.
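To see what the sc sdset command above grants and to whom, the following PowerShell decodes the DACL portion of that SDDL string into Service Control Manager rights. It is an added example, not part of the original article or of Netreo's tooling; the function name Get-ScmDacl and the Review column are hypothetical names chosen for illustration.

```powershell
# Added example: decode the DACL of a Service Control Manager (SCM) SDDL string.
# Two-letter SDDL rights mapped to their meaning on the SCM object.
$ScmRights = @{
    CC = 'SC_MANAGER_CONNECT';           DC = 'SC_MANAGER_CREATE_SERVICE'
    LC = 'SC_MANAGER_ENUMERATE_SERVICE'; SW = 'SC_MANAGER_LOCK'
    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'; WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    RC = 'READ_CONTROL';                 KA = 'SC_MANAGER_ALL_ACCESS'
}
# Well-known SID aliases that appear in service-related SDDL strings.
$Trustees = @{
    AU = 'Authenticated Users'; SY = 'Local System'; BA = 'Builtin Administrators'
    IU = 'Interactive';         SU = 'Service';      WD = 'Everyone'
}
# Rights that change system state; expected only for SYSTEM and Administrators.
$WriteRights = @('DC', 'WP', 'KA')

function Get-ScmDacl {
    param([Parameter(Mandatory)][string]$Sddl)
    # The DACL runs from "D:" up to the SACL marker "S:" or the end of the string.
    $dacl = [regex]::Match($Sddl, 'D:(.*?)(?:S:|$)')
    if (-not $dacl.Success) { throw 'No DACL found in SDDL string.' }
    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;account_sid
        $field = $ace.Groups[1].Value.Split(';')
        if ($field.Count -lt 6) { continue }   # skip malformed ACEs
        $codes = @([regex]::Matches($field[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Type    = if ($field[0] -eq 'A') { 'Allow' } elseif ($field[0] -eq 'D') { 'Deny' } else { $field[0] }
            Trustee = if ($Trustees.ContainsKey($field[5])) { $Trustees[$field[5]] } else { $field[5] }
            Rights  = ($codes | ForEach-Object { if ($ScmRights.ContainsKey($_)) { $ScmRights[$_] } else { $_ } }) -join ', '
            # True when a principal other than SYSTEM/Administrators is allowed a write right.
            Review  = ($field[0] -eq 'A') -and ($field[5] -notin @('SY', 'BA')) -and
                      [bool]($codes | Where-Object { $_ -in $WriteRights })
        }
    }
}

# SDDL string copied from the sc sdset command on this page.
$PageSddl = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
Get-ScmDacl -Sddl $PageSddl | Format-Table -AutoSize -Wrap
```

To decode the descriptor currently in effect on a server, pass the joined output of sc.exe sdshow scmanager to Get-ScmDacl instead of the embedded string.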
It appears UAC needs to be disabled for these types of remote WMI queries to work.
With UAC running, an administrator account actually has two security tokens, a normal user token and an administrator token (which is only activated when you pass the UAC prompt).
Unfortunately, remote requests that come in over the network get the normal user token for the administrator; and since there is no way to handle a UAC prompt remotely, the token can’t be elevated to the true-administrator security token.
See this Microsoft article for information on how to disable UAC: https://docs.microsoft.com/en-US/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction