
How to Create a Non-Administrator-Based Service Account in Windows

Warning

This document is intended for experienced Windows administrators. Although many customers have used these instructions without issue, Netreo is not responsible for any adverse effects on your server or environment if you attempt these changes. If you have questions, please contact Netreo Support before proceeding.

To create a non-administrator-based service account for OmniCenter, follow these steps:

Create a service account

First, you will need to create the service account you wish to use to monitor your Windows servers. It is imperative this account be used only for OmniCenter management and is not shared with any other applications or users.

Put the newly created user into the following domain groups:

  • Performance Log Users
  • Distributed COM Users

You must now make sure that the “Distributed COM Users” group actually has permissions to access WMI.
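The account creation and group membership described above, scripted in PowerShell. This is an added example, not Netreo's or OmniCenter's own code; it assumes an admin workstation with the ActiveDirectory RSAT module, and the account name and OU are placeholders.

```powershell
# Added example (not Netreo's code): create the dedicated OmniCenter monitoring account
# and add it to the two groups named in the article. Run from a domain-joined admin
# workstation with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$AccountName = 'svc-omnicenter'                           # placeholder name
$TargetOU    = 'OU=Service Accounts,DC=corp,DC=example'   # placeholder OU
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# Dedicated, described as such, so nobody reuses it for another application or user.
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $TargetOU `
    -Description 'OmniCenter WMI monitoring only - do not reuse' `
    -AccountPassword $Password -Enabled $true -ErrorAction Stop

# Only the two groups the article calls for; nothing from the Administrators family.
foreach ($group in 'Performance Log Users', 'Distributed COM Users') {
    Add-ADGroupMember -Identity $group -Members $AccountName -ErrorAction Stop
}

# Verify: expect Domain Users plus exactly the two groups above.
Get-ADPrincipalGroupMembership -Identity $AccountName |
    Select-Object -ExpandProperty Name | Sort-Object
```

The verification step at the end is the useful part for review: if the account shows up in any other group (Administrators, Domain Admins, Remote Desktop Users) it has more than a monitoring account needs. On a server that is not domain-joined, the same memberships are granted locally with Add-LocalGroupMember -Group 'Distributed COM Users' -Member <account> (and likewise for Performance Log Users).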

Enable WMI access

Launch the “Active Directory Users and Computers” tool, select WMI Access from the list and open its properties. On the “Member Of” tab, add the “Distributed COM Users” group to the list.

Configure DCOM Security for the Group

Now, you must configure DCOM security for the group.

  1. Run Component Services from the Windows Start Menu by selecting Start → Administrative Tools → Component Services.
  2. Once it opens, expand “Console Root,” then “Computers,” and finally “My Computer.” Right-click on “My Computer” and select Properties.
  3. In the dialog that appears, click on the “COM Security” tab.
  4. In the “Access Permissions” section, click Edit Limits….
  5. Ensure that the “Distributed COM Users” group has all items checked under “Allow”.
  6. Once you’ve reviewed the settings for “Distributed COM Users,” click OK to save your changes and be returned back to the “COM Security” tab.
  7. Now, in the “Launch and Activation Permissions” section, click Edit Limits….
  8. You are presented with a list of groups and permissions. Ensure that the “Distributed COM Users” group has all items checked under Allow.
  9. Click OK to save your changes.
  10. Exit the Component Services utility.

Next, set WMI namespace security so that the “Distributed COM Users” group has access to WMI objects.

  1. From the Windows Start menu, select Run…, and in the window that opens, type wmimgmt.msc in the “Open:” field and click OK.
  2. Once it opens, right-click on “WMI Control (Local)” and click Properties.
  3. In the properties panel, click on the “Security” tab.
  4. Click on the Security button at the bottom right of the window. This edits the security settings for the root WMI namespace.
  5. You’ll now see a window that has the security settings for WMI for this machine. Click Advanced.
  6. You’ll now see the advanced security settings for this WMI namespace. Add the Netreo service user account to the list and give it at least the following “Allow” permissions. Make sure these permissions apply to this namespace and all namespaces under it by selecting “This namespace and sub-namespaces” in the dropdown box above the permissions list:
    • Execute Methods
    • Enable Account
    • Remote Enable
    • Read Security
  7. Click OK to save the new permissions.
  8. Click OK again to exit out of the “Advanced Security Settings for Root” panel.
  9. Click OK again to exit the security properties.
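The same namespace permissions, granted and then audited from PowerShell. This is an added example rather than anything from the article or from OmniCenter; it uses the WMI __SystemSecurity methods (GetSecurityDescriptor / SetSecurityDescriptor) and assumes Windows PowerShell 5.1 run elevated on the monitored server. The account name is a placeholder.

```powershell
# Added example (not Netreo's code): give the service account the four rights from the
# steps above on the root namespace and all sub-namespaces, then list the resulting DACL.

# WMI namespace access-mask bits (the names match the checkboxes in the Security dialog)
$WbemRights = [ordered]@{
    0x00001 = 'Enable Account'
    0x00002 = 'Execute Methods'
    0x00004 = 'Full Write'
    0x00008 = 'Partial Write'
    0x00010 = 'Provider Write'
    0x00020 = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}
$CONTAINER_INHERIT_ACE = 0x2   # "This namespace and sub-namespaces"

function Grant-WmiNamespaceAccess {
    param([string]$Namespace = 'root', [Parameter(Mandatory)][string]$Account)

    # Exactly the four rights the article requires: 0x1 + 0x2 + 0x20 + 0x20000 = 0x20023
    $mask = 0x00001 -bor 0x00002 -bor 0x00020 -bor 0x20000

    # Store the SID, not the display name, so a rename does not break the ACE
    $domain, $user = $Account -split '\\', 2
    $sid = (New-Object System.Security.Principal.NTAccount($domain, $user)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

    $sec = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($sec.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sec.ReturnValue)" }
    $sd = $sec.Descriptor

    $trustee = ([WMIClass] "${Namespace}:__Trustee").CreateInstance()
    $trustee.SIDString = $sid
    $trustee.Domain    = $domain
    $trustee.Name      = $user

    $ace = ([WMIClass] "${Namespace}:__ACE").CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = 0                    # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.psobject.immediateBaseObject
    $res = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $sd.psobject.immediateBaseObject
    if ($res.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($res.ReturnValue)" }
}

function Get-WmiNamespaceAccess {
    # Decode every ACE so you can confirm the account has only the intended bits
    param([string]$Namespace = 'root')
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        $names = foreach ($bit in $WbemRights.Keys) { if ($ace.AccessMask -band $bit) { $WbemRights[$bit] } }
        [pscustomobject]@{
            Trustee  = $ace.Trustee.SIDString
            Allow    = ($ace.AceType -eq 0)
            Inherits = [bool]($ace.AceFlags -band $CONTAINER_INHERIT_ACE)
            Rights   = ($names -join ', ')
        }
    }
}

Grant-WmiNamespaceAccess -Namespace 'root' -Account 'CORP\svc-omnicenter'   # placeholder account
Get-WmiNamespaceAccess -Namespace 'root' | Format-Table -AutoSize
```

The audit function is worth keeping around after the change: an entry for the service account showing Full Write, Partial Write, Provider Write or Edit Security means someone granted more than the monitoring role needs, and Inherits = False means the grant stops at root and will not reach root\cimv2, where most monitoring classes live.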

Enable Access to the Win32_Services Object

You’ll also have to enable access to the Win32_Services object. The simplest way to do this is via the command prompt.

  1. Right-click on the Windows CMD menu entry and select the “Run as Administrator” option.
  2. Paste in the following commands, exactly as shown:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

The change should take effect immediately.
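Two checks to run after the Component Services steps and the sc sdset command above, written as an added example (not Netreo's code). The first decodes the Service Control Manager security descriptor so the SDDL string in the article can be read as named rights before and after applying it; the second confirms the “Distributed COM Users” group has Allow entries in the machine-wide DCOM access and launch limits. It assumes Component Services stores those limits as binary security descriptors in the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Microsoft\Ole, and that sc.exe sdshow prints the SDDL on its own line.

```powershell
# Added example (not Netreo's code): decode the SCM and DCOM security descriptors touched
# by the steps above so the granted rights can be reviewed by name.

# Service Control Manager access rights (SDDL generic letters CC/LC/RP/... map onto these bits)
$ScmRights = [ordered]@{
    0x00001 = 'SC_MANAGER_CONNECT'             # CC
    0x00002 = 'SC_MANAGER_CREATE_SERVICE'      # DC
    0x00004 = 'SC_MANAGER_ENUMERATE_SERVICE'   # LC
    0x00008 = 'SC_MANAGER_LOCK'                # SW
    0x00010 = 'SC_MANAGER_QUERY_LOCK_STATUS'   # RP
    0x00020 = 'SC_MANAGER_MODIFY_BOOT_CONFIG'  # WP
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'                   # RC
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}
# DCOM rights used by the machine-wide limits
$DcomRights = [ordered]@{
    0x01 = 'COM_RIGHTS_EXECUTE'
    0x02 = 'COM_RIGHTS_EXECUTE_LOCAL'
    0x04 = 'COM_RIGHTS_EXECUTE_REMOTE'
    0x08 = 'COM_RIGHTS_ACTIVATE_LOCAL'
    0x10 = 'COM_RIGHTS_ACTIVATE_REMOTE'
}

function Get-AceReport {
    # Shared helper: one row per ACE with the mask translated into right names
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd, $RightNames)
    foreach ($ace in $Sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }
        $names = foreach ($bit in $RightNames.Keys) { if ($ace.AccessMask -band $bit) { $RightNames[$bit] } }
        [pscustomobject]@{
            Trustee = $who
            Type    = $ace.AceType
            Mask    = ('0x{0:X}' -f $ace.AccessMask)
            Rights  = ($names -join ', ')
        }
    }
}

function Get-ScmAccess {
    # Decode an SDDL string; defaults to the live SCMANAGER descriptor from sc.exe
    param([string]$Sddl)
    if (-not $Sddl) {
        $Sddl = (& sc.exe sdshow SCMANAGER | Where-Object { $_ -match '^[DOGS]:' }) -join ''
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    Get-AceReport -Sd $sd -RightNames $ScmRights
}

function Get-DcomLimits {
    # Report the Allow ACE for a SID in each machine-wide DCOM limit; default is Distributed COM Users
    param([string]$Sid = 'S-1-5-32-562')
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        try   { $bytes = (Get-ItemProperty -Path $ole -Name $name -ErrorAction Stop).$name }
        catch { [pscustomobject]@{ Limit = $name; Status = 'not customized (defaults in use)' }; continue }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        $allow = $sd.DiscretionaryAcl |
            Where-Object { $_.SecurityIdentifier.Value -eq $Sid -and $_.AceType -eq 'AccessAllowed' } |
            Select-Object -First 1
        $rights = if ($allow) {
            (Get-AceReport -Sd $sd -RightNames $DcomRights | Where-Object Mask -eq ('0x{0:X}' -f $allow.AccessMask) | Select-Object -First 1).Rights
        } else { '' }
        [pscustomobject]@{ Limit = $name; Status = $(if ($allow) { 'Allow ACE present' } else { 'NO Allow ACE' }); Rights = $rights }
    }
}

# Decode the article's string before applying it, then check what is actually in effect
Get-ScmAccess -Sddl 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)' | Format-Table -AutoSize
Get-ScmAccess | Format-Table -AutoSize
Get-DcomLimits | Format-Table -AutoSize
```

Reading the article's SDDL through Get-ScmAccess shows what the change actually grants: Authenticated Users get connect, enumerate, query-lock-status and read-control on the SCM, which is enough to list services, and no create, lock or boot-config rights. If the live output differs from that decode, something else has modified the SCM descriptor since. An empty Rights column or a “NO Allow ACE” status from Get-DcomLimits means the Component Services steps did not take and remote WMI from the service account will still fail with access denied.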

UAC Issues

It appears UAC needs to be disabled for this type of remote WMI query to work. With UAC running, an administrator account actually has two security tokens, a normal user token and an administrator token (which is only activated when you pass the UAC prompt). Unfortunately, remote requests that come in over the network get the normal user token for the administrator; and since there is no way to handle a UAC prompt remotely, the token can’t be elevated to the true administrator security token.

Updated on April 11, 2019
