To create a non-administrator-based service account for OmniCenter follow these steps:
Create the Service Account
First, you will need to create the service account you wish to use to monitor your Windows servers. It is imperative this account be used only for OmniCenter management and is not shared with any other applications or users.
Put the newly created user into the following domain groups:
- Performance Log Users
- Distributed COM Users
You must now make sure that the “Distributed COM Users” group actually has permissions to access WMI.
Enable WMI access
Launch the “Active Directory Users and Computers” tool, select WMI Access from the list and open its properties. On the “Member Of” tab, add the “Distributed COM Users” group to the list.
Configure DCOM Security for the Group
Now, you must configure DCOM security for the group.
- Run Component Services from the Windows Start Menu by selecting Start → Administrative Tools → Component Services.
- Once it opens, expand “Console Root,” then “Computers,” and finally “My Computer.” Right-click on “My Computer” and select Properties.
- In the dialog that appears, click on the “COM Security” tab.
- In the “Access Permissions” section, click Edit Limits….
- Ensure that the “Distributed COM Users” group has all items checked under “Allow”.
- Once you’ve reviewed the settings for “Distributed COM Users,” click OK to save your changes and be returned back to the “COM Security” tab.
- Now, in the “Launch and Activation Permissions” section, click Edit Limits….
- You are presented with a list of groups and permissions. Ensure that the “Distributed COM Users” group has all items checked under Allow.
- Click OK to save your changes.
- Exit the Component Services utility.
Next, set WMI namespace security so that the “Distributed COM Users” group has access to WMI objects.
- From the Windows Start menu, select Run…, and in the window that opens, type
wmimgmt.mscin the “Open:” field and click OK.
- Once it opens, right-click on “WMI Control (Local)” and click Properties.
- In the properties panel, click on the “Security” tab.
- Click on the Security button at the bottom right of the window. This edits the security settings for the root WMI namespace.
- You’ll now see a window that has the security settings for WMI for this machine. Click Advanced.
- You’ll now see the advanced security settings for this WMI namespace. Add the Netreo service user account to the list, and give at least the following “Allow” permissions (make sure that these permissions apply to this namespace and all the namespaces under it, by selecting “This namespace and sub-namespaces” in the dropdown box above the permissions list window.):
- Click OK to save the new permissions.
- Click OK again to exit out of the “Advanced Security Settings for Root” panel.
- Click OK again to exit the security properties.
Enable Access to the Win32_Services Object
You’ll also have to enable access to the Win32_Services object. The simplest way to do this is via the command prompt.
- Right-click on the Windows CMD menu entry and select the “Run as Administrator” option.
- Paste in the following commands, exactly as shown:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD) reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The change should take effect immediately.
It appears UAC needs to be disabled for these types of remote WMI queries to work. With UAC running, an administrator account actually has two security tokens, a normal user token and an administrator token (which is only activated when you pass the UAC prompt). Unfortunately, remote requests that come in over the network get the normal user token for the administrator; and since there is no way to handle a UAC prompt remotely, the token can’t be elevated to the true-administrator security token.