Tuesday, August 2, 2011

WMI on windows for zenoss

taken somewhere from internet.

Yes, there shoulb be a difference between Administrator and users even in Administrators built-in group for the UAC (User Account Control) feature in Windows Vista and Windows Server 2008.

Under UAC, accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges. Because of UAC access token filtering, a remote WMI query is always run under the standard user token.

So for a computer in workgroup, even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user. A best practice is to create a dedicated local user account on the target computer with explicit DCOM and WMI namespace access rights granted specifically for remote connections.

1. Open the Component Services by run 'dcomcnfg' in command prompt.
2. Expand Component Services--->Computers nodes and right click My Computer.
3. In the COM Security tab, explicitly grant the AdminB local and remote Lauch and Activation permissions in both 'Edit Limits…' and 'Edit Default…'.
4. Open the WMI management by run 'wmimgmt.msc' in command prompt.
5. Connect it to local, right click--->Properties--->Security. Grant the AdminB local account 'Execute Methods' and 'Remote Enable' permission apply onto 'This namespace and subnamespaces'.

Note: The permissions for AdminB in DCOM and WMI namespace is much depend on what will the script do. Please make necessary change to fulfill the specific require.

Hope it helps