We have been using the UCMDB DDM Mapping tool for a while. We keep running into roadblocks with the WMI Discovery for Windows Hosts. Ever since Windows Server 2003 SP1, the WMI Namespaces have been locked down in such a way that the easiest way to get around this is to grant the probe Administrator rights across the domain.
For some valid reasons, our network administrators do not want to grant this level of access. Has anyone come across the specific permissions that need to be granted in order to get the WMI discoveries to work correctly? How are you guys getting around this issue?
We have been setting up the SNMP Agent on the Windows environment to pull some of the data so we can do dynamic maps, but this is less than ideal. Thanks, Stephen
P.S. This thread has been moved from Application Perf Mgmt (BAC / BSM) Support and News Forum to CMS and Discovery Support and News Forum. - Hp forum Moderator
We defined a domain user in the Windows production domain with minimum access rights. Then we configured local privileges as described below:
- Grant access to the COM object by adding the domain user/group to the local group "Distributed COM Users".
- Grant "Remote Enable" access to the domain user/group on the WMI namespace \ROOT\cimv2 and all subnamespaces.
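The two grants described in the reply above, scripted as an added example (not code from the thread or from the product), for Windows PowerShell 5.1 run elevated on the target host. The account name is a placeholder, and the ACE grants only "Remote Enable", as the reply states; the follow-up post reports that the Win32_Service query still failed with these rights.

```powershell
# Added example. $Account is a hypothetical placeholder, not a value from the thread.
$Account   = 'EXAMPLE\svc-discovery'   # domain user or group used by the probe
$Namespace = 'root\cimv2'

# WMI namespace access-mask bit and ACE constants
$WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable"
$CONTAINER_INHERIT  = 0x2    # propagate the ACE to subnamespaces
$ACCESS_ALLOWED     = 0x0    # allow ACE

# 1. DCOM: add the account to the local "Distributed COM Users" group
Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Account -ErrorAction Stop

# 2. WMI: read the current security descriptor of the namespace
$wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

# Resolve the account to its SID string
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Build an allow ACE carrying only Remote Enable, inherited by subnamespaces
$trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
$trustee.SidString = $sid
$ace = (New-Object System.Management.ManagementClass('Win32_ACE')).CreateInstance()
$ace.AccessMask = $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = $ACCESS_ALLOWED
$ace.Trustee    = $trustee

# Append to the existing DACL (existing ACEs are kept) and write it back
$sd.DACL += $ace.PSObject.ImmediateBaseObject
$set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# 3. Verify: list the ACEs now held by the account on the namespace
(Invoke-WmiMethod @wmi -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SidString -eq $sid } |
    Select-Object @{n='Sid'; e={$_.Trustee.SidString}}, AccessMask, AceFlags, AceType
```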
Thank you for your response. I tried what you recommended, and I cannot run the WMI query "SELECT DisplayName,StartMode,State,AcceptPause,Description,PathName FROM Win32_Service" with the permissions set as you have described.
The Network User was able to access the WMI namespace using wbemtest, but when I went to execute the query, I got an "unspecified error". I tried a couple of different WMI Permission sets, including just the "Remote Enable" permission.
Also, my discovery of services won't work, unless I add the Network User into the local Administrator group. Thanks, Stephen
My network admins are pretty understandably concerned about having to give Administrator rights to the probe to get this information.
I've thought about locking down the probe box, and granting the local computer account the DA right to the network, but would that be an option? You wouldn't know necessarily what the password is for the account, as it's hidden.
I think the biggest concern is the fear of the unknown of what damage the product can do if it has the elevated rights. How are folks presenting this to management? Thanks, Stephen
I was able to overcome some of these challenges by giving the use case for the value provided to support enterprise audit requests. Once we illustrated how we (our team) could be a one-stop-shop for audit reports, credentials and access were quickly provided.