
What are the permissions required for CIMSessions

Tags:

powershell

I need to query some WMI classes on servers on which I do not have permissions. Here is the error I get when I run it.

PS> get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_OperatingSystem
get-ciminstance : Access is denied.
At line:1 char:1
+ get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_Operating ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070005,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    + PSComputerName        : test.mydomain.com

Right now the server has PowerShell 2, so it uses DCOM, but I will get PowerShell upgraded and configured to allow WSMAN connections.

But what are the permissions that need to be granted to the account?

Adil Hindistan asked Oct 09 '13 17:10

1 Answer

By default, Administrators (local) and Authenticated Users (domain) have at least read rights to the namespace. You need to ensure you can log in/authenticate to the server. It's worth mentioning that the Authenticated Users group does not have Remote Enable permission by default.

The Windows OS uses WinRM for CIM cmdlets and the user account needs to be an administrator. WinRM makes a local group called WinRMRemoteWMIUsers__ and gives access to just the Administrators group and WinRMRemoteWMIUsers__. To add a user to that group, use the following command:

net localgroup WinRMRemoteWMIUsers__ /add "domain\user"

The abstract answer is simply that you need to be granted Enable Account and Remote Enable permissions to the Namespace to have WMI read rights remotely.

Process to Verify WMI Permissions

Log in to the server and launch mmc.exe. Add the WMI snap-in and, once it loads, right-click on WMI Control. When the Properties window opens, click Security, expand root and select cimv2. Click the Security button and view who is granted access and what access is granted.

Script to Test w/ DCOM

If you want to test using DCOM, or need to because the server OS is too old, use this script:

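# Target server (the host name must be a quoted string)
$Computer = 'thisbox.domain.com'
# Force DCOM instead of the default WSMan transport
$CimOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -ComputerName $Computer -SessionOption $CimOption

# Run the query over the DCOM session
Get-CimInstance -ClassName win32_operatingsystem -CimSession $CimSession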
Colyn1337 answered Nov 09 '22 01:11
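A scripted version of the "Process to Verify WMI Permissions" check above, as an added example that is not part of the original answer: it reads the namespace security descriptor and flags which trustees hold both Enable Account and Remote Enable. The function names `ConvertFrom-WmiAccessMask` and `Get-WmiNamespaceAccess` are hypothetical, and it assumes an elevated session on the server itself.

```powershell
# Added example (not from the original answer). Run elevated on the server.
# WMI namespace access-mask bits as shown in the WMI Control security dialog.
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1      # WBEM_ENABLE
    'Execute Methods' = 0x2      # WBEM_METHOD_EXECUTE
    'Full Write'      = 0x4      # WBEM_FULL_WRITE_REP
    'Partial Write'   = 0x8      # WBEM_PARTIAL_WRITE_REP
    'Provider Write'  = 0x10     # WBEM_WRITE_PROVIDER
    'Remote Enable'   = 0x20     # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000  # READ_CONTROL
    'Edit Security'   = 0x40000  # WRITE_DAC
}

# Hypothetical helper: turn an ACE access mask into the list of right names.
function ConvertFrom-WmiAccessMask {
    param([uint32]$AccessMask)
    foreach ($name in $WmiRights.Keys) {
        if ($AccessMask -band $WmiRights[$name]) { $name }
    }
}

# Hypothetical helper: one row per ACE in the namespace DACL.
function Get-WmiNamespaceAccess {
    param([string]$Namespace = 'root/cimv2')
    # __SystemSecurity is the singleton that exposes the namespace ACL.
    $security = Get-CimInstance -Namespace $Namespace -ClassName __SystemSecurity
    $result = Invoke-CimMethod -InputObject $security -MethodName GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
    }
    foreach ($ace in $result.Descriptor.DACL) {
        $rights = @(ConvertFrom-WmiAccessMask -AccessMask $ace.AccessMask)
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type       = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            # Remote read needs both bits on an Allow ACE (AceType 0).
            RemoteRead = ($ace.AceType -eq 0) -and
                         ($rights -contains 'Enable Account') -and
                         ($rights -contains 'Remote Enable')
            Rights     = $rights -join ', '
        }
    }
}

Get-WmiNamespaceAccess -Namespace 'root/cimv2' | Format-Table -AutoSize
```

A Deny ACE for the same trustee overrides an Allow row, so read the `Type` column together with `RemoteRead` when auditing who can query the namespace remotely.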