!WMI Security!
Keywords: Remote Remotely Connect Rights Permissions
Managing WMI security
Windows Management Instrumentation (WMI) supports a limited form of security that validates each user before the user is allowed to connect to WMI, on either the local computer or a remote computer. This security is layered on top of the operating system security. WMI does not override or circumvent security provided by the operating system.
By default, all members of the Administrators group have full control of the WMI services on the computer that is being managed. All others have read/write/execute permissions on their local computer only.
Permissions can be changed, either by adding a user to the Administrators group on the managed computer, or by authorizing users or groups in WMI and setting their permission level. Access is based on WMI namespaces.
On computers running Windows 95, Windows 98, or Windows Millennium Edition, all users have full control locally. However, permissions can be set for users managing a Windows 95, Windows 98, or Windows Millennium Edition computer remotely.
Security is checked only when a user connects to the Windows Management service. Thus, any changes made to a user's permissions while the user is connected will not take effect until the next time the user starts a WMI service. For example, if a user's access is revoked, the changes will not take effect until the user exits from WMI and attempts to connect to the service again.
To authorize WMI users and set permissions
- Open WMI Control (wmimgmt.msc). In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
- Select the namespace for which you want to give a user or group access, and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add.
- Click the Check Names button to verify your entry and then click OK. You might have to change the location or use the Advanced button to query for objects. See the dialog box help for more details.
- In the Security dialog box, under Permissions, select the permissions to allow or deny the new user or group.
  - Execute Methods - Allows methods exported from the WMI classes or instances to be run.
  - Full Write - Allows full read, write, and delete access to all WMI objects, classes, and instances.
  - Partial Write - Allows write access to static WMI objects.
  - Provider Write - Allows write access to objects that are provided by providers.
  - Enable Account - Allows read access to WMI objects.
  - Remote Enable - Allows remote access to the namespace.
  - Read Security - Allows read-only access to WMI security information.
  - Edit Security - Allows read and write access to WMI security information.
Notes:
- To open the WMI Control console, click Start, click Run, type wmimgmt.msc, and then click OK.
- You must be an administrator or a member of the Administrators group on the computer you are managing, or have been given appropriate permissions, to perform this task.
- You can set permissions on a remote computer or a local computer.
- To access a remote computer, right-click WMI Control, click Connect to another computer, click Another computer, and then type the name of the computer to which you want to connect. If you are using WMI Control from the Computer Management console, right-click the Computer Management node to connect to the other computer.
- You can connect to the computer as a different user if you have multiple logon names. To connect as another user, click the General tab, click Change, clear the Log on as current user check box, and then type a user name and password.
- On computers running Windows 95, Windows 98, or Windows Millennium Edition, all users have full control locally. Security settings are only relevant for remote connection to a computer running Windows 95, Windows 98, or Windows Millennium Edition.
- You can delete a user's or group's authorization to access WMI services by selecting that user or group and clicking Remove.
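To review what the procedure above has actually granted on a namespace, the following added example (not part of the original article) reads the namespace security descriptor and decodes each entry into the permission names listed earlier, marking entries that allow Remote Enable. The function names are hypothetical, the bit values are the standard WMI namespace access-right constants rather than values from this article, and the script assumes Windows PowerShell 5.1 run by an account with Read Security on the namespace.

```powershell
# Added example, not from the original article. Requires Windows PowerShell 5.1
# (Invoke-WmiMethod is not available in PowerShell 7).

# Access-mask bits for the permissions named in the article (standard WMI constants).
$WmiRights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}

# Hypothetical helper: turn a numeric access mask into permission names.
function ConvertFrom-WmiAccessMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    $WmiRights.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: list every ACE on a namespace, local or remote.
function Get-WmiNamespaceAcl {
    param(
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = 'localhost'
    )
    $sd = Invoke-WmiMethod -Namespace $Namespace -ComputerName $ComputerName `
              -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($sd.ReturnValue)"
    }
    foreach ($ace in $sd.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee      = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name)
            Type         = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
            Inherited    = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
            RemoteEnable = [bool]($ace.AccessMask -band 0x20)
            Permissions  = (ConvertFrom-WmiAccessMask $ace.AccessMask) -join ', '
        }
    }
}

# Review the namespace, listing entries that allow remote access first.
Get-WmiNamespaceAcl -Namespace 'root\cimv2' |
    Sort-Object RemoteEnable -Descending |
    Format-Table -AutoSize
```

Because security is checked only at connection time, an entry removed from this list does not end sessions that are already connected.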
Article ID: W15355