We currently have SolarWinds set up to poll our servers using a domain account with administrative permissions on the target machines. We want to move towards a least-privilege approach for security reasons and reduce the use of high-privileged accounts wherever possible. Specifically, we are looking for guidance on: * Least-Privilege WMI Polling* Can SolarWinds reliably poll servers (CPU, memory, disk, event logs) using a non-admin domain account? * What are the exact permissions required on the target servers for this account to work agentlessly? * DCOM / WMI Permissions via GPO* We are exploring using GPO-deployed scripts to grant the account Enable, Remote Enable, and Read access on WMI namespaces, and the necessary DCOM Remote Launch/Activation/Access rights. * Is this considered best practice for agentless polling in large environments? * Agent-Based Monitoring* Are there situations where switching to SolarWinds agents is recommended because least-privilege WMI polling is not sufficient? * Other Ideas / Recommendations* Are there alternative approaches to reduce privileged access while maintaining full monitoring coverage? * Any lessons learned from similar environments would be appreciated. Our goal is to eliminate the need for a domain admin or overly privileged account on our servers while maintaining reliable SolarWinds monitoring. Thanks in advance for any guidance or examples of best practice!

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Least-Privilege WMI Polling vs. Admin Account – Need for Agent-Based Deployment?

We currently have SolarWinds set up to poll our servers using a domain account with administrative permissions on the target machines. We want to move towards a least-privilege approach for security reasons and reduce the use of high-privileged accounts wherever possible.

Specifically, we are looking for guidance on:

Least-Privilege WMI Polling
- Can SolarWinds reliably poll servers (CPU, memory, disk, event logs) using a non-admin domain account?
- What are the exact permissions required on the target servers for this account to work agentlessly?
DCOM / WMI Permissions via GPO
- We are exploring using GPO-deployed scripts to grant the account Enable, Remote Enable, and Read access on WMI namespaces, and the necessary DCOM Remote Launch/Activation/Access rights.
- Is this considered best practice for agentless polling in large environments?
Agent-Based Monitoring
- Are there situations where switching to SolarWinds agents is recommended because least-privilege WMI polling is not sufficient?
Other Ideas / Recommendations
- Are there alternative approaches to reduce privileged access while maintaining full monitoring coverage?
- Any lessons learned from similar environments would be appreciated.

Our goal is to eliminate the need for a domain admin or overly privileged account on our servers while maintaining reliable SolarWinds monitoring.

Thanks in advance for any guidance or examples of best practice!

Find more posts tagged with

orion

network_management

Accepted answers

All comments

NVSteven

Some of the restrictions on WMI are due to Microsoft. I would be interested in what you find out in your testing of the non-Admin WMI. SolarWinds doesn't know the permissions on the account just if it works.

I currently use agents, because the lack of SolarWinds to use rotating passwords for accounts. Depending on complexity and speed of network, agents add the additional issues of failing connections and causing alerting on Windows nodes that are actually up.

Lofstrand

@NVSteven You could make use of gMSA accounts, that way you don't have to bother about passwords:

Use gMSA accounts for Windows polling

@ajbmatt There are attempts to use WMI without local admin. Some say it works. See more here:

Has Anybody Ever Gotten WMI to Work without Admin credentials - THWACK

As normally WMI requires local admin privs to work, an account with local administrative privs are required. Does not have to be domain admin for monitoring normal servers. But, for the domain controllers, being local admin on them means being domain admin. Therefor I would recommend using agent on DC's at least.

NVSteven

It is a recent SW feature that still needs to include some of the unsupported features before we would switch to it.