Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Permissions Issue

Hello, I hope someone here has run into this issue before.

I am trying to get the APM working WITHOUT adding a service account to the Local Admins group. We are trying to remain very granular with our security and want to have the APM work with a service account that has WMI read access.

Here is what I've done so far.

1. Created an AD Service Account

2. Added said Service Account to WMI Control (Right click WMI Control, Security Tab, Select ROOT, Click Security Button, Add Service Account, Checkbox "Enable Account, Remote Enable, Read Security", Click Advanced Button, Select Service Account, Edit Button, Apply to "This namespace and subnamespaces", Checkbox "Apply these permissions to objects and/or containers within this container only"

3. Created APM Credentials within Orion

4. Apply Windows Server 2003-2008 template to server

I thought it should be that easy but it isn't, at least not in my situation. Whenever I test the APM, I get ACCESS DENIED. If I add the Service Account to the local admins account, the APM works fine.

I don't want to have my service account in the local admins group, I want the service account to ONLY have read access to WMI. Has anyone done this?

Thanks for your assistance.

Zach

NOTE: I have followed the WMI troubleshooting guide and it says that I have to have the account in the local admins group *but* a colleague of mine has the APM working without his service account being in the local admins group. I have setup my environment the same as his but I am having issues and he is not.

Find more posts tagged with

apm_wmi_win32_version_security_permissions_account_read-only

Accepted answers

RogerWong

The author claims this was the minimum permission set that let him use WMI with a non-admin Windows account in his monitoring environment. I hope it works for you too.

All comments

jiri.tomek

Hello Zach,
have you tried WMI access using that account remotely using "wbemtest" tool? Is it working?

How exactly do you use that service account? Do you use it as APM credentials assigned to Windows Server 2003-2008 template or do you have SolarWinds services running under that account?

zhollett

Thanks for the reply Jiri,

I have tried using wbemtest to access the remote computer and that only works when I add the account to the local admins account.

I dont think this is a problem with Orion, Its me, I'm doing it wrong. I dont yet know how to get a service account read only access to WMI without adding it to the local admins group.

Any assistance would be appreciated.

RogerWong

The author claims this was the minimum permission set that let him use WMI with a non-admin Windows account in his monitoring environment. I hope it works for you too.

zhollett

Nice find Roger.

I had a look thru the thread and seems reasonable enough. I think my environment is a bit more granular than the environment posted by jeremiah. Using the rights supplied in his thread, I was able to get *some* WMI, which means I was doing it wrong, but now I have the unfortunate task of finding out the difference between Admin rights and all of the specific rights required to allow Orion read access to everything.

I am starting to think that its going to be simpler to just have the monitoring account in the local admins.