Hello! In most cases we use Domain Admin account for any WMI sensor, is there a way to set individual account only for PRTG WMI access WITHOUT Domain or Local Administrative Rights? I found several articles but all of them are old. Or just no news here?
WMI access without Administrative Rights.
Votes:
1
7 Replies
Votes:
1
Just no news here - the permissions required for WMI haven't changed that much :)
PRTG Scheduler |
PRTGapi |
Feature Requests |
WMI Issues |
SNMP Issues
Kind regards,
Stephan Linke, Tech Support Team
Votes:
0
So if conclude: we can FULLY monitor WMI only with Administrators, because it can't be separated from other OS components? And if we want to do it it will be hard work with almost no result at the end?
Votes:
0
Well you could use a non-administrative user, WMI should work properly - apart from WMI Service Sensors, which do require either administrative permissions or ACLs configured accordingly. Carbon is very nice for this:
Grant-ServicePermission -Name <service name> -Identity "<domain>\<user>" -QueryStatus -Interrogate -Start -Stop
Note that this has to be configured on a per-service base and may require some tinkering. Eventually, this will just allow you to use non-administrative user accounts, which might be a necessity for some.
PRTG Scheduler |
PRTGapi |
Feature Requests |
WMI Issues |
SNMP Issues
Kind regards,
Stephan Linke, Tech Support Team
Votes:
0
Thank you Stephan, can you give a link to actual article with WMI permission settings?
Votes:
1
There you go :)
PRTG Scheduler |
PRTGapi |
Feature Requests |
WMI Issues |
SNMP Issues
Kind regards,
Stephan Linke, Tech Support Team
Votes:
0
Hellow, could you explane to me more deployed what shall i do to get this permitions for non-administrative accout. I need to monitor AD replication, i downloaded the Carbon tool, цhats next? Where i should install it - on my personal computer or on DC? Grant-ServicePermission -Name <service name> what it shuold be for AD replication?
Votes:
1
Hello Alexandr,
Thanks for getting back to us! The Carbon tool mentioned by my colleague is for rolling out permissions to the users to allow the monitoring of the service status. If you run the command in a PowerShell on the target host, which you want to monitor, the ACL to allow access to the service will be changed there, via this command.
If a client, like the PRTG Probe Software then tries to authenticate against the DC, the DC will first allow the access to the host by confirming the credentials and the target device will lookup if the local ACL exists to grant the access to the particular service status metric.
Testing the changes via the WMI Tester from the host on which the PRTG Probe got installed is recommended though.
Kind regards,
Felix Saure, Tech Support Team
Created on Oct 18, 2021 8:09:51 AM by
Felix Saure [Paessler Support]
Last change on Oct 18, 2021 8:36:38 AM by
Felix Saure [Paessler Support]
Add comment