What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

WMI Permissions for a Local User

Votes:

0

Hi,

I assume barely anyone has their service account as a domain admin - but has a domain user with WMI permissions that does the work for that.

I wonder how has everyone done that, just created local user accounts on every server and assigned permissions on every server? Or have you all made a local administrator account and just left it that way, or perhaps made a domain user account and assigned it WMI permissions on the local remote computer? And if you have done the last option, HOW have you done it?

I can't get it to work, I have tried almost everything. I'm just not able to assign local permissions to a domain user account because the domain user does simply not appear in the "Local Users and Groups" tab where all the other users are in.

I hope anyone has a proper solution for this, however, I assume there is someone because I can't be the only with this problem, right?

Really appreciate the effort, and I wish everyone the best for the new year of 2019.

Regards,

Sven

permissions user wmi

Created on Dec 31, 2018 10:00:40 AM



Best Answer

Accepted Answer

Votes:

0

Created on Jan 17, 2019 12:29:17 PM



3 Replies

Votes:

3

We have created DL-LOCALADMIN-"SERVERNAME" groups for each individual server with powershell. I then created one GG-LOCALADMIN-ALLSERVERS group which holds all DL-LOCALADMIN groups as member off, in the members section of the GG group I place the PRTG service account.

This way the PRTG service account is localadmin on all servers and able to query the machine through WMI.

The powershell script I uses it this:

$ServerName = ""
$OU = ""
New-ADGroup –name “GG-LOCALADMIN-$ServerName” –path $OU -GroupCategory Security -GroupScope Global
New-ADGroup –name “DL-LOCALADMIN-$ServerName” –path $OU -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity “DL-LOCALADMIN-$ServerName” -Members “GG-LOCALADMIN-$ServerName”
Add-ADGroupMember -Identity “DL-LOCALADMIN-$ServerName” -Members “GG-LOCALADMIN-ALLSERVERS”
Invoke-Command -Computername $ServerName -ScriptBlock { Add-LocalGroupMember -Group "Administrators" -Member "DL-LOCALADMIN-$ServerName"}

This script creates a GG-LOCALADMIN group and a DL-LOCALADMIN group for every server, it then makes the DL-LOCALADMIN group member of the GG-LOCALADMIN-ALLSERVERS group, lastly it invokes a remote command to add the DL-LOCALADMIN group to the local administrators group.

I follow AGDLP or UGLY principle.

Alternatively you can throw your PRTG service account in the domain group "Administrators" (not Domain Administrators!!!) which grants the account local administrator privileges but not domain administrator privileges. Although I dislike the fact of using built-in groups and just have control over which accounts has permissions on which machine.

Created on Jan 2, 2019 1:15:29 PM

Last change on Jan 2, 2019 2:22:40 PM by  Erhard Mikulik [Paessler Support]



Votes:

0

@Rens, thanks for your reply. I thought about this as well, however, it's almost the same principle. Next to that - how are you monitoring your Domain Controller?

Created on Jan 2, 2019 2:22:24 PM



Accepted Answer

Votes:

0

Created on Jan 17, 2019 12:29:17 PM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.