Script Tips

Straight Dope on WMI Security

Getting past the dual security when you connect to WMI on a remote computer.

This week, I want to briefly cover some often-confusing parts about Windows Management Instrumentation (WMI) security.

Keep in mind that when you connect to WMI on a remote computer, you’re really having two security checks performed against you. For example, inspect the following code:

Set oWMI = GetObject("winmgmts://server2")
Set oOS = oWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")

The first security check occurs when your computer connects to the WMI service on Server2; in Windows Server 2003, for example, only a small subset of accounts are permitted to connect to WMI at all. As written, this script will connect using the user credentials that you’re currently logged in with (unless you run the script using alternate credentials, by utilizing Runas, for example).

If you’re just retrieving information, then permission to connect to WMI is usually sufficient. But if you’re trying to do something, you may need additional permissions. For example:

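Set oWMI = GetObject("winmgmts://server2")
Set colOS = oWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
' ExecQuery returns a collection, so call Reboot on each instance in it
For Each oOS In colOS
    oOS.Reboot
Next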

Now you’ll encounter a second security check, which makes sure you have permission to do the requested operation (rebooting the remote server). It’s possible to configure WMI so that, for example, members of Domain Users can connect and query information. Normally, however, servers won’t allow Domain Users to restart the server. So it’s possible to run a script like this one, have it connect to WMI successfully, but fail due to an additional security check by the operating system.

In order for remote WMI scripts to work, the account running the script must have permission to connect to (and manipulate, if necessary) WMI, as well as have whatever underlying operating system permissions are required to perform the necessary task. This double-whammy of security can sometimes be confusing, but if you keep it in mind as you’re writing WMI scripts, you’ll be able to avoid a number of potential errors.
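To see which of the two checks stopped a script, trap the error at each stage. The following VBScript is an added example, not part of the original column; it reuses the column's sample host server2, and the constants are the standard HRESULT values for access denied (DCOM and WMI) and privilege not held.

```vbscript
' Added example: report which of the two security checks rejected the caller.
' "server2" is the sample host name used in the column.
Option Explicit
Const E_ACCESSDENIED = "80070005"            ' DCOM refused the connection
Const WBEM_E_ACCESS_DENIED = "80041003"      ' WMI refused the caller
Const WBEM_E_PRIVILEGE_NOT_HELD = "80041062" ' required privilege not held

Dim oWMI, colOS, oOS, rc, sawInstance
On Error Resume Next

' Check 1: may this account connect to WMI on the remote computer?
Set oWMI = GetObject("winmgmts://server2")
If Err.Number <> 0 Then
    Report "connect to WMI", Err.Number, Err.Description
    WScript.Quit 1
End If

' Read-only query: permission to connect is usually sufficient for this.
' ExecQuery is semisynchronous, so errors can surface during enumeration.
Set colOS = oWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
sawInstance = False
For Each oOS In colOS
    sawInstance = True
    WScript.Echo "Connected and queried: " & oOS.Caption

    ' Check 2: may this account perform the operation itself?
    rc = oOS.Reboot()
    If Err.Number <> 0 Then
        Report "reboot (second check)", Err.Number, Err.Description
    ElseIf rc <> 0 Then
        WScript.Echo "Reboot refused, return code " & rc
    Else
        WScript.Echo "Reboot accepted"
    End If
Next
If Not sawInstance Then
    Report "query Win32_OperatingSystem", Err.Number, Err.Description
End If

Sub Report(stage, errNumber, errText)
    Dim code: code = Hex(errNumber)
    WScript.Echo "Failed to " & stage & ": 0x" & code & " " & errText
    If code = E_ACCESSDENIED Or code = WBEM_E_ACCESS_DENIED Then
        WScript.Echo "  -> access denied: the account lacks the needed permission"
    ElseIf code = WBEM_E_PRIVILEGE_NOT_HELD Then
        WScript.Echo "  -> a required privilege is not held for this operation"
    End If
End Sub
```

Run it with cscript so the messages go to the console; a failure at the connect stage points at WMI access, while a failure at the reboot stage points at the operating system permission.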

If you want to try this out, we've provided a script that inventories service pack installations on client computers. You can view the script by clicking here.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
