Does anyone have any insight into how to set up a least-privilege user for WMI
monitoring of Windows systems? I realize I could get around this by using an
account with admin privileges, but I'd prefer not to do that -- it makes
"selling" this internally harder than I'm willing to overcome.
I've gotten most of the way there, but I'm missing just a last little bit.
Here's what I have so far:
1) I have an unprivileged domain account (wmireader)
2) For each system I want to monitor, I enable WMI access (enable and remote
enable to "Root" and all child namespaces).
3) Account is added to the local groups "Distributed COM Users" and
"Performance Monitor Users" (Windows Server 2003 only)
4) Enable remote access to the "scmanager" service (This is for Windows Server
2003 beyond SP1). This entails adding the following DACL entry:
(A;;CCLCRPRC;;;{SID for wmireader redacted})
5) Added read privileges for eventlog through CustomSD value in registry.
I've only done this for "Application" and "System"
Now, what I've noticed is that when I do this I can connect via WMI, I can get
PerfMon data, I can query the eventlog using the same WQL as is used in
zeneventlog.py, and I can list _most_ services.
However, I can't get all the data for services. I'm missing 'ServiceType',
'StartMode', 'StartName', and 'PathName'. If I change the DACL for a given
service such that wmireader has the same privileges as the "Power Users" group,
I can see all those attributes via wbemtest. But querying on the Zenoss side
doesn't return those attributes.
Read this topic online here:
http://community.zenoss.com/forums/viewtopic.php?p=24000#24000
zenoss-users mailing list
http://lists.zenoss.org/mailman/listinfo/zenoss-users
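An added audit script, not from the post or from Zenoss, that checks steps 2 to 5 of the setup above on a monitored host so the least-privilege configuration can be verified rather than trusted. Assumptions: the account name DOMAIN\wmireader (adjust it), PowerShell 5.1 on Windows Server 2012 R2 or later with local admin rights, and domain connectivity so the account name resolves to a SID; the rights letters and WMI mask bits used are the standard SDDL and WMI permission values.

```powershell
# Audit script for the least-privilege WMI monitoring account (added example).
param([string]$Account = 'DOMAIN\wmireader')   # assumed name; change to match

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Rights field of the first access-allowed ACE for $Sid in an SDDL string, or $null.
# SDDL ACE layout: (AceType;AceFlags;Rights;ObjectGuid;InheritGuid;AccountSid)
function Get-AllowRights([string]$Sddl, [string]$Sid) {
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -ge 6 -and $f[0] -eq 'A' -and $f[5] -eq $Sid) { return $f[2] }
    }
    return $null
}

# Step 4: scmanager must carry the CC LC RP RC allow entry from the post.
$scSddl  = (sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }) -join ''
$r       = Get-AllowRights $scSddl $sid
$missing = @('CC','LC','RP','RC') | Where-Object { -not ($r -and $r.Contains($_)) }
"scmanager DACL: " + $(if (-not $missing) { "OK ($r)" } else { "missing $($missing -join ',')" })

# Step 5: CustomSD on the Application and System logs must allow the account.
foreach ($log in 'Application','System') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $csd = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    $r   = if ($csd) { Get-AllowRights $csd $sid }
    "$log CustomSD: " + $(if ($r) { "OK (mask $r)" } else { 'no allow ACE for account' })
}

# Step 2: root namespace security must grant Enable (0x1) and Remote Enable (0x20).
$sec  = Get-WmiObject -Namespace root -Class __SystemSecurity
$dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
$mask = 0
foreach ($ace in $dacl) {
    if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) { $mask = $mask -bor $ace.AccessMask }
}
"root namespace: " + $(if (($mask -band 0x21) -eq 0x21) { 'Enable+RemoteEnable OK' } else { "mask=0x$('{0:X}' -f $mask)" })

# Step 3: local group membership used for DCOM and performance counter access.
foreach ($g in 'Distributed COM Users','Performance Monitor Users') {
    $in = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
          Where-Object { $_.SID.Value -eq $sid }
    "$g : " + $(if ($in) { 'member' } else { 'NOT a member' })
}
```

Inheritance to child namespaces (the "all child namespaces" part of step 2) is not checked here; rerun the namespace block with a different -Namespace value to verify a specific child.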