

How to create a non-administrator user for SAM polling


This article is for educational purposes only. SolarWinds Technical Support cannot assist with the creation of a least privileged Windows user account, nor the assignment of permissions to such a user account. For assistance configuring Microsoft Windows user account permissions, please refer to Microsoft Technical Support at http://support.microsoft.com/contactus/. (© 2016 Microsoft, available at https://support.microsoft.com, obtained on June 20, 2016.)

 

For troubleshooting purposes, you may be asked by SolarWinds support to utilize a local or domain administrator account solely to eliminate possible permissions related issues as the cause of polling errors.

 

These are the requirements to monitor performance counters using WMI. If you want to monitor performance counters using RPC, refer to this KB article instead: User Permissions for Windows Performance Counters over RPC.

 

  1. Create a regular user on the target machine (for example, SAMuser).
  2. Add this user to the Performance Monitor Users and Distributed COM Users groups.
  3. In the WMI management console, give this user the following permissions:
    • Add the user to the Authenticated Users off of Root.
    • Allow Enable Account and Remote Enable permissions.
  4. Start the DCOM configuration console and grant the following permissions:
    • Under Launch and Activate Permissions, select the APMuser and grant Remote Launch and Remote Activation permissions. (If the APMuser is missing, you must first add this user.)
    • Under Access Permissions, select the APMuser and grant Remote Access permissions. (If the APMuser is missing, you must first add this user.)
  5. To allow the user created in step 1 (e.g., SAMuser) to access the Win32_Service object remotely, you must grant additional permissions to the authenticated user:
    1. In a command window, type: Sc sdshow scmanager.
      The output should look like this:
      D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    2. Change the first section from (A;;CC;;;AU) to (A;;CCLCRPRC;;;AU). This change adds the following permissions to the authenticated user:
      • LC = ADS_RIGHT_ACTRL_DS_LIST
      • RP = ADS_RIGHT_DS_READ_PROP
      • RC = READ_CONTROL
    3. Set the security permission:
      Sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
      Note: This applies to both machine access and launch and activation.
  6. Verify that you have started the Remote Registry service. (At this point, you should have a non-admin user that is allowed to monitor most of the services, but not all of them.)
  7. Not all services are accessible by authenticated users through a remote connection. The last step to enable the non-administrator user to monitor them is to adapt the non-admin user's security permissions on the remote machine. To do so:
    1. Log on to the remote machine.
    2. In a command window, type: 
      Sc sdshow <servicename>
      The output should look like this:
      D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    3. To make editing easier, copy this string into a text editor such as Notepad.
    4. In the command window, type:
      whoami /USER /FO LIST
      User information is returned, including the user name and SID.
    5. In the text editor, use this SID to construct a new permission section (where x = the SID):
      (A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)
    6. Add it to the service permission string you copied earlier into D: section:
      D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  8. Enter the following into the command window:
    Sc sdset <servicename> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    Note: The proper syntax is “sc sdset <service> <security>” and you should run this command for each service that is not affected by the previous steps.

 

If you want to monitor Performance counters using RPC, refer to this KB article. If you want to use WMI, refer to the following steps:

1.  Create a regular user on the target machine (for example: SAMUser).
2.  Add this user to the Performance Monitor Users and Distributed COM Users groups.
 

 

3.  Start the WMI management console. Right click on the WMI Control (local) and set permissions for the SAMUser you just created.


4.  In the properties dialog box, click the Security tab.
5.  Select Root in the namespace tree and then click Security.


6.  The Security for Root dialog box will appear. Click Advanced.


7.  In Advanced Security Settings for Root, click Add. Add the SAMUser and grant Enable Account and Remote Enable permissions.


8.  Start the DCOM configuration console by typing dcomcnfg through the Run application in the Start menu.
9.  Expand Component Service.
10. Expand Computers and right-click My Computer.
11. Click Properties.


12. Under Launch and Activate Permissions, click Edit Limits.
13. In the Launch and Activate Permission dialog, select APMUser and allow Remote Launch and Remote Activation. (If the user is missing, add the user first.)
14. In My Computer Properties, under Access Permissions, click Edit Limits.
15. In the Access Permission dialog, select APMUser and allow Remote Access. (If the user is missing, add the user first.)


16. To allow SAMUser to access the Win32_Service object remotely, you need to grant some additional permissions to the authenticated user. To do so, refer to the following steps:
    a. In a command window, type: Sc sdshow scmanager
    b. The output should look like this:
       D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    c. Change the first section from (A;;CC;;;AU) to (A;;CCLCRPRC;;;AU). This modification adds the following permissions for the authenticated user:
       • LC = ADS_RIGHT_ACTRL_DS_LIST
       • RP = ADS_RIGHT_DS_READ_PROP
       • RC = READ_CONTROL
    d. Now set the security permission:
       Sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    Note: This applies to both machine access and launch and activation.

17. Check whether you have started the Remote Registry service. (At this point, you should have a non-admin user that is allowed to monitor most of the services, but not all of them.)

18. Not all services are accessible by authenticated users through a remote connection. The last step to enable the non-administrator user to monitor them is to adapt their security permissions as well. To do so, refer to the following steps:

  1. Log on to the remote machine where you want to adapt security permissions for the non-administrator account.
  2. In a command window, type: Sc sdshow <servicename>
  3. The output should look like this: D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  4. To make editing easier, copy this string into Notepad.
  5. Back in the command window, type: whoami /USER /FO LIST
  6. You should get the APMUser SID:

     USER INFORMATION

     User Name: xxxxxx-vm\APMUser
     SID: S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx

  7. Use this SID to construct a new permission section: (A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)
  8. Add it to the D: section of the service permission string you copied earlier:
     D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  9. Now type into the command window:
     Sc sdset <servicename> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note: The proper syntax is “sc sdset <service> <security>” and you should run this command for each service that is not affected by steps 1-17.
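The SDDL edits in steps 5, 7 and 8 of the first procedure (16 and 18 of the screenshot walkthrough) are one operation: grant a trustee rights in a service's DACL while leaving its SACL alone. The Python helper below is an added example, not part of this KB article or of SAM: it tokenizes an sc sdshow string, extends the existing allow ACE for a trustee (AU on scmanager) or appends a new one (the account's SID on an individual service), and prints the matching sc sdset line. The descriptors and SID in the sample run are constructed placeholders, and the script does not call sc.exe itself.

```python
import re

# Service-object meaning of the two-letter SDDL rights used on this page, per
# Microsoft's service security documentation (the KB lists the generic names):
# CC = SERVICE_QUERY_CONFIG, LC = SERVICE_QUERY_STATUS, RP = SERVICE_START,
# RC = READ_CONTROL. LC is the minimum a poller needs to read a service's state.
SDDL_RE = re.compile(r"D:(?P<dacl>(?:\([^)]*\))*)(?:S:(?P<sacl>(?:\([^)]*\))*))?")
ACE_RE = re.compile(r"\(([^)]*)\)")


def tokens(rights):
    """Split an ACE rights field such as 'CCLCRPRC' into two-letter tokens."""
    if rights.startswith("0x") or len(rights) % 2:
        raise ValueError("unsupported rights field: %r" % rights)
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def grant_rights(sddl, trustee, rights):
    """Return the 'sc sdshow' SDDL with RIGHTS granted to TRUSTEE in the DACL.

    A non-inherited allow ACE for the trustee is extended in place (the
    scmanager step); otherwise '(A;;rights;;;trustee)' is appended (the
    per-service step). The SACL ('S:' part) is passed through unchanged."""
    m = SDDL_RE.fullmatch(sddl.strip())
    if not m:
        raise ValueError("not a D:/S: SDDL string from 'sc sdshow'")
    aces = [ace.split(";") for ace in ACE_RE.findall(m.group("dacl"))]
    wanted = tokens(rights)
    for f in aces:  # fields: type;flags;rights;object_guid;inherit_guid;sid
        if f[0] == "A" and f[1] == "" and f[5] == trustee:
            have = tokens(f[2])
            f[2] = "".join(have + [t for t in wanted if t not in have])
            break
    else:
        aces.append(["A", "", "".join(wanted), "", "", trustee])
    out = "D:" + "".join("(%s)" % ";".join(f) for f in aces)
    return out + ("S:" + m.group("sacl") if m.group("sacl") else "")


def sdset_command(service, sddl, trustee, rights="LC"):
    """Build the 'sc sdset' line for one service from its 'sc sdshow' output."""
    return "sc sdset %s %s" % (service, grant_rights(sddl, trustee, rights))


if __name__ == "__main__":
    # Constructed sample: a shortened scmanager descriptor and a placeholder SID.
    scm = "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)"
    print(sdset_command("scmanager", scm, "AU", "LCRPRC"))
    print(sdset_command("Spooler", "D:(A;;CR;;;AU)S:(AU;FA;KA;;;WD)",
                        "S-1-5-21-1111111111-2222222222-3333333333-1001"))
```

Paste the descriptor copied from the target into grant_rights and run the printed line in the command window; because rights already present are merged rather than duplicated, running it again on an already-updated service changes nothing.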

 

Screenshots property of © 2016 Microsoft.

 

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any. 

 

 
