This article is for educational purposes only. SolarWinds Technical Support cannot assist with the creation of a least privileged Windows user account, nor the assignment of permissions to such a user account. For assistance configuring Microsoft Windows’ user account permissions, please refer to Microsoft Technical Support at: http://support.microsoft.com/contactus/). (© 2016 Microsoft, available at https://support.microsoft.com, obtained on June 20, 2016.)
For troubleshooting purposes, you may be asked by SolarWinds support to utilize a local or domain administrator account solely to eliminate possible permissions related issues as the cause of polling errors.
These are the requirements to monitor performance counters using WMI. If you want to monitor Performance counters using RPC, refer to this KB article - User Permissions for Windows Performance Counters over RPC.
If you want to monitor Performance counters using RPC, refer to this KB article. If you want to use WMI, refer to the following steps:
1. Create a regular user on the target machine (for example: SAMUser).
2. Add this user into the Performance Monitor Users and Distributed COM Users groups.
3. Start the WMI management console. Right click on the WMI Control (local) and set permissions for the SAMUser you just created.
4. In the properties dialog box, click the Security tab.
5. Select Root in the namespace tree and then click Security.
6. The Security for Root dialog box will appear. Click Advanced.
7. In Advance Security Setting for Root, click Add. Add the SAMUser and grant Enable Account and Remote Enable permissions.
8. Start the DCOM configuration console by typing dcomcnfg through the Run application in the Start menu.
9. Expand Component Service.
10. Expand Computers and right-click My Computer.
11. Click Properties.
12. Under Launch and Activate Permissions, click Edit Limits.
13. In the Launch and Activate Permission dialog, select APMUser and allow him Remote launch and Remote Activation. (If the user is missing, add him first).
14. In My Computer Properties, click Edit Limits under the Access Permissions button.
15. In the Access Permission dialog, select APMUser and allow him Remote Access. (If the user is missing, add him first).
16. To allow SAMUser access to the Win32_Service object remotely, you need to give some additional permissions to the authenticated user. To do so, refer to the following steps: a. In a command window, type: Sc sdshow scmanager.
b. The output should look like this:
c. You need change the first section from (A;;CC;;;AU) to (A;;CCLCRPRC;;;AU). This modification will add to the authenticated user the following permissions:
d. Now set the security permission: Sc sdset scmanager D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD).
Note: This applies to both machine access and launch and activation.
17. Check to see if you have started the Remote Registry service. (At this point, you should have a non admin user which is allowed to monitor most of the services, but not all of them.)
18. Not all services are accessible by authenticated users through remote connection. The last step to enable non-administrator user to be able monitor them is to adapt their security permissions as well. To do so, refer to the following steps:
User Name: xxxxxx-vm\APMUser
3. Now type into the command window:
Sc sdset <servicename> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CR;;;AU)(A;;LC;;;S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note: The proper syntax is “sc sdset <service> <security>” and you should run this command for each service which is not affected by steps 1-17.
Screenshots property of © 2016 Microsoft.
Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.