What are the permissions required for CIMSessions

Question

What are the permissions required for CIMSessions

I need to query some WMI classes on Servers that I do not have permissions. Here is the error I get when I run it.

PS> get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_OperatingSystem
get-ciminstance : Access is denied.
At line:1 char:1
+ get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_Operating ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070005,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
    + PSComputerName        : test.mydomain.com

Right now server has PowerShell 2, so it uses DCOM but I will get the PowerShell upgraded and configured to allow WSMAN connections.

But what are the permissions that need to be granted to the account?

powershell

asked on Stack Overflow Oct 9, 2013 by

Adil Hindistan

2 Answers

By default, Administrators (local) and Authenticated Users (domain) have at least read rights to the namespace. You need to ensure you can login/authenticate to the server. It's worth mentioning that the Authenticated Users group does not have Remote Enable permission by default.

The Windows OS uses WinRM for CIM cmdlets and the user account needs to be an administrator. WinRM makes a local group called WinRMRemoteWMIUsers_ and gives access to just the Administrators group and WinRMRemoteWMIUsers_. To add a user to that group use the following command:

net localgroup WinRMRemoteWMIUsers__ /add "domain\user"

The abstract answer is simply that you need to be granted Enable Account and Remote Enable permissions to the Namespace to have WMI read rights remotely.

Process to Verify WMI Permissions

Login to the server and launch mmc.exe. Add the WMI snapin and once it loads, right click on WMI Control. When the Properties window opens, click security, expand root and select cimv2. Click the security button and view who is granted access and what access is granted.

Script to Test w/ DCOM

If you want to test using DCOM, or need to because the server OS is too old, use this script:

$Computer = thisbox.domain.com
$CimOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -ComputerName $Computer -SessionOption $CimOption

Get-CimInstance -ClassName win32_operatingsystem -CimSession $CimSession

answered on Stack Overflow Oct 9, 2013 by

Colyn1337 • edited Oct 16, 2013 by

Colyn1337

Go to Control Panel > User Accounts > Managae User > New USer , login to new user. Automatically all windows settings will be install then change the airplane mode to on . Setting will reflect on previous user. Enjoy!!

answered on Stack Overflow Feb 16, 2016 by

Arvi Bhatia

User contributions licensed under CC BY-SA 3.0