I need to query some WMI classes on servers that I do not have permissions on. Here is the error I get when I run it.
PS> get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_OperatingSystem
get-ciminstance : Access is denied.
At line:1 char:1
+ get-ciminstance -ComputerName test.mydomain.com -ClassName Win32_Operating ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (root\cimv2:Win32_OperatingSystem:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : test.mydomain.com
Right now the server has PowerShell 2, so it uses DCOM, but I will get PowerShell upgraded and configured to allow WSMAN connections.
But what are the permissions that need to be granted to the account?
By default, Administrators (local) and Authenticated Users (domain) have at least read rights to the namespace. You need to ensure you can login/authenticate to the server. It's worth mentioning that the Authenticated Users group does not have Remote Enable permission by default.
The Windows OS uses WinRM for CIM cmdlets and the user account needs to be an administrator. WinRM makes a local group called WinRMRemoteWMIUsers__ and gives access to just the Administrators group and WinRMRemoteWMIUsers__. To add a user to that group use the following command:
net localgroup WinRMRemoteWMIUsers__ /add "domain\user"
The abstract answer is simply that you need to be granted Enable Account and Remote Enable permissions to the Namespace to have WMI read rights remotely.
Process to Verify WMI Permissions
Log in to the server and launch mmc.exe. Add the WMI snap-in and, once it loads, right-click on WMI Control. When the Properties window opens, click Security, expand root and select cimv2. Click the Security button and view who is granted access and what access is granted.
Script to Test w/ DCOM
If you want to test using DCOM, or need to because the server OS is too old, use this script:
$Computer = 'thisbox.domain.com'  # quoted so PowerShell treats it as a string, not a command
$CimOption = New-CimSessionOption -Protocol Dcom
$CimSession = New-CimSession -ComputerName $Computer -SessionOption $CimOption
Get-CimInstance -ClassName win32_operatingsystem -CimSession $CimSession
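The namespace check described under "Process to Verify WMI Permissions" can also be done from a prompt. The following is an added example, not part of the original answer: it reads the namespace security descriptor and shows which trustees hold Enable Account and Remote Enable. The function name `Get-WmiNamespaceRemoteRights` is hypothetical, and the script assumes it is run locally on the server in an elevated session; it uses the older WMI cmdlets so it also works on PowerShell 2.

```powershell
# Added example: list who holds Enable Account / Remote Enable on a WMI namespace.
# Get-WmiNamespaceRemoteRights is a hypothetical helper name.
function Get-WmiNamespaceRemoteRights {
    param([string]$Namespace = 'root\cimv2')

    # WMI namespace access-mask bits for the two rights named in the answer.
    $EnableAccount = 0x1     # WBEM_ENABLE
    $RemoteEnable  = 0x20    # WBEM_REMOTE_ACCESS

    # __SystemSecurity is a singleton in every namespace and exposes its ACL.
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($result.ReturnValue)"
    }

    foreach ($ace in $result.Descriptor.DACL) {
        $t = $ace.Trustee
        # Fall back to the SID when the account name cannot be resolved.
        if ($t.Name -and $t.Domain) { $who = "$($t.Domain)\$($t.Name)" }
        elseif ($t.Name)            { $who = $t.Name }
        else                        { $who = $t.SIDString }

        # AceType 0 = allow, 1 = deny; AceFlags bit 0x10 = inherited from parent.
        $kind = 'Allow'
        if ($ace.AceType -eq 1) { $kind = 'Deny' }
        $mask = [int]$ace.AccessMask

        New-Object PSObject -Property @{
            Trustee       = $who
            AceType       = $kind
            EnableAccount = (($mask -band $EnableAccount) -ne 0)
            RemoteEnable  = (($mask -band $RemoteEnable) -ne 0)
            Inherited     = (($ace.AceFlags -band 0x10) -ne 0)
        } | Select-Object Trustee, AceType, EnableAccount, RemoteEnable, Inherited
    }
}

Get-WmiNamespaceRemoteRights -Namespace 'root\cimv2' | Format-Table -AutoSize
```

An account needs an Allow entry (directly or through a group) with both columns true, and no matching Deny entry. This covers the namespace ACL only; DCOM and WinRM access are controlled separately.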
Go to Control Panel > User Accounts > Manage User > New User, and log in to the new user. Automatically all Windows settings will be installed, then change the airplane mode to on. The setting will reflect on the previous user. Enjoy!!
User contributions licensed under CC BY-SA 3.0