Friday, June 13, 2008

Minimal rights to remotely monitor performance by WMI

I tried to write a VBScript to monitor several memory performance counters on some Windows 2003 domain member servers, and send me an email if any counter is above or below its threshold. The script itself is simple, but I don't want to assign Administrators permission to the service account which schedules and runs this script. So below are the minimal rights I found to meet this requirement:
 
1. I created an AD group, mydomain\Performance Monitor Users, and then added the service account to the group.
 
2. To monitor performance locally, you just need to add the AD group to the built-in local group, Performance Monitor Users, on the servers to be monitored, e.g. mycomputer1.
 
3. To remotely access the performance counters by WMI, you must have remote permissions for DCOM and WMI namespaces. Microsoft has an article to explain it in detail (http://msdn.microsoft.com/en-us/library/aa393266(VS.85).aspx). Below is a straightforward implementation.
 
3.1 Add "mydomain\Performance Monitor Users" to the built-in local group, Distributed COM Users, on mycomputer1.
 
3.2 On mycomputer1, open the Computer Management console, expand the Services and Applications tree, double-click the WMI Control, right-click the WMI Control icon, choose Properties, and then select the Security tab. Here you can see all the namespaces. Usually you just need to grant the Enable Account and Remote Enable permissions on Root\CIMV2 to mydomain\Performance Monitor Users.
 
3.3 The default permission is set as "This namespace only". But my Windows 2003 SP1 server can only display the Root namespace, not any of its subnamespaces. In such a case, I have to configure the advanced security permissions to be "This namespace and all subnamespaces".
 
3.4 All the memberships and permissions on mycomputer1 are set for "mydomain\Performance Monitor Users". This way I can easily control which user accounts in the AD group will have the permissions described in this article. If you set the WMI remote access for a local user account or group, e.g. Performance Monitor Users, someone else might add other user accounts to Performance Monitor Users later to obtain more rights. It could be a security hole and a nightmare if you've got many member servers in your domain.
 
4. In this last step, I scheduled a task to run the script on a central server to collect performance data, but it could not be started! The reason was that "mydomain\Performance Monitor Users" didn't have Read and Execute permission for cmd.exe. After assigning this permission to both cmd.exe and the script file, my script ran perfectly.
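
A way to check the rights from steps 2 to 3.3 by running a query as the service account. This is an added example, not the script from the original post; the thresholds are constructed values, and the host name mycomputer1 is the one used above. The exit codes (0 OK, 1 threshold breached, 2 access failure) are an assumption of this example.

```vbscript
' Added example: remote memory-counter check, run as the low-privilege service account.
' Maps common connection errors back to the permission steps in this post.
Option Explicit

Const TARGET = "mycomputer1"        ' server name used in the post
Const MIN_AVAILABLE_MB = 200        ' constructed threshold
Const MAX_PAGES_PER_SEC = 1000      ' constructed threshold
Const QUERY = "SELECT AvailableMBytes, PagesPersec FROM Win32_PerfFormattedData_PerfOS_Memory"

Dim svc, items, item, breached

Sub Fail(context)
    ' Err.Number is a signed Long, so compare its hex form.
    Select Case Hex(Err.Number)
        Case "80070005"
            WScript.Echo context & ": DCOM access denied. Check Distributed COM Users membership (step 3.1)."
        Case "80041003"
            WScript.Echo context & ": WMI access denied. Check Enable Account and Remote Enable on Root\CIMV2 (step 3.2)."
        Case "800706BA"
            WScript.Echo context & ": RPC server unavailable. Host down or firewall blocking DCOM."
        Case Else
            WScript.Echo context & ": error 0x" & Hex(Err.Number) & " " & Err.Description
    End Select
    WScript.Quit 2
End Sub

On Error Resume Next
Set svc = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & TARGET & "\root\cimv2")
If Err.Number <> 0 Then Fail "Connect"

' Flag 0 (wbemFlagReturnWhenComplete) makes ExecQuery raise errors here, not during enumeration.
Set items = svc.ExecQuery(QUERY, "WQL", 0)
If Err.Number <> 0 Then Fail "Query"
On Error GoTo 0

If items.Count = 0 Then
    WScript.Echo "No counter data returned. Check Performance Monitor Users membership (step 2)."
    WScript.Quit 2
End If

breached = False
For Each item In items
    WScript.Echo TARGET & ": AvailableMBytes=" & item.AvailableMBytes & " PagesPersec=" & item.PagesPersec
    If CLng(item.AvailableMBytes) < MIN_AVAILABLE_MB Then breached = True
    If CLng(item.PagesPersec) > MAX_PAGES_PER_SEC Then breached = True
Next

If breached Then WScript.Echo "Threshold breached on " & TARGET : WScript.Quit 1
WScript.Quit 0
```

Run it with cscript.exe under the service account (for example via the scheduled task) so the result reflects that account's rights rather than your own.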