Powershell – In Powershell, how to check drive space on remote server with non-admin account

Tags: powershell, remote-access, wmi

I work in an active directory environment with many servers. I have a user account that I would like to use to check the status of other servers, without giving this account full administrative access to these other servers. Specifically, I want to check the drive space on these servers, and I'd like to do it with Powershell.

I have executed Enable-PSRemoting on the target server, and I can successfully invoke Get-PSDrive on them remotely using administrator credentials. The results are returned almost immediately, and include information about the used / free space on all drives.

However, when I run the same command (Invoke-Command -computer remoteserver1 {Get-PSDrive -PSProvider FileSystem}) as the non-administrative user, the results come back very slowly (takes about 30 seconds), and none of the drives have any information about their used / free space.

What I have done so far:

  • I have added the non-administrative user account to the Remote Management Users group on the target server.
  • Edited SDDL for scmanager (on the target server) to add the same DiscretionaryACL for Remote Management Users as Built-in Administrators have.
  • Per this post, I have granted this user WMI permissions in wmimgmt.exe > WMI Control (Local) > (right click) > Properties > Security tab > Expand 'Root' > click on SECURITY node > click 'Security' button > added non-admin user with full access.
  • Added user to the Distributed COM Users group on the target server.

Some also suggested trying Invoke-Command -computer remoteserver1 {Get-WmiObject -Class Win32_MappedLogicalDisk} to troubleshoot, but it comes back 'Access is denied.' I believe if I could get Get-WmiObject working successfully for this limited user, it would solve my issue.

What should I do to get this limited user account the access it needs to check drive space on other servers, without giving the account admin rights, and preferably without having to map and unmap any drives?

Best Answer

To allow a non-administrative account to execute the necessary Powershell commands to return information about drive space on a remote server, complete the following steps (as a server/domain admin) on the target server.

  1. Enable-PSRemoting - Google this if you need further explanation.

  2. Click Start > Run..., type lusrmgr.msc and click OK

  3. Click on the Groups folder.

  4. Double-click on Remote Management Users group, and add the non-admin user account. Click OK.

  5. Double-click on Distributed COM Users group, and add the non-admin user account. Click OK.

Configure DCOM security settings

  1. Click Start > Run..., type dcomcnfg and click OK

  2. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties.

  3. Click the COM Security tab.

  4. Click Edit Limits in the "Access Permissions" section. Make sure "Distributed COM Users" group has boxes checked for both Local Access and Remote Access. Click OK.

  5. Click Edit Limits in the "Launch and Activation Permissions" section. Make sure all four 'Allow' boxes are checked for "Distributed COM Users" group. Click OK.

Configure WMI Control security settings.

  1. Click Start > Run..., type wmimgmt.msc and click OK.

  2. Right-click WMI Control (Local) to bring up the menu, and click Properties.

  3. Click on the Security tab, then click Root, and click the Security button at the bottom of the dialog.

  4. Click Add... and add the local Distributed COM Users group.

  5. Click Advanced.

  6. Highlight the row with Distributed COM Users in it and click 'Edit' button.

  7. From the "Applies to" drop-down list, select "This namespace and subnamespaces"

  8. Under the Allow column check "Execute Methods", "Enable Account", and "Remote Enable"

  9. Click OK to exit out of dialog windows.

Restart the WinRM (Windows Remote Management) service.

Please comment below if you have any feedback about security concerns, or how to improve least privilege access.

Hat tip to this link for guidance: https://helpdesk.kaseya.com/hc/en-gb/articles/229043428-Configuring-a-regular-non-admin-user-account-for-WMI-monitoring
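The group-membership steps and a check of the WMI Root namespace ACL from the answer above, as an added example that is not part of the original answer. It assumes an elevated Windows PowerShell 5.1 session on the target server; `CONTOSO\svc-diskmon` is a placeholder account name.

```powershell
# Added example. Run elevated on the target server in Windows PowerShell 5.1.
# 'CONTOSO\svc-diskmon' is a placeholder for the non-admin monitoring account.
$Account = 'CONTOSO\svc-diskmon'
$Groups  = 'Remote Management Users', 'Distributed COM Users'

# Group steps: add the account to both local groups if it is not already a member.
foreach ($group in $Groups) {
    $member = Get-LocalGroupMember -Group $group | Where-Object Name -eq $Account
    if (-not $member) { Add-LocalGroupMember -Group $group -Member $Account }
}

# WMI rights named in the answer, as WBEM access-mask bits.
$Wanted = 0x01 -bor 0x02 -bor 0x20   # Enable Account, Execute Methods, Remote Enable
$ContainerInherit = 0x02             # ACE flag set by "This namespace and subnamespaces"

# Read the Root namespace security descriptor and collect the group's allow ACEs.
$sd   = (Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
$aces = @($sd.DACL | Where-Object {
    $_.Trustee.Name -eq 'Distributed COM Users' -and $_.AceType -eq 0
})

# Combine the masks of all matching ACEs, then compare with the intended grant.
$mask = 0
foreach ($ace in $aces) { $mask = $mask -bor $ace.AccessMask }
$diff = $mask -bxor $Wanted          # bits that differ from the intended grant

[pscustomobject]@{
    Account       = $Account
    AceCount      = $aces.Count
    Subnamespaces = [bool]($aces | Where-Object { $_.AceFlags -band $ContainerInherit })
    MissingRights = '0x{0:X}' -f ($Wanted -band $diff)   # 0x0 when all three rights are granted
    ExtraRights   = '0x{0:X}' -f ($mask -band $diff)     # non-zero: more than the answer grants
}

# Final step of the answer.
Restart-Service -Name WinRM
```

A non-zero `ExtraRights` value means the group holds more WMI rights than the three the answer lists, which is worth reviewing for least privilege. Afterwards, re-run the `Invoke-Command ... {Get-PSDrive -PSProvider FileSystem}` call from the question as the non-admin user to confirm that used and free space are returned.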