Problem rights Win32_Service
Hello,
I do Windows monitoring via WMI. I have no problem as long as I log a user with admin (local or domain). For obvious security reasons, I would like to create a non-admin user could only read the attributes of WMI classes. So I created this user, and I assigned the necessary rights via 'wmimgmt' and 'dcomcfng' on the Windows server.
I use the tool wmic (Linux utility) that works very well. Here is the syntax I use:
Quote:
wmic-U domain / useradmin% password / / 192.168.1.1 "select * from Win32_Service"
No problems, everything works. The idea is to go like this:
Quote:
wmic-U domain / non-user-admin% password / / 192.168.1.1 "select * from Win32_Service"
Of course this does not work properly
I said that I can recover some instances of classes in non-admin, for example:
Quote:
wmic-U domain / non-user-admin% password / / 192.168.1.1 "select * from Win32_Process"
returns the values expected.
Leafing on msdn read I thought that for some classes, the user should have the privilege "SC_MANAGER_CONNECT to" enabled. I have a little hard to understand because it seems that any authenticated user have this privilege (or so I misunderstood ...).
In case I misunderstood, how to assign a user that right?
Thank you for your help..
Re: Problem rights Win32_Service
You can have a track overhere:
http://msdn.microsoft.com/en-us/libr...81(VS.85).aspx
http://support.microsoft.com/kb/179249
A security descriptor is associated with the SCM. The DACL associated with the SCM identifies the users and groups allowed or denied access to it. When a process attempts to obtain a handle to the SCM, Windows NT Security determines whether or not the process has the requested access. The OpenSCManager API is used to obtain a handle to the SCM. If the user is granted the requested access to the SCM, the system returns a valid handle. If the request is denied, NULL is returned and the error code will be number 5, "Access is denied" (ERROR_ACCESS_DENIED).
Re: Problem rights Win32_Service
Hello,
thank you for your reply.
I had already watched a few of these two links, but found nothing except the famous
Quote:
User or Group | Access granted
-------------------------------------------------- ---------------
- Authenticated Users | SC_MANAGER_CONNECT --
(in passing the automatic translation of Microsoft is not top: s)
I also find it on another site:
Quote:
SC_MANAGER_CONNECT the flag is placed by default
I know what to do anymore, I see no or modify this flag (which is supposed to be placed by default) for a user ....
Re: Problem rights Win32_Service
There is one thing I do, are you on Linux or Windows?
Your solution is dedicated to the Windows platform?
Re: Problem rights Win32_Service
So actually I'm Newbie (therefore Linux) as a platform for monitoring.
I do WQL query WMI from a client that runs under Linux (Ubuntu).
This customer is wmic (the syntax is given in the first post).
I said that the result is the same if I use remote wbemtest.exe in with my non-admin user:
Quote: Number: 0x80041001
Facility: WMI
Description: Generic failure)
therefore it is a rights issue. If I spend my user in the admin group, the application works fine (with wbemtest and wmic with my client for Linux).
To complete a little, to get to class without being Win32_PerfRawData_NTDS_NTDS admin, I add my user in group "Performance Monitor User. So I try to play a little on the panel "Authentificated Users" but without success (lack of Windows OS).
Thanks for your interest in my problem.