Solved

wmic remote access permission

Posted on 2014-03-20
3
403 Views
Last Modified: 2014-03-24
Hi Experts,

I would like to control who can use wmic against remote computers, ideally i would like to take out the remote access permission for local administrator group on a remote host. I tried to modify the security setting in WMI control mmc but no joy. please help.

Thanks
0
Comment
Question by:nokyplease
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
gurutc earned 500 total points
Comment Utility
Hi,

To get to the permissions dialog you need to run DComCnfg.exe.

Per Micosoft this is how you add, but also the same works for removing:

The following procedure describes how to manage DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.

To grant DCOM remote launch and activation permissions for a user or group

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Launch and Activation Permissions, click Edit Limits.
    In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
        In the Launch Permission dialog box, click Add.
        In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.
    In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

To grant DCOM remote access permissions

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Access Permissions, click Edit Limits.
    In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Good Luck,
- gurutc
0
 

Author Comment

by:nokyplease
Comment Utility
I have other groups like everyone, performance log users and distributed com users as well as anonymous logon. Can I remove all the remote access of these groups? Will that screw up things in a domain network?
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 500 total points
Comment Utility
I'd take everyone and anonymous out of the remote wmi for sure.  As log as performance log users  and distributed com users have no members you can leave them or remove them.  I think you can remove them without issue though.  

Try it on one PC first to test that it works for your purpose and that it doesn't break anything.

- gurutc
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now