Solved

wmic remote access permission

Posted on 2014-03-20
3
419 Views
Last Modified: 2014-03-24
Hi Experts,

I would like to control who can use wmic against remote computers, ideally i would like to take out the remote access permission for local administrator group on a remote host. I tried to modify the security setting in WMI control mmc but no joy. please help.

Thanks
0
Comment
Question by:nokyplease
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
gurutc earned 500 total points
ID: 39941982
Hi,

To get to the permissions dialog you need to run DComCnfg.exe.

Per Micosoft this is how you add, but also the same works for removing:

The following procedure describes how to manage DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.

To grant DCOM remote launch and activation permissions for a user or group

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Launch and Activation Permissions, click Edit Limits.
    In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
        In the Launch Permission dialog box, click Add.
        In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.
    In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

To grant DCOM remote access permissions

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Access Permissions, click Edit Limits.
    In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Good Luck,
- gurutc
0
 

Author Comment

by:nokyplease
ID: 39944431
I have other groups like everyone, performance log users and distributed com users as well as anonymous logon. Can I remove all the remote access of these groups? Will that screw up things in a domain network?
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 500 total points
ID: 39944943
I'd take everyone and anonymous out of the remote wmi for sure.  As log as performance log users  and distributed com users have no members you can leave them or remove them.  I think you can remove them without issue though.  

Try it on one PC first to test that it works for your purpose and that it doesn't break anything.

- gurutc
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question