?
Solved

wmic remote access permission

Posted on 2014-03-20
3
Medium Priority
?
425 Views
Last Modified: 2014-03-24
Hi Experts,

I would like to control who can use wmic against remote computers, ideally i would like to take out the remote access permission for local administrator group on a remote host. I tried to modify the security setting in WMI control mmc but no joy. please help.

Thanks
0
Comment
Question by:nokyplease
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
gurutc earned 2000 total points
ID: 39941982
Hi,

To get to the permissions dialog you need to run DComCnfg.exe.

Per Micosoft this is how you add, but also the same works for removing:

The following procedure describes how to manage DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.

To grant DCOM remote launch and activation permissions for a user or group

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Launch and Activation Permissions, click Edit Limits.
    In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
        In the Launch Permission dialog box, click Add.
        In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.
    In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

To grant DCOM remote access permissions

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Access Permissions, click Edit Limits.
    In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Good Luck,
- gurutc
0
 

Author Comment

by:nokyplease
ID: 39944431
I have other groups like everyone, performance log users and distributed com users as well as anonymous logon. Can I remove all the remote access of these groups? Will that screw up things in a domain network?
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 2000 total points
ID: 39944943
I'd take everyone and anonymous out of the remote wmi for sure.  As log as performance log users  and distributed com users have no members you can leave them or remove them.  I think you can remove them without issue though.  

Try it on one PC first to test that it works for your purpose and that it doesn't break anything.

- gurutc
0

Featured Post

Video: Liquid Web Managed WordPress Comparisons

If you run run a WordPress, you understand the potential headaches you may face when updating your plugins and themes. Do you choose to update on the fly and risk taking down your site; or do you set up a staging, keep it in sync with your live site and use that to test updates?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question