Solved

wmic remote access permission

Posted on 2014-03-20
3
410 Views
Last Modified: 2014-03-24
Hi Experts,

I would like to control who can use wmic against remote computers, ideally i would like to take out the remote access permission for local administrator group on a remote host. I tried to modify the security setting in WMI control mmc but no joy. please help.

Thanks
0
Comment
Question by:nokyplease
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
gurutc earned 500 total points
ID: 39941982
Hi,

To get to the permissions dialog you need to run DComCnfg.exe.

Per Micosoft this is how you add, but also the same works for removing:

The following procedure describes how to manage DCOM remote startup and activation permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to execute DCOM startup and activation calls on Computer B.

To grant DCOM remote launch and activation permissions for a user or group

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Launch and Activation Permissions, click Edit Limits.
    In the Launch Permission dialog box, follow these steps if your name or your group does not appear in the Groups or user names list:
        In the Launch Permission dialog box, click Add.
        In the Select Users, Computers, or Groups dialog box, add your name and the group in the Enter the object names to select box, and then click OK.
    In the Launch Permission dialog box, select your user and group in the Group or user names box. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.

The following procedure describes how to grant DCOM remote access permissions for certain users and groups. If Computer A is connecting remotely to Computer B, you can set these permissions on Computer B to allow a user or group that is not part of the Administrators group on Computer B to connect to Computer B.

To grant DCOM remote access permissions

    Click Start, click Run, type DCOMCNFG, and then click OK.
    In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
    In the My Computer Properties dialog box, click the COM Security tab.
    Under Access Permissions, click Edit Limits.
    In the Access Permission dialog box, select ANONYMOUS LOGON name in the Group or user names box. In the Allow column under Permissions for User, select Remote Access, and then click OK.

Good Luck,
- gurutc
0
 

Author Comment

by:nokyplease
ID: 39944431
I have other groups like everyone, performance log users and distributed com users as well as anonymous logon. Can I remove all the remote access of these groups? Will that screw up things in a domain network?
0
 
LVL 16

Assisted Solution

by:gurutc
gurutc earned 500 total points
ID: 39944943
I'd take everyone and anonymous out of the remote wmi for sure.  As log as performance log users  and distributed com users have no members you can leave them or remove them.  I think you can remove them without issue though.  

Try it on one PC first to test that it works for your purpose and that it doesn't break anything.

- gurutc
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question