RVY200347: Required Permissions for a Zero Touch Inventory of Windows Devices

1. General Information

This document describes the permission standard for an Inventory Service User account (domain or local) or a specified group (domain or local) that needs scanning permission for the Zero Touch Windows scanning technology.

2. User Specifications

Option 1: Use a local Administrator account

This is the highest permission level.

The user account needs to be a member of the local Administrators group. Local administrators usually have full permissions to WMI. Such a user needs to be created, granted the membership and rolled out to every target device in scope.

Option 2: Create an Inventory Service user account with dedicated permissions

This is the least privilege approach.

To grant dedicated permissions to the specified Service User or Group, the following needs to be configured on every target device in scope:

Group Membership

The User or Group needs to be a member of the following local groups (well-known SID in parentheses):

  • Performance Monitor Users (S-1-5-32-558)
  • Distributed COM Users (S-1-5-32-562)
  • Remote Management Users (S-1-5-32-580), not needed on Windows 7 and its counterparts

Hint: Windows Domain Controllers use domain groups only. Therefore the designated Inventory Service User needs to be a member of the corresponding domain groups.
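The following PowerShell script is an added example and not part of the original article. It adds the inventory account to the three groups listed above, addressing each group by its well-known SID rather than by name so that it also works on localized Windows installations, and skips S-1-5-32-580 where it does not exist (Windows 7 and its counterparts). The account name is a constructed placeholder; the Hyper-V Administrators SID mentioned in the comment (S-1-5-32-578) is the well-known SID of that group and is needed only on Hyper-V hosts, as described further down in this article.

```powershell
# Added example, not part of the original article: adds an inventory service
# account (or group) to the built-in groups required for a dedicated scan
# account. Groups are addressed by well-known SID and resolved to their
# (possibly localized) name. Run elevated on the target device.

param(
    [string]$Member = 'CONTOSO\svc-inventory'   # placeholder: DOMAIN\name or a local account name
)

# Well-known SIDs of the required groups. S-1-5-32-580 does not exist on
# Windows 7 and its counterparts and is skipped when it cannot be resolved.
$RequiredGroupSids = @(
    'S-1-5-32-558',   # Performance Monitor Users
    'S-1-5-32-562',   # Distributed COM Users
    'S-1-5-32-580'    # Remote Management Users
)
# On Hyper-V hosts the article additionally requires membership in
# Hyper-V Administrators, well-known SID S-1-5-32-578; add it to the list there.

function Resolve-LocalGroupName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        # Translate() yields e.g. "BUILTIN\Performance Monitor Users"; keep the group part only
        return ($id.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    } catch {
        return $null   # SID unknown on this OS (e.g. S-1-5-32-580 on Windows 7)
    }
}

function Add-InventoryGroupMembership {
    param([string]$Account, [string[]]$GroupSids)

    # ADSI path of the member: WinNT://DOMAIN/name; local accounts use the computer name
    $parts = $Account -split '\\', 2
    if ($parts.Count -eq 2) { $memberPath = "WinNT://$($parts[0])/$($parts[1])" }
    else                    { $memberPath = "WinNT://$env:COMPUTERNAME/$Account" }

    foreach ($sid in $GroupSids) {
        $groupName = Resolve-LocalGroupName $sid
        if (-not $groupName) {
            Write-Warning "Group $sid is not available on this system; skipped"
            continue
        }
        $group = [ADSI]"WinNT://./$groupName,group"
        try {
            $group.Add($memberPath)
            Write-Output "Added $Account to '$groupName' ($sid)"
        } catch {
            # Re-running the script must not fail on groups that are already correct
            if ($_.Exception.Message -match 'already a member') {
                Write-Output "$Account is already a member of '$groupName' ($sid)"
            } else {
                throw
            }
        }
    }
}

Add-InventoryGroupMembership -Account $Member -GroupSids $RequiredGroupSids
```

The ADSI WinNT provider is used instead of Add-LocalGroupMember because it is also available on Windows 7, where the LocalAccounts module is not. On a domain controller the script does not apply; there the account is added to the corresponding domain groups as the hint above states.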

Required permissions on the target device

The following permissions on the WMI namespaces should be granted to the specified user or group:

Common WMI permissions

Namespace       Permissions       Inheritance
\root           Enable Account    No
                Remote Enable
\root\cimv2     Enable Account    Yes
                Execute Methods
                Remote Enable
                Read Security

WMI permissions for MS SQL Servers

Namespace                  Permissions       Inheritance
\root\Microsoft\SqlServer  Enable Account    Yes
                           Execute Methods
                           Remote Enable
                           Read Security

WMI permissions for MS SQL Server version <= 2000

Namespace                                        Permissions       Inheritance
\root\Microsoft\SqlServer\MSSQL_Server           Enable Account    Yes
                                                 Execute Methods
                                                 Remote Enable
                                                 Read Security
\root\Microsoft\SqlServer\MSSQL_RegistrySetting  Enable Account    Yes
                                                 Execute Methods
                                                 Remote Enable
                                                 Read Security

WMI permissions for MS SQL Server version >= 2005

Namespace                                       Permissions       Inheritance
\root\Microsoft\SqlServer\ComputerManagementVV  Enable Account    Yes
                                                Execute Methods
                                                Remote Enable
                                                Read Security

(VV is the major version number of SQL Server.)

WMI permissions for Hyper-V

Namespace                Permissions       Inheritance
\root\virtualization     Enable Account    Yes
                         Execute Methods
                         Remote Enable
                         Read Security
\root\virtualization\v1  Enable Account    Yes
                         Execute Methods
                         Remote Enable
                         Read Security
\root\virtualization\v2  Enable Account    Yes
                         Execute Methods
                         Remote Enable
                         Read Security
\root\MSCluster          Enable Account    Yes
                         Execute Methods
                         Remote Enable
                         Read Security

Local group for Hyper-V

For a full Hyper-V inventory to work, the inventory user needs to be a member of the following local group on all Hyper-V hosts:

  • Hyper-V Administrators

Permissions for Windows Services

To get a full inventory including Windows Services, the user needs to have the following permissions on the services:

  • QueryStatus
  • QueryConfig
  • Interrogate
  • EnumerateDependents
  • Start
  • ReadPermissions

For full SQL Server details, the permissions on Windows Services described above are needed as well.
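The following PowerShell script is an added example and not part of the original article. It grants exactly the six service rights listed above to an account on one service by editing the service's security descriptor with sc.exe sdshow and sc.exe sdset, and then verifies the result by parsing the descriptor. The SDDL right letters used are the documented ones (CC = QueryConfig, LC = QueryStatus, SW = EnumerateDependents, RP = Start, LO = Interrogate, RC = ReadPermissions); the account and service names are constructed placeholders.

```powershell
# Added example, not part of the original article: grants QueryStatus,
# QueryConfig, Interrogate, EnumerateDependents, Start and ReadPermissions on
# one Windows service to an account, then verifies the descriptor. Run
# elevated on the target device.

$Account     = 'CONTOSO\svc-inventory'   # placeholder
$ServiceName = 'MSSQLSERVER'             # placeholder: repeat for each service to inventory

# Numeric form of the same six rights, used to verify the descriptor:
# SERVICE_QUERY_CONFIG 0x1 | SERVICE_QUERY_STATUS 0x4 | SERVICE_ENUMERATE_DEPENDENTS 0x8 |
# SERVICE_START 0x10 | SERVICE_INTERROGATE 0x80 | READ_CONTROL 0x20000
$RequiredMask = 0x1 -bor 0x4 -bor 0x8 -bor 0x10 -bor 0x80 -bor 0x20000

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe is called explicitly; in PowerShell 'sc' alone is the Set-Content alias
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $($out -join ' ')" }
    return ($out | Where-Object { $_ -match '^D:' } | Select-Object -First 1)
}

function Test-ServiceInventoryAccess {
    param([string]$Sddl, [string]$Sid)
    # Parse the SDDL and look for an allow ACE of the account that covers every required bit
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid -and
            (($ace.AccessMask -band $RequiredMask) -eq $RequiredMask)) {
            return $true
        }
    }
    return $false
}

function Grant-ServiceInventoryAccess {
    param([string]$Name, [string]$Acct)
    $sid  = (New-Object System.Security.Principal.NTAccount $Acct).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = Get-ServiceSddl $Name
    if (Test-ServiceInventoryAccess $sddl $sid) {
        return "$Name : $Acct already holds the required rights"
    }
    # Append the allow ACE at the end of the DACL; an existing SACL part ('S:...') is kept as is
    $dacl, $sacl = $sddl -split '(?=S:)', 2
    $newSddl = "$dacl(A;;CCLCSWRPLORC;;;$sid)$sacl"
    & sc.exe sdset $Name $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $Name failed" }
    # Read the descriptor back rather than trusting the exit code
    if (-not (Test-ServiceInventoryAccess (Get-ServiceSddl $Name) $sid)) {
        throw "$Name : required rights not present after sdset"
    }
    return "$Name : granted QueryStatus, QueryConfig, Interrogate, EnumerateDependents, Start, ReadPermissions to $Acct"
}

Grant-ServiceInventoryAccess -Name $ServiceName -Acct $Account
```

The ACE grants nothing beyond the six rights the article names (no Stop, ChangeConfig or PauseContinue), which keeps the inventory account read-only apart from Start. To cover all services, call Grant-ServiceInventoryAccess once per service name from Get-Service.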

Local Firewall rule

Remote WMI connections need to be allowed through the local firewall on the device that is about to be scanned.

Example command for Windows Firewall (run elevated):

  • netsh.exe advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

WMI Service Restart

The WMI Service (Windows Management Instrumentation) needs to be restarted in order to apply changes to the WMI namespace permissions.
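The following PowerShell script is an added example and not part of the original article. It is meant to be run from the inventory server after the steps above (including the WMI service restart) to verify that the service account can actually reach each listed namespace on a target device over DCOM, the transport the scan uses, and to tell a missing role (namespace absent) apart from a missing permission (access denied). Host name and account are constructed placeholders.

```powershell
# Added example, not part of the original article: end-to-end check of the
# namespace permissions from the inventory server's point of view, using the
# service account over DCOM (not WS-Man, so WinRM is not involved).

$Target = 'host01.contoso.example'                  # placeholder
$Cred   = Get-Credential 'CONTOSO\svc-inventory'    # placeholder; prompts for the password

# Namespaces from the article's tables; role-specific ones may be absent on a host
$Namespaces = 'root', 'root\cimv2', 'root\Microsoft\SqlServer',
              'root\virtualization\v2', 'root\MSCluster'

function Test-WmiInventoryAccess {
    param([string]$ComputerName, [pscredential]$Credential, [string[]]$Namespaces)

    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                              -SessionOption $opt -ErrorAction Stop
    try {
        foreach ($ns in $Namespaces) {
            $detail = ''
            try {
                # __NAMESPACE exists in every namespace; enumerating it remotely
                # requires Enable Account and Remote Enable on that namespace
                $null  = Get-CimInstance -CimSession $session -Namespace $ns `
                                         -ClassName __NAMESPACE -ErrorAction Stop
                $state = 'OK'
            } catch {
                # 'Invalid namespace' means the role is not installed; anything else
                # (typically access denied) points at the namespace DACL
                $state  = if ($_.Exception.Message -match 'Invalid namespace') { 'ABSENT' } else { 'DENIED' }
                $detail = $_.Exception.Message
            }
            [pscustomobject]@{ Namespace = $ns; Result = $state; Detail = $detail }
        }

        # The Win32_Service provider runs the query with the caller's rights, so
        # compare this count with what an administrator sees on the same host:
        # a shorter list points at the per-service rights described in the article
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction SilentlyContinue
        [pscustomobject]@{ Namespace = 'root\cimv2 (Win32_Service)'
                           Result    = "$(@($svc).Count) services visible"
                           Detail    = '' }
    } finally {
        Remove-CimSession $session
    }
}

Test-WmiInventoryAccess -ComputerName $Target -Credential $Cred -Namespaces $Namespaces |
    Format-Table -AutoSize
```

A DENIED result on \root or \root\cimv2 with the groups and firewall rule in place usually means the namespace change was made but the WMI service was not restarted yet, which is the step this section describes.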

For more information see RVY200410: Script Template to Grant Permissions for a Zero Touch Inventory of Windows Devices.
