1. General Information
This document describes the permissions an Inventory Service User account (domain or local) or a specified group (domain or local) needs in order to scan devices with the Zero Touch Windows scanning technology.
2. User Specifications
Option 1: Use a local Administrator account
This is the highest permission level.
The user account needs to be a member of the local Administrators group. Local administrators usually have full permissions on WMI. Such a user needs to be granted and rolled out to every target device in scope.
Option 2: Create an Inventory Service user account with dedicated permissions
This is the least privilege approach.
To grant dedicated permissions to the specified service users or groups, the following needs to be configured on every target device in scope:
Group Membership
The User or Group needs to be member of the following groups:
Group | SID |
Performance Monitor Users | S-1-5-32-558 |
Distributed COM Users | S-1-5-32-562 |
Remote Management Users (not needed on Windows 7 and its counterparts) | S-1-5-32-580 |
Hint: Windows Domain Controllers use domain groups only. Therefore the designated Inventory Service User needs to be a member of the corresponding domain groups.
Required permissions on the target device
The following permissions on the WMI namespaces should be granted to the specified user or group:
Common WMI permissions
Namespace | Permissions | Inheritance |
\root | Enable Account | No |
\root\cimv2 | Enable Account | Yes |
WMI permissions for MS SQL Servers
Namespace | Permissions | Inheritance |
\root\Microsoft\SqlServer | Enable Account | Yes |
WMI permissions for MS SQL Server version <= 2000
Namespace | Permissions | Inheritance |
\root\Microsoft\SqlServer\MSSQL_Server | Enable Account | Yes |
\root\Microsoft\SqlServer\MSSQL_RegistrySetting | Enable Account | Yes |
WMI permissions for MS SQL Server version >= 2005
Namespace | Permissions | Inheritance |
\root\Microsoft\SqlServer\ComputerManagementVV (VV is the major version number of SQL Server) | Enable Account | Yes |
WMI permissions for Hyper-V
Namespace | Permissions | Inheritance |
\root\virtualization | Enable Account, Execute Methods, Remote Enable, Read Security | Yes |
\root\virtualization\v1 | Enable Account, Execute Methods, Remote Enable, Read Security | Yes |
\root\virtualization\v2 | Enable Account, Execute Methods, Remote Enable, Read Security | Yes |
\root\MSCluster | Enable Account, Execute Methods, Remote Enable, Read Security | Yes |
Local group for Hyper-V
For a full Hyper-V inventory to work, the inventory user needs to be a member of the following group on all Hyper-V hosts:
- Hyper-V Administrators
Permissions for Windows Services
To get a full inventory including Windows Services, the user needs to have the following permissions on the services:
- QueryStatus
- QueryConfig
- Interrogate
- EnumerateDependents
- Start
- ReadPermissions
For full SQL details, the rights described above for Windows Services are also required.
Local Firewall rule
Inbound WMI connections need to be allowed on the device that is to be scanned.
Example command for Windows Firewall (enables the predefined WMI rule group):
- netsh.exe advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
WMI Service Restart
The WMI Service (Windows Management Instrumentation) needs to be restarted to apply changes to WMI permissions.
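An audit script for one target device, added here as an example; it is not part of this article or of the RVY200410 template. It checks the group memberships, the \root and \root\cimv2 rights, the Hyper-V rights on \root\virtualization\v2 and the WMI firewall rule group described above. The account name is a placeholder; the script assumes Windows PowerShell 5.1 (Invoke-WmiMethod, Get-LocalGroupMember, Get-NetFirewallRule) and local administrative rights.

```powershell
# Added audit script, not part of the original article. Checks one target device
# for the settings described above (group membership, WMI namespace rights, WMI
# firewall rule group). Run in Windows PowerShell 5.1 with administrative rights.
param([string]$Account = 'CONTOSO\svc-inventory')   # placeholder: inventory user or group

# Access mask bits of a WMI namespace security descriptor (wbemcli.h)
$WBEM_ENABLE         = 0x1        # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2        # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20       # "Remote Enable"
$READ_CONTROL        = 0x20000    # "Read Security"
$CONTAINER_INHERIT   = 0x2        # AceFlags bit: right applies to sub-namespaces

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Test-GroupMembership([string]$GroupSid) {
    # Resolve the group by well-known SID so the check works on localized Windows
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.SID.Value -eq $sid })
}

function Test-NamespaceAccess([string]$Namespace, [int]$Required, [bool]$Inherit) {
    try {
        $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
                   -Name GetSecurityDescriptor -ErrorAction Stop).Descriptor
    } catch { return $false }   # namespace missing (e.g. no Hyper-V role) or no access
    $granted = 0; $inherits = $false
    foreach ($ace in $sd.DACL) {
        # Only explicit allow ACEs (type 0) for this SID; rights the account gets
        # through other group memberships are deliberately not resolved here
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $sid) {
            $granted = $granted -bor $ace.AccessMask
            if ($ace.AceFlags -band $CONTAINER_INHERIT) { $inherits = $true }
        }
    }
    return (($granted -band $Required) -eq $Required) -and ((-not $Inherit) -or $inherits)
}

$hyperV = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL
$checks = [ordered]@{
    'Member of Performance Monitor Users'   = Test-GroupMembership 'S-1-5-32-558'
    'Member of Distributed COM Users'       = Test-GroupMembership 'S-1-5-32-562'
    'Member of Remote Management Users'     = Test-GroupMembership 'S-1-5-32-580'
    'root: Enable Account, no inheritance'  = Test-NamespaceAccess 'root' $WBEM_ENABLE $false
    'root\cimv2: Enable Account, inherited' = Test-NamespaceAccess 'root\cimv2' $WBEM_ENABLE $true
    'root\virtualization\v2: Hyper-V rights' = Test-NamespaceAccess 'root\virtualization\v2' $hyperV $true
}
$fw = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
$checks['Inbound WMI firewall rule group enabled'] = [bool]($fw | Where-Object { $_.Enabled -eq 'True' })

$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }
```

A False for a namespace row means the account has no explicit ACE carrying all the listed bits; rights granted to it only through a group will show as False, so run the script with the group name when permissions were granted to a group.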
For more information see RVY200410: Script Template to Grant Permissions for a Zero Touch Inventory of Windows Devices.
If you still get 'Access is denied.', see https://docs.microsoft.com/de-de/windows/win32/wmisdk/troubleshooting-a-remote-wmi-connection?redirectedfrom=MSDN