RVY200410: Script Template to Grant Permissions for a Zero Touch Inventory of Windows Devices

Description:

The PowerShell script template can create a local user or use an existing domain user and sets all rights and permissions required for a Zero-Touch inventory, following the least-privilege approach supported by RayVentory.

To do so, the script performs the following tasks:

  • Starts the WMI service (winmgmt) if it is not running
  • (Optional) Creates a local user account
  • Adds the designated domain or local user to the following built-in groups: "Performance Monitor Users", "Distributed COM Users", "Remote Management Users" (depending on the Windows version)
  • Grants the user read-only permissions on the required WMI namespaces
  • In addition, enables the user to read the properties of all existing Windows services
  • (Optional) Restarts the "Windows Management Instrumentation" service (winmgmt); all dependent services are checked and restarted as well
  • (Optional) Adds a local firewall rule to allow remote WMI access
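The task list above, carried out in PowerShell as an added illustration (this is not the RayVentory template and not Raynet's code). It assumes Windows 10 / Server 2016 or later for the `*-LocalGroup*` and `*-NetFirewallRule` cmdlets; the account name `inventory-svc`, the domain value and the namespace list are placeholders. The namespace ACE grants only Enable Account and Remote Enable, and the service ACE only the query/read rights, so the account can read but not change or control anything.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not the RayVentory template: grants one local or domain user the
# read-only WMI access described in the task list. Account name, domain and namespace list
# are assumed placeholders; adjust them to your environment.
param(
    [string]$UserName = 'inventory-svc',     # placeholder account name
    [string]$Domain   = '',                  # '' or '.' = local account, otherwise NetBIOS/DNS domain
    [switch]$CreateUser,                     # create the local account if it does not exist
    [securestring]$UserPass,                 # only used together with -CreateUser
    [string[]]$Namespaces = @('root/cimv2', 'root/default'),  # assumed example namespaces
    [switch]$SetServicePermissions,
    [switch]$SetWmiFirewallRules,
    [switch]$RestartService
)

# Step 1: the WMI service must run, otherwise the namespace security calls below fail.
if ((Get-Service winmgmt).Status -ne 'Running') { Start-Service winmgmt }

# Step 2 (optional): create the local account.
$isLocal = [string]::IsNullOrEmpty($Domain) -or $Domain -eq '.'
if ($CreateUser -and $isLocal -and -not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $UserPass -PasswordNeverExpires | Out-Null
}

# Resolve the trustee to a SID once; Translate() fails early if the account does not exist.
$account = if ($isLocal) { "$env:COMPUTERNAME\$UserName" } else { "$Domain\$UserName" }
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Step 3: built-in groups, addressed by well-known SID so localized group names do not matter.
# 558 = Performance Monitor Users, 562 = Distributed COM Users, 580 = Remote Management Users
foreach ($groupSid in 'S-1-5-32-558', 'S-1-5-32-562', 'S-1-5-32-580') {
    if (-not (Get-LocalGroup -SID $groupSid -ErrorAction SilentlyContinue)) { continue }  # absent on older Windows
    $members = Get-LocalGroupMember -SID $groupSid -ErrorAction SilentlyContinue
    if (-not ($members | Where-Object { $_.SID.Value -eq $sid })) {
        Add-LocalGroupMember -SID $groupSid -Member $sid
    }
}

# Step 4: namespace DACL with Enable Account (0x1) + Remote Enable (0x20) only, inherited by
# child namespaces (AceFlags 0x2). No Method Execute, no write, no WRITE_DAC.
$readOnlyMask = 0x21
foreach ($ns in $Namespaces) {
    $get = Invoke-WmiMethod -Namespace $ns -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $ns failed with $($get.ReturnValue)" }
    $descriptor = $get.Descriptor
    if ($descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $sid }) { continue }  # already granted
    $trustee = ([wmiclass]'\\.\root\cimv2:Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'\\.\root\cimv2:Win32_Ace').CreateInstance()
    $ace.AccessMask = $readOnlyMask
    $ace.AceFlags   = 0x2     # CONTAINER_INHERIT_ACE
    $ace.AceType    = 0x0     # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $descriptor.DACL += $ace.PSObject.ImmediateBaseObject
    $set = Invoke-WmiMethod -Namespace $ns -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
               -ArgumentList $descriptor.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $ns failed with $($set.ReturnValue)" }
}

# Step 5 (optional): read-only ACE on every service so Win32_Service properties can be collected.
# CC LC SW LO CR RC = query config, query status, enumerate dependents, interrogate,
# user-defined control, read security descriptor; no start/stop/change-config rights.
if ($SetServicePermissions) {
    foreach ($svc in Get-Service) {
        $sddl = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl -or $sddl -like "*;;;$sid)*") { continue }   # unreadable or already present
        $ace = "(A;;CCLCSWLOCRRC;;;$sid)"
        $new = if ($sddl -match '^(D:.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] } else { $sddl + $ace }
        sc.exe sdset $svc.Name $new | Out-Null   # protected services reject this; the message is informational
    }
}

# Step 6 (optional): built-in inbound rule group covering DCOM-In, WMI-In and ASync-In.
if ($SetWmiFirewallRules) { Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' }

# Step 7 (optional): restart winmgmt so the new DACLs apply now; remember which dependents were
# running, stop everything with -Force, then bring only those dependents back.
if ($RestartService) {
    $wasRunning = Get-Service winmgmt -DependentServices | Where-Object { $_.Status -eq 'Running' }
    Stop-Service winmgmt -Force
    Start-Service winmgmt
    $wasRunning | ForEach-Object { Start-Service $_.Name }
}
```

Run it from an elevated PowerShell, for example `.\grant-wmi-read.ps1 -UserName svc-inv -Domain CORP -SetServicePermissions -RestartService`. Both the group and the namespace steps are idempotent, so the script can be re-run after a change without stacking duplicate ACEs; the SDDL rewrite in step 5 deliberately touches only the DACL part and leaves the SACL untouched.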

Prerequisites:

The following prerequisites must be met before the script template can be executed:

  • If the target user is an existing AD user, the following information should be known:
    • Account name and domain of the user
    • (Optional) The SID of the user (the AD lookup is then skipped)
  • If the target user is a local user, the following information should be known:
    • The name of the user
    • The password of the user (if the user does not exist yet)
    • (Optional) The SID of the user
  • Furthermore, the script must be executed with administrative privileges (elevated) to overcome UAC limitations; merely using an account that is a member of the Administrators group is not enough!

Limitations:

We are aware that the zero-touch inventory returns incomplete data when this script is used on Windows 2008 R2 and Windows 7. Because of the WMI API on those operating systems, the granted permissions are not sufficient: attributes of "Win32_DiskDrive", "Win32_CDROMDrive" and "Win32_NetworkAdapter" may be missing or incomplete.

Raynet recommends checking the inventory data from those devices. If some information is required but not available due to these limitations, the workaround is to add the user to the local Administrators group.
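A way to perform the check recommended above, added here as an example and not part of the article or the template: from a second machine, open a CIM session as the least-privilege account and query the classes the inventory relies on, including the three named in the limitation. The host name is a placeholder and the credential is prompted for.

```powershell
# Added check (not part of the RayVentory template): confirm from another machine that the
# least-privilege account can read the classes the inventory needs, and flag classes that
# return instances without the expected property (the Windows 7 / 2008 R2 symptom above).
param(
    [string]$ComputerName = 'TARGET-HOST',   # placeholder host name
    [pscredential]$Credential = (Get-Credential -Message 'Inventory account (least privilege)')
)

# DCOM is the transport that "Distributed COM Users" membership and the WMI firewall group
# cover; switch to -Protocol Wsman to test the "Remote Management Users" path instead.
$option  = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $option

# Class -> property that must be populated for the inventory record to be useful.
$checks = [ordered]@{
    'Win32_OperatingSystem' = 'Caption'
    'Win32_Service'         = 'StartMode'
    'Win32_DiskDrive'       = 'Model'
    'Win32_CDROMDrive'      = 'Drive'
    'Win32_NetworkAdapter'  = 'MACAddress'
}

$report = foreach ($class in $checks.Keys) {
    try {
        $instances = @(Get-CimInstance -CimSession $session -ClassName $class -ErrorAction Stop)
        $populated = @($instances | Where-Object { $_.($checks[$class]) }).Count
        [pscustomobject]@{ Class = $class; Instances = $instances.Count; Populated = $populated; Error = $null }
    } catch {
        # Access denied here points at group membership, the firewall or the namespace DACL,
        # not at the limitation described for Windows 7 / 2008 R2.
        [pscustomobject]@{ Class = $class; Instances = 0; Populated = 0; Error = $_.Exception.Message }
    }
}
Remove-CimSession $session

$report | Format-Table -AutoSize
# Instances > 0 with Populated = 0 is the incomplete-data case; an Error on every class means
# the permissions were not applied at all. Exit non-zero so a rollout tool can flag the host.
if ($report | Where-Object { $_.Error }) { exit 1 }
```

Run it as a user who is not an administrator on the target, otherwise the test proves nothing about the least-privilege setup. A `Win32_CDROMDrive` count of zero on a virtual machine without an optical drive is expected and is not an error.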

Preparation:

After changing the template script, verify and test the final version before deploying it to all Windows computers and servers.

Open the script in the PowerShell editor or a text editor (e.g. Notepad++) and navigate to the section [CmdletBinding()].

Be aware that the log-file path has to exist; otherwise errors might occur. The log file with the specific name ("RIW_CreateUser_<Username>.log") will be created in "c:\temp".

Decide whether you want to restart the service "Windows Management Instrumentation" immediately:

  • If $RestartService = "True", the service "winmgmt" and every dependent service will be restarted.
  • Be aware: some permission changes only become effective after a restart of the service or after the next Windows restart.

For using an existing domain user:

  1. Replace $UserName = "UserName" with the name of the user and $Domain = "Domain" with the AD domain name (NetBIOS or DNS name)
  2. Replace $SID = $null with the SID of the domain user account as a string (reduces runtime)
  3. Set $CreateUser to "False" (creating a domain user is not recommended)

For a local user:

  1. Replace "UserName" with the name of the user
  2. Leave $Domain empty ("") or set it to "." to make sure the user is treated as a local user
  3. If the user should be created, set "$CreateUser" to "True" and enter the password under "$UserPass"

Common Settings:

  • Verify or change $LogPath = "c:\Temp\" for the log file
  • Change $SetServicePermissions = $false to $true to collect Windows service attributes
  • Change $SetWmiFirewallRules = $false to $true in case the local firewall might block remote WMI access
  • Change $RestartService = $false to $true to apply the WMI permissions immediately

Execution:

Ensure that you have administrator privileges by starting "PowerShell as Administrator" or "Cmd as Administrator" (and then starting "powershell" from within the cmd shell).

PS> & "<PathToScript>\RIW_CreateUser_LocalExecution_v1.3.ps1"

Troubleshooting:

For further information, check the log file and the PowerShell messages.

Change History:

  • 1.0 - Original script release
  • 1.1 - Domain value support for both DNS and NETBIOS names
  • 1.2 - Changed the NET LOCALGROUP sequence to respect the domain, with failover for conflicts with localized group authorities; starts the WMI service including dependent services if the WMI service is not running (mandatory)
  • 1.3 - Multilanguage group names parsing added

The former VB-Script template is no longer available. If you need VBS support, contact Raynet consulting or your sales representative.

Link to further articles:
RVY200347-Required-Permissions-for-a-Zero-Touch-Inventory-of-Windows-Devices

Attachment:

RIW_CreateUser_LocalExecution_v1.3.ps1.zip
