
Windows Discovery with a non-Admin account

Zach Langsley N
Tera Contributor

Hey Everyone!

We have been tasked with redeploying Discovery as a non-admin account (so so painful). We have found reasonable success following Discovery with a normal user (non-admin user) from Community.

 

However, we're trying to roll our changes into a GPO and are currently having challenges scripting the WMI Control modifications via PowerShell, and without that part, Discovery doesn't accomplish much. Has anyone found the magic words to automate those permission changes?

Thanks!

2 REPLIES

pavani_paluri
Tera Guru

Hi @Zach Langsley N ,


1. Give the account WMI rights
Think of WMI as a locked filing cabinet.
You need to hand your service account a key.
The “key” is called Remote Enable permission on the `root\cimv2` namespace.

2. Give the account DCOM rights
DCOM is like the front door to that filing cabinet.
You need to let the account open the door remotely (Remote Launch/Activation).

3. Automate it
Instead of clicking around in WMI Control, you use a PowerShell script (like Microsoft’s `Set-WmiNamespaceSecurity.ps1`).
That script says: “Add this account to WMI with Remote Enable.”
You drop that script into a GPO startup script, so every computer runs it automatically.

 

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P

Thanks Pavani.

 

The issue we are having is in step 3. The PowerShell scripts that we have tried cannot add the account to WMI; they only seem to be able to manipulate accounts that already exist within WMI.

 

PowerShell/Windows/Set-WMINameSpaceSecurity.ps1 at main · grbray/PowerShell · GitHub

 

On line 133 it checks to see if the account is in WMI to edit the permissions. The error on 138 is what I get because the account is not in WMI yet.

On line 142, if the account was in WMI, then this would add the needed permissions to the existing account.

 

Do you have any other recommendations?
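
Added example, not part of the thread and not the linked script: one way to grant Remote Enable on `root\cimv2` to an account that has no entry in the namespace yet, by appending a new allow ACE to the security descriptor read from `__SystemSecurity`. The account name is a placeholder, granting Enable Account alongside Remote Enable is an assumption, and the script assumes Windows PowerShell 5.1 running elevated (as a GPO startup script does); the DCOM Remote Launch/Activation rights from step 2 are not covered.

```powershell
# Added example (Windows PowerShell 5.1, run elevated). Not the linked script.
param(
    [string]$Account   = 'EXAMPLE\svc-discovery',   # placeholder account
    [string]$Namespace = 'root\cimv2'
)
$ErrorActionPreference = 'Stop'

# WMI namespace access-mask bits
$EnableAccount = 0x1    # "Enable Account" (assumption: granted alongside Remote Enable)
$RemoteEnable  = 0x20   # "Remote Enable"
$mask = $EnableAccount -bor $RemoteEnable
$ContainerInherit = 0x2 # ACE also applies to sub-namespaces

# Resolve the SID directly, so the account needs no existing WMI entry.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$result = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$sd = $result.Descriptor

# Idempotent: skip if an allow ACE for this SID already carries both bits.
$existing = $sd.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and $_.AceType -eq 0 -and
    ($_.AccessMask -band $mask) -eq $mask
}
if ($existing) { Write-Output "$Account already has the rights on $Namespace"; return }

# Build a brand-new allow ACE for the account and append it to the DACL.
$trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
$trustee.SidString = $sid
$ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
$ace.AccessMask = $mask
$ace.AceFlags   = $ContainerInherit
$ace.AceType    = 0     # 0 = access allowed
$ace.Trustee    = $trustee
$sd.DACL += $ace.psobject.ImmediateBaseObject

# Write the modified descriptor back to the namespace.
$set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor `
    -ArgumentList $sd.psobject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
Write-Output "Granted Enable Account + Remote Enable on $Namespace to $Account"
```

Because the mask is limited to those two bits, the account gets no write or method-execute rights on the namespace, and the existing-ACE check makes the script safe to rerun at every startup.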