It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How can I create a user with WMI query permission?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00006448


A normal account can be used for remote WMI access. This account can be restricted with no-login access but needs certain read-only rights to access the WMI repository remotely. The following attributes needs to be configured:

  1. The user needs to have DCOM access. This is used to execute the WMI queries.
  2. The user needs access to the WMI tree (or at least the "root/CIMV2" portion of the tree).
  3. For performance monitoring, the user needs to be in the group ?Performance Monitor Users?

The easiest configuration method is to create a user and add the user to the groups "Distributed COM Users" and "Performance Monitor Users." By default, the group "Distributed COM Users"  has remote access rights to the DCOM. The group "Performance Monitor Users" has rights to read the performance counts by default as well.

Step by Step configuration for Windows 7 and Windows Server 2008:

1. Create a normal user via the Active Directory Users and Computers tool.
2. Add the created user to following groups Performance Monitor Users and Distributed COM Users under Builtin.
3. Open a command prompt window and execute the wmimgmt.msc command.
4. Select the Properties of WMI Control (local).
5. Select the Security tab.
6. Select Root and press the Security button.
7. Add the group Performance Monitor Users.
8. Enable all Remote Enable, Execute Methods, Enable Account and all read rights.
9. Close the add dialog and select the group Performance Monitor Users in the list.
10. Select Advanced in the Security for Root dialog and then select the group and press Edit.
11. Select This namespace and subnamespaces to grant read-only access to the whole WMI tree to this account .


Configure the Windows Firewall (needed if the firewall blocks the remote WMI access)

1. Start the Windows Firewall using the Control Panel.
2. It is not necessary to use the Windows Firewall with Advanced Security control.
3. Select Allow a program or feature through Windows Firewall.
4. Open Component Services, Computers, My Computer and then Properties of My Computer.
5. Enable Windows Management Instrumentation (WMI) for Domain and/or Home/Work Networks.


Configure the DCOM access (optional if predefined group Distributed COM Users is not used)

1. Start dcomcnfg.exe
2. Open Component Services, Computers, My Computer and then Properties of My Computer.
3. Select COM Security
4. Click on Edit Limits on Launch and Activation Permissions.
5. Check the rights of the group Distributed COM Users (should have full rights) .

Link to this page: