topic Re: How to enable WMI data collection on a Domain Server in Getting Data In

How to enable WMI data collection on a Domain Server

pmelchiori — Wed, 19 May 2010 14:15:40 GMT

Hi, I've a problem with the WMI privilege on a Domain Controller running Win 2003 R2. This is what I done:

Add user to the groups Performance Log Users and Distributed COM Users Domain groups.
Add Splunk's user to the Distributed COM Users local group
Enabled all permissions on the WMI tree at root for the Splunk user.
no firewall between the pc and the server.

I can't add my special user to the administrator's group, but if I do everyting works correctly.

There are other Group Policy to enable? other setting to change? thanks

Re: How to enable WMI data collection on a Domain Server

gkanapathy — Wed, 19 May 2010 16:24:17 GMT

I don't understand what you mean by "you can't add" but "it works correctly" if you do. You mean you are not allowed to, and you are trying to see if there is another way to do it besides adding the user to to group?

Re: How to enable WMI data collection on a Domain Server

Ledio_Ago — Thu, 20 May 2010 08:49:24 GMT

Looking at MSDN: http://msdn.microsoft.com/en-us/library/aa389290%28v=VS.85%29.aspx

"...Windows Server 2003, Windows XP, and Windows 2000: The account on Computer B must be in the Administrator group, but a domain account is not required...."

From this document it sounds like the user running Splunk has to be in the Administrative group to be able to connect to WMI remotely. The same user context that Splunk is running as will be used to log in to remote box and connect to WMI

Re: How to enable WMI data collection on a Domain Server

gkanapathy — Thu, 20 May 2010 13:22:08 GMT

Well, but note that if the computer is a DC, then the Administrator group is the Domain Administrator group.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Thu, 20 May 2010 14:04:47 GMT

Exactly, I try to put in the Administrators group, and it works fine, but the system administrator doesn't give me the permission to use forever this way.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Thu, 20 May 2010 17:45:01 GMT

This is the main point!

Re: How to enable WMI data collection on a Domain Server

gkanapathy — Sat, 22 May 2010 14:36:50 GMT

Sorry, this sounds like that's what Windows requires. It does not entirely surprise me. It is possible that you can fiddle around with settings in the DCOMCNFG.EXE application to make it work with a non-Administrator group, but this is something probably more readily answered at a Windows-specialist site.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Mon, 24 May 2010 14:29:28 GMT

I've already give to my user the DCOM permission! The only think is that quen I test the WMI the answer to the query is empty! not an error...

Re: How to enable WMI data collection on a Domain Server

igor — Sat, 12 Jun 2010 05:12:55 GMT

You have to run Splunk with an account that has local Administrator privileges. See http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindowsviathecommandline#Choosing_the_user_Splunk_should_run_as.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Mon, 14 Jun 2010 15:15:27 GMT

DC server doesn't have the Local Admins!

Re: How to enable WMI data collection on a Domain Server

igor — Tue, 15 Jun 2010 01:23:35 GMT

In my experience, if you have an AD user that is a member of the DC's "Domain Admin" group, processes that run as the AD user will run with local Administrators group privilege as well. I suggest adding the "Domain Admin" group to that user and trying again.

Re: How to enable WMI data collection on a Domain Server

klkumar10 — Tue, 13 Jul 2010 16:15:35 GMT

Add the user the following:

Add User to the groups Performance Log Users

Add User to the Group of Distributed COM Users

Open Local Security Policy (Start -> All Programs -> Administrative Tools -> Local Security Policy)

Select -> Secutiy Settings -> Local Policies -> User Rights Assignment -> Manage Auditing and Security Log

Add the user to that policy Manage Auditing and Security Log, that will solve your problem.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Wed, 14 Jul 2010 20:37:42 GMT

Thanks, I'll try it soon!

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Thu, 15 Jul 2010 20:34:02 GMT

Done, nothing changes... any other ideas?

Re: How to enable WMI data collection on a Domain Server

simuvid — Tue, 27 Jul 2010 19:54:10 GMT

I had a similar question.

Re: How to enable WMI data collection on a Domain Server

ftk — Tue, 27 Jul 2010 21:17:26 GMT

Saw that many answers revolve around adding the account to the Local Administrators group on the DC. This is indeed possible on a 2003 DC. Simply add the user to the BUILTIN\Administrators group on the DC.

One thing to note is that the Domain Admins group is a member of BUILTIN\Administrators group, so if you already added the account to Domain Admins the account should have (out of the box) loca admin privs on the DC.

Re: How to enable WMI data collection on a Domain Server

ftk — Tue, 27 Jul 2010 21:36:39 GMT

Just got done reading through the convoluted stream of answers and comments again.

To sum it up, your problem is:

If you add the account to the Domain Admin group, you can poll WMI fine, but your sysadmin does not allow this configuration.
You followed the manual in setting this up for a non admin account

Now when you say it doesn't work, do you mean querying via splunk cmd splunk-wmi -wql "select * from win32_service" -namespace \\<server>\root\cimv2 or via a different method? If you run the splunk cmd, do you receive an error? If so, can you please post that error?

If you are not getting anything, or rather, if you are getting something similar to this:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

Then you probably left the initial splunk off of the splunk cmd command and just invoked another shell with cmd.

Please also post details on the account you are running the polling splunk instance as. Domain account, local account, local SYSTEM account?

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Tue, 10 Aug 2010 17:33:39 GMT

I can't add my user to the administrators group, company policy.

Re: How to enable WMI data collection on a Domain Server

pmelchiori — Mon, 28 Sep 2020 09:15:44 GMT

Thanks ftk, this is the result:

ERROR WMI - Error occurred while trying to retrive results from a WMI query (error="Call failed." HRESULT=80041001) (.: select * from win32_service)
ERROR WMI - Giving up attempt to connect to WMI provider after maximum number of retries at maximum backoff time (.: select * from win32_service)

Clean shutdown completed

Instead, with the administrator's account, everything works fine.

Re: How to enable WMI data collection on a Domain Server

malmoore — Wed, 12 Jan 2011 06:28:27 GMT

So I've been working specifically on unraveling the mystery around this, and after a bit of trial and error, this is the solution I have come up with to get it working.

First I made a domain group that will have the access I have assigned. Always better to do this because you never want to assign users to local member server (or domain controller) groups, or hang users directly on ACLs, it's a PITA security-wise and will assuredly bite you in the rear-end later. I'll call this group Splunkers.
Then, I put the Splunk user into this group.
Then, I started assigning permissions.

First place to start: Putting the newly created Splunkers group in the appropriate domain groups (as shown above):

Performance Log Users
Distributed COM Users

Next: Assign Splunkers some rights. Since this is a domain controller, you need to run the Default Domain Controller Security Settings snap-in (dcpol.msc).

Once inside, expand Security Settings, then Local Policies, and finally User Rights Assignment.
Assign your new group at least the following rights:
- Act as part of the operating system
- Log on as a batch job
- Log on as a service
- Replace a process level token

Okay, now you need to set DCOM security. Start up Component Services from Start, -> Administrative Tools.

Once there, expand Console Root, then Computers, and finally My Computer. Right-click on My Computer and select "Properties..."
In the window that appears, click on the COM Security tab.
Then, under "Access Permissions," click Edit Limits.
Review that the Distributed COM Users group has all items checked under Allow.
At this point, you can add your new domain group Splunkers to this list and ensure that they have full Allow access as well, but it is not required, since Splunkers is a member of Distributed COM Users.
Once you've reviewed or added the group, click OK to save your changes and be returned back to the COM Security tab.
Now, under "Launch and Activation Permissions", click Edit Limits.
Like with the "Access Permissions" window, you are presented with a number of groups and permissions. You need to make sure that the Distributed COM Users group has all items checked under Allow.
If you want, you can also add the Splunkers group here, and assign full Allow access. It is not required, since Splunkers is already a member of Distributed COM Users.
Click OK to save your changes.

All right, next, you need to set WMI namespace security. From the Start menu, select Run..., and in the window that opens, type in wmimgmt.msc in the "Open:" field and click OK.

Once there, right-click on WMI Control (Local) and click Properties.
Click on the Security tab.
Click on the Security button at the bottom right of the window. This action edits the security settings for the Root WMI namespace.
You'll now see a window that has the security settings for WMI on this machine. Click Advanced... Yes, you need to do this.
You'll now see the Advanced security settings for this WMI namespace. You'll need to add the Splunkers group to the list, and give at least the following "Allow" permissions:
- Execute Methods
- Enable Account
- Remote Enable
- Read Security
Then, you need to make sure that these permissions apply to this namespace and all the namespaces under it. Do that by selecting This namespace and subnamespaces in the dropdown box above the permissions list.
Click OK to save the new permissions.
Then, click OK again to exit out of the Advanced Security Settings.
Click OK a third time to exit the security properties.

Now that you've set WMI namespace security, make sure that you've disabled Windows Firewall/ICS services on both the Splunk server and the server you wish to get data from over WMI.

Once you've done all that, you will need to bounce Splunk. After Splunk has been restarted, you should then be able to create WMI data inputs off of your domain controller.

A few notes about this:

I've tested this on a Windows 2003 R2 DC with Windows 2003 member servers running the Splunk service. With Windows 2008, things are a little different (think UAC). I'm working on what else needs to be done to get this running in Windows 2008.
There's no non-esoteric way at this time to globally configure WMI security settings domain-wide. Each machine has its own setting. There is an MSDN blog, however, that lists the steps you can take to create a script that contains the appropriate security descriptors, which you can then subsequently throw into a GPO as a startup script and have your computers get the updated security settings at boot time.
If you're collecting event logs over WMI - and, in particular, the Security event log - you'll need to enable access to that log on the machine you're collecting the logs from. This is not trivial (think, SDDL knowledge and INF file edits if you're thinking about putting it in a GPO).