How to enable WMI data collection on a Domain Server

Path Finder

Hi, I've a problem with the WMI privilege on a Domain Controller running Win 2003 R2. This is what I have done:

  • Added the user to the Performance Log Users and Distributed COM Users domain groups.
  • Added Splunk's user to the Distributed COM Users local group.
  • Enabled all permissions on the WMI tree at root for the Splunk user.
  • There is no firewall between the PC and the server.

I can't add my special user to the administrator's group, but if I do, everything works correctly.

Are there other Group Policies to enable? Other settings to change? Thanks.


Re: How to enable WMI data collection on a Domain Server

Splunk Employee

I don't understand what you mean by "you can't add" but "it works correctly" if you do. You mean you are not allowed to, and you are trying to see if there is another way to do it besides adding the user to the group?

0 Karma

Re: How to enable WMI data collection on a Domain Server

Splunk Employee

Looking at MSDN: http://msdn.microsoft.com/en-us/library/aa389290%28v=VS.85%29.aspx

"...Windows Server 2003, Windows XP, and Windows 2000: The account on Computer B must be in the Administrator group, but a domain account is not required...."

From this document it sounds like the user running Splunk has to be in the Administrative group to be able to connect to WMI remotely. The same user context that Splunk is running as will be used to log in to the remote box and connect to WMI.

0 Karma

Re: How to enable WMI data collection on a Domain Server

Splunk Employee

Well, but note that if the computer is a DC, then the Administrator group is the Domain Administrator group.

0 Karma

Re: How to enable WMI data collection on a Domain Server

Path Finder

This is the main point!

0 Karma

Re: How to enable WMI data collection on a Domain Server

Splunk Employee

Sorry, this sounds like that's what Windows requires. It does not entirely surprise me. It is possible that you can fiddle around with settings in the DCOMCNFG.EXE application to make it work with a non-Administrator group, but this is something probably more readily answered at a Windows-specialist site.

0 Karma

Re: How to enable WMI data collection on a Domain Server

Path Finder

I've already given my user the DCOM permission! The only thing is that when I test the WMI, the answer to the query is empty! Not an error...

0 Karma

Re: How to enable WMI data collection on a Domain Server

Path Finder

Exactly, I tried putting it in the Administrators group, and it works fine, but the system administrator won't give me permission to use it this way forever.

0 Karma

Re: How to enable WMI data collection on a Domain Server

Splunk Employee

You have to run Splunk with an account that has local Administrator privileges. See http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindowsviathecommandline#Choos....


Re: How to enable WMI data collection on a Domain Server

Path Finder

DC server doesn't have the Local Admins!

0 Karma