Hi, I've a problem with the WMI privilege on a Domain Controller running Win 2003 R2. This is what I did:
No firewall between the PC and the server.
I can't add my special user to the administrator's group, but if I do everything works correctly.
Are there other Group Policies to enable? Other settings to change? Thanks
So I've been working specifically on unraveling the mystery around this, and after a bit of trial and error, this is the solution I have come up with to get it working.
First I made a domain group that will have the access I have assigned. Always better to do this because you never want to assign users to local member server (or domain controller) groups, or hang users directly on ACLs, it's a PITA security-wise and will assuredly bite you in the rear-end later. I'll call this group Splunkers.
Then, I put the Splunk user into this group.
Then, I started assigning permissions.
First place to start: Putting the newly created Splunkers group in the appropriate domain groups (as shown above):
Next: Assign Splunkers some rights. Since this is a domain controller, you need to run the Default Domain Controller Security Settings snap-in (dcpol.msc).
Okay, now you need to set DCOM security. Start up Component Services from Start -> Administrative Tools.
All right, next, you need to set WMI namespace security. From the Start menu, select Run..., and in the window that opens, type in wmimgmt.msc in the "Open:" field and click OK.
Now that you've set WMI namespace security, make sure that you've disabled Windows Firewall/ICS services on both the Splunk server and the server you wish to get data from over WMI.
Once you've done all that, you will need to bounce Splunk. After Splunk has been restarted, you should then be able to create WMI data inputs off of your domain controller.
A few notes about this:
I've tested this on a Windows 2003 R2 DC with Windows 2003 member servers running the Splunk service. With Windows 2008, things are a little different (think UAC). I'm working on what else needs to be done to get this running in Windows 2008.
There's no non-esoteric way at this time to globally configure WMI security settings domain-wide. Each machine has its own setting. There is an MSDN blog, however, that lists the steps you can take to create a script that contains the appropriate security descriptors, which you can then subsequently throw into a GPO as a startup script and have your computers get the updated security settings at boot time.
If you're collecting event logs over WMI - and, in particular, the Security event log - you'll need to enable access to that log on the machine you're collecting the logs from. This is not trivial (think, SDDL knowledge and INF file edits if you're thinking about putting it in a GPO).
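Added example, not part of the original answer: the SDDL mentioned in the last note is a security descriptor string whose DACL decides who may read (0x1), write (0x2) or clear (0x4) a log. This Python sketch evaluates such a string for a given token and appends a read-only ACE for a collector group. The sample descriptor, the group SID and all function names are constructed for illustration, and only hex access masks are handled.

```python
import re

# Event log access bits used in a log's SDDL: read, write, clear.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# Matches the DACL: "D:", optional flags, then one or more "(...)" ACEs.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")

def parse_dacl(sddl):
    """Return [(ace_type, mask, trustee)] for each ACE in the DACL, in order."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6 or not fields[2].lower().startswith("0x"):
            raise ValueError("unsupported ACE: " + body)
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces

def effective_access(sddl, token):
    """Walk ACEs in order for a token (set of SIDs/aliases); return granted mask."""
    granted = denied = 0
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token:
            continue
        if ace_type == "D":
            denied |= mask & ~granted   # a bit denied first stays denied
        elif ace_type == "A":
            granted |= mask & ~denied
    return granted

def grant_read(sddl, sid):
    """Append a read-only allow ACE for sid at the end of the DACL."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    return sddl[:m.end()] + "(A;;0x%x;;;%s)" % (READ, sid) + sddl[m.end():]

# Constructed sample values, not taken from the thread.
SAMPLE_SDDL = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
SPLUNKERS = "S-1-5-21-1111111111-2222222222-3333333333-1605"  # placeholder group SID

if __name__ == "__main__":
    updated = grant_read(SAMPLE_SDDL, SPLUNKERS)
    print(updated)
    for name, token in [("member", {SPLUNKERS}), ("member+guest", {SPLUNKERS, "BG"})]:
        print(name, hex(effective_access(updated, token)))
```

Because ACEs are evaluated in order, the appended read ACE does not override the earlier deny entries, and the group gets read access only, without the ability to clear the log.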
Just got done reading through the convoluted stream of answers and comments again.
To sum it up, your problem is:
Now when you say it doesn't work, do you mean querying via
splunk cmd splunk-wmi -wql "select * from win32_service" -namespace \\<server>\root\cimv2
or via a different method? If you run the splunk cmd, do you receive an error? If so, can you please post that error?
If you are not getting anything, or rather, if you are getting something similar to this:
Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp.
Then you probably left the initial splunk off of the splunk cmd command and just invoked another shell with
Please also post details on the account you are running the polling splunk instance as. Domain account, local account, local SYSTEM account?
I have the same problem getting WMI data from a Windows 7 machine. With a Windows XP machine everything works fine.
It may be a UAC problem, but I could not find any documentation that describes how to configure it so that it works for remote WMI access.
Has anyone found a solution?
Thanks in advance.
Thanks ftk, this is the result:
ERROR WMI - Error occurred while trying to retrive results from a WMI query (error="Call failed." HRESULT=80041001) (.: select * from win32service)
ERROR WMI - Giving up attempt to connect to WMI provider after maximum number of retries at maximum backoff time (.: select * from win32service)
Clean shutdown completed
Instead, with the administrator's account, everything works fine.
Saw that many answers revolve around adding the account to the Local Administrators group on the DC. This is indeed possible on a 2003 DC. Simply add the user to the BUILTIN\Administrators group on the DC.
One thing to note is that the Domain Admins group is a member of the BUILTIN\Administrators group, so if you already added the account to Domain Admins the account should have (out of the box) local admin privs on the DC.
Add the user to the following:
Add User to the groups Performance Log Users
Add User to the Group of Distributed COM Users
Open Local Security Policy (Start -> All Programs -> Administrative Tools -> Local Security Policy)
Select -> Security Settings -> Local Policies -> User Rights Assignment -> Manage Auditing and Security Log
Add the user to that policy, Manage Auditing and Security Log; that will solve your problem.
In my experience, if you have an AD user that is a member of the DC's "Domain Admin" group, processes that run as the AD user will run with local Administrators group privilege as well. I suggest adding the "Domain Admin" group to that user and trying again.
Looking at MSDN: http://msdn.microsoft.com/en-us/library/aa389290%28v=VS.85%29.aspx
"...Windows Server 2003, Windows XP, and Windows 2000: The account on Computer B must be in the Administrator group, but a domain account is not required...."
From this document it sounds like the user running Splunk has to be in the Administrative group to be able to connect to WMI remotely. The same user context that Splunk is running as will be used to log in to the remote box and connect to WMI.
Sorry, this sounds like that's what Windows requires. It does not entirely surprise me. It is possible that you can fiddle around with settings in the DCOMCNFG.EXE application to make it work with a non-Administrator group, but this is something probably more readily answered at a Windows-specialist site.
I don't understand what you mean by "you can't add" but "it works correctly" if you do. You mean you are not allowed to, and you are trying to see if there is another way to do it besides adding the user to the group?