Creating a Service Account that will access WMI / LDAP information

Thread starter: Eric Chatham
Hello,

I currently am using my Domain Admin account to run a scheduled task. The
scheduled task is a VB Script that accesses WMI information and LDAP
information from a few Domain Controllers and Servers. How would I set up a
service account with the appropriate permissions to access this information
on each DC and member server? I'd like to stop using my Domain Admin
account for the scheduled task. If you would like me to post the VB Code to
see it more closely, let me know. Thanks.

This topic was started here originally:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3713409&SiteID=17&m
 
RE: Creating a Service Account that will access WMI / LDAP information

This is still not working for me when I try to create a scheduled task on a
domain controller. The user account I'm using for the service account is not
a member of any groups other than {Domain Users}.

I did, however, find a way to allow WMI access on a remote server without
adding the user account to an Administrative group (which is the goal for the
service account) in question. The only problem I'm having now is using this
service account to run a scheduled task on a domain controller.

Here is what I did to allow WMI access on a remote Server:

To set up the user ‘secmanager’ to access WMI without adding the user to an
Administrative group, follow the steps below.

1. Click Start, click Run, type wmimgmt.msc in the Open box, and then click
OK.
2. Right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Expand the Root folder, select the CIMV2 folder, and then click Security.
5. Click Add. Type the user name you wish to use in the Enter the object
names to select box, click Check Names to verify your entry or entries, and
then click OK.
6. In the Permissions for User list, click the Allow check box next to the
following permissions:
Execute Methods
Enable Account
Remote Enable
Read Security
7. Click Advanced. In the Permission entries list, select the user you
added in step 5, and then click Edit.
8. In the Apply onto box, click This namespace and subnamespaces.
9. Click OK three times.
10. Quit the WMI Control snap-in.

11. Click Start, click Run, type dcomcnfg.exe in the Open box, and then
click OK.
12. Select Component Services and then expand it. Then expand Computers.
Right-click My Computer and select Properties.
13. Select the COM Security tab.
14. In the Access Permissions section, click Edit Limits....
15. Click Add. Type the user name you wish to use in the Enter the object
names to select box, click Check Names to verify your entry or entries, and
then click OK.
16. In the Permissions for User list, click the Allow check box next to the
following permissions:
Local Access
Remote Access
Click OK.
17. In the Launch and Activation Permissions section, click Edit Limits....
18. Click Add. Type the user name you wish to use in the Enter the object
names to select box, click Check Names to verify your entry or entries, and
then click OK.
19. In the Permissions for User list, click the Allow check box next to the
following permissions:
Local Launch
Remote Launch
Local Activation
Remote Activation
Click OK twice.
20. Expand My Computer and expand DCOM Config.
21. Right-click Windows Management and Instrumentation and click Properties.
22. Click the Security tab.
23. In the Access Permissions section, click Edit....
24. Click Add. Type the user name you wish to use in the Enter the object
names to select box, click Check Names to verify your entry or entries, and
then click OK.
25. In the Permissions for User list, click the Allow check box next to the
following permissions:
Local Access
Remote Access
Click OK twice.
26. Quit the Component Services snap-in.
27. Restart the target computer.
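An added check, not part of the thread, that audits the outcome of steps 1-10 above from Windows PowerShell on the target server: it reads the root\cimv2 namespace ACL and confirms the service account holds exactly Enable Account, Execute Methods, Remote Enable and Read Security, applied to the namespace and subnamespaces, with nothing extra. It assumes the account is CONTOSO\secmanager (the domain name is a placeholder) and that the caller may read the namespace security descriptor.

```powershell
# Added example: audit the WMI namespace rights granted to a service account.
# Assumption: domain 'CONTOSO' is a placeholder; 'secmanager' is the thread's account.
param(
    [string]$Namespace = 'root\cimv2',
    [string]$Domain    = 'CONTOSO',      # placeholder domain name
    [string]$Account   = 'secmanager'
)

# Access-mask bits behind the four checkboxes in the WMI Control snap-in
# (WBEM_* from WbemCli.h, READ_CONTROL from the Win32 security constants).
$Rights = [ordered]@{
    'Enable Account'  = 0x00001   # WBEM_ENABLE
    'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE
    'Remote Enable'   = 0x00020   # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
}
$ContainerInherit = 0x2           # AceFlags bit set by "This namespace and subnamespaces"
$required = 0
foreach ($bit in $Rights.Values) { $required = $required -bor $bit }

# __SystemSecurity is the singleton that exposes the namespace security descriptor.
$res = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($res.ReturnValue)" }

$allowed = 0; $denied = 0; $inherits = $false
foreach ($ace in $res.Descriptor.DACL) {
    # Only ACEs whose trustee is the service account matter here.
    if ($ace.Trustee.Name -ne $Account) { continue }
    if ($ace.Trustee.Domain -and $ace.Trustee.Domain -ne $Domain) { continue }
    switch ($ace.AceType) {
        0 { $allowed = $allowed -bor $ace.AccessMask                     # ACCESS_ALLOWED_ACE_TYPE
            if ($ace.AceFlags -band $ContainerInherit) { $inherits = $true } }
        1 { $denied  = $denied  -bor $ace.AccessMask }                   # ACCESS_DENIED_ACE_TYPE
    }
}

$ok = $true
foreach ($name in $Rights.Keys) {
    $bit = $Rights[$name]
    if ($denied -band $bit)              { Write-Warning "$name is explicitly denied"; $ok = $false }
    elseif (-not ($allowed -band $bit))  { Write-Warning "$name is missing";           $ok = $false }
}
if (-not $inherits) { Write-Warning 'Allow ACE does not apply to subnamespaces'; $ok = $false }

# Rights beyond the four (Full Write, Edit Security, ...) exceed what the task needs.
$extra = $allowed -band (-bnot $required)
if ($extra -ne 0) { Write-Warning ('Extra rights granted, mask 0x{0:X}' -f $extra); $ok = $false }

if ($ok) { "OK: $Domain\$Account has exactly the expected rights on $Namespace" }
$ok
```

The same descriptor read works against a remote host by adding -ComputerName to Invoke-WmiMethod, which is also a quick way to confirm that Remote Enable actually took effect after the restart in step 27.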
 
RE: Creating a Service Account that will access WMI / LDAP information

Here are some other things I tried, that failed:

Adding the service account to the "Log on as a service" on Domain Controller
Policy. I also tried the "Act as part of the operating system" in the Domain
Controller Policy. Do I need to be rebooting these domain controllers after
I add them into the policy? I haven't, if so.
 
RE: Creating a Service Account that will access WMI / LDAP information

I found out what was wrong. The script I had running in the scheduled task
didn't have "write" permissions to the log directory. Isn't there a log file
for Task Scheduler? I can't seem to find it.

"Eric Chatham" wrote:

> Here are some other things I tried, that failed:
>
> Adding the service account to the "Log on as a service" on Domain Controller
> Policy. I also tried the "Act as part of the operating system" in the Domain
> Controller Policy. Do I need to be rebooting these domain controllers after
> I add them into the policy? I haven't, if so.