Remote WMI Access on Domain Controllers - account not admin

This topic contains 3 replies, has 2 voices, and was last updated by  Don Jones 4 months ago.

  • Author
    Posts
  • #73427

    Wei-Yen Tan
    Participant

    Hi,

    I am involved in a project where we are using Pester Tests to validate a system health of Domain Controllers.

    I am working on the WMI method (as WinRM has still got limited usage over here in NZ) to query the Domain Controller for system information.

    However there is a caveat. That is the account that will be running the test will preferably be not an admin account. We don't have local administrator accounts on the Domain Controllers so I was wondering if anyone has any creative ideas on how to run the tests successfully? Any help most appreciated.

    regards,

    Wei-Yen Tan

  • #73429

    Don Jones
    Keymaster

    You've only got two choices. WMI by default only allows remote queries from members of the local Administrators group. So the user either needs to be in that group, or you've got to re-permission WMI – which Microsoft doesn't really recommend. There's not really a 'creative' way around security.

  • #73436

    Wei-Yen Tan
    Participant

    Thank you Don for the reply.

    If we were to somehow be able to use WinRM would JEA be a suitable choice? This is just a question out of curiousity.

  • #73445

    Don Jones
    Keymaster

    Yeah. You could set up an endpoint to "run as" an authorized user, and then lock down who could connect to the endpoint. And you don't need JEA per se; you can set that up manually. The JEA Toolkit is really just an easier way of running the necessary commands. "Secrets of PowerShell Remoting" talks about manually creating this kind of endpoint.

You must be logged in to reply to this topic.