Guest Eric Chatham
Posted August 20, 2008

Hello, I currently am using my Domain Admin account to run a scheduled task. The scheduled task is a VB Script that accesses WMI information and LDAP information from a few Domain Controllers and Servers. How would I set up a service account with the appropriate permissions to access this information on each DC and member server? I'd like to stop using my Domain Admin account for the scheduled task. If you would like me to post the VB Code to see it more closely, let me know. Thanks.

This topic was started here originally: http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3713409&SiteID=17&m
Guest Eric Chatham
Posted August 20, 2008

RE: Creating a Service Account that will access WMI / LDAP information

This is still not working for me when I try to create a scheduled task on a domain controller. The user account I'm using for the service account is not a member of any groups other than {Domain Users}. I did, however, find a way to allow WMI access on a remote server without adding the user account to an Administrative group (which is the goal for the service account) in question. The only problem I'm having now is using this service account to run a scheduled task on a domain controller.

Here is what I did to allow WMI access on a remote Server:

To set up the user 'secmanager' to access WMI without adding the user to an Administrative group, follow the steps below.

1. Click Start, click Run, type wmimgmt.msc in the Open box, and then click OK.
2. Right-click WMI Control, and then click Properties.
3. Click the Security tab.
4. Expand the Root folder, select the CIMV2 folder, and then click Security.
5. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
6. In the Permissions for User list, click the Allow check box next to the following permissions:
   - Execute Methods
   - Enable Account
   - Remote Enable
   - Read Security
7. Click Advanced. In the Permission entries list, select the user you added in step 5, and then click Edit.
8. In the Apply onto box, click This namespace and subnamespaces.
9. Click OK three times.
10. Quit the WMI Control snap-in.

---

11. Click Start, click Run, type dcomcnfg.exe in the Open box, and then click OK.
12. Select Component Services and then expand it. Then expand Computers. Right-click My Computer and select Properties.
13. Select the COM Security tab.
14. In the Access Permissions section, click Edit Limits....
15. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
16. In the Permissions for User list, click the Allow check box next to the following permissions:
   - Local Access
   - Remote Access
   Click OK.
17. In the Launch and Activation Permissions section, click Edit Limits....
18. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
19. In the Permissions for User list, click the Allow check box next to the following permissions:
   - Local Launch
   - Remote Launch
   - Local Activation
   - Remote Activation
   Click OK twice.
20. Expand My Computer and expand DCOM Config.
21. Right-click Windows Management and Instrumentation and click Properties.
22. Click the Security tab.
23. In the Access Permissions section, click Edit....
24. Click Add. Type the user name you wish to use in the Enter the object names to select box, click Check Names to verify your entry or entries, and then click OK.
25. In the Permissions for User list, click the Allow check box next to the following permissions:
   - Local Access
   - Remote Access
   Click OK twice.
26. Quit the Component Services snap-in.
27. Restart the target computer.
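The WMI namespace part of the procedure above (steps 1 to 10) can be scripted so that it is applied the same way on every DC and member server instead of being clicked through per machine. The following PowerShell is an added example, not code from the thread: it writes an access-allowed ACE for the service account into the DACL of the chosen namespace using the WMI `__SystemSecurity` class, with exactly the four rights the post lists (Enable Account, Execute Methods, Remote Enable, Read Security) and the "this namespace and subnamespaces" inheritance flag. The computer name `DC01`, domain `CONTOSO`, account `secmanager` and the namespace are placeholders; the DCOM limits in steps 11 to 27 are a separate setting and are not touched here.

```powershell
# Added example (not from the thread): grant a non-admin account the WMI namespace
# rights from steps 1-10 on a remote computer. All names below are placeholders.
param(
    [string]$Computer  = 'DC01',
    [string]$Domain    = 'CONTOSO',
    [string]$User      = 'secmanager',
    [string]$Namespace = 'root/cimv2'
)

# Access-mask bits for a WMI namespace ACE (values from WbemCli.h / winnt.h)
$WBEM_ENABLE         = 0x1      # GUI label: "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2      # GUI label: "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20     # GUI label: "Remote Enable"
$READ_CONTROL        = 0x20000  # GUI label: "Read Security"
$mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

$CONTAINER_INHERIT_ACE = 0x2    # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE    = 0x0

# Resolve the account to a SID so the ACE does not depend on a display name
$nt  = New-Object System.Security.Principal.NTAccount("$Domain\$User")
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the namespace's current security descriptor
$sec = Get-WmiObject -ComputerName $Computer -Namespace $Namespace -Class __SystemSecurity
$res = $sec.GetSecurityDescriptor()
if ($res.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($res.ReturnValue)" }
$sd = $res.Descriptor

# Build the trustee and the ACE
$trustee = ([wmiclass]"\\$Computer\root\cimv2:__Trustee").CreateInstance()
$trustee.Domain    = $Domain
$trustee.Name      = $User
$trustee.SIDString = $sid

$ace = ([wmiclass]"\\$Computer\root\cimv2:__ACE").CreateInstance()
$ace.AccessMask = $mask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE
$ace.Trustee    = $trustee

# Idempotent: only append if an identical ACE for this SID is not already present
$existing = $sd.DACL | Where-Object {
    $_.Trustee.SIDString -eq $sid -and $_.AccessMask -eq $mask -and $_.AceFlags -eq $CONTAINER_INHERIT_ACE
}
if (-not $existing) {
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $out = $sec.SetSecurityDescriptor($sd.PSObject.ImmediateBaseObject)
    if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($out.ReturnValue)" }
    Write-Host "Granted $Domain\$User read/execute rights on $Namespace at $Computer"
} else {
    Write-Host "ACE already present for $Domain\$User on $Namespace at $Computer"
}

# Verification: query the namespace as the service account
# Get-WmiObject -ComputerName $Computer -Namespace $Namespace -Class Win32_OperatingSystem `
#     -Credential (Get-Credential "$Domain\$User")
```

Run it from an account that already holds Write Security on the namespace (a local administrator of the target). The mask deliberately omits the write bits (Full Write, Partial Write, Provider Write), so the account can read instance data and invoke methods but cannot alter the repository; keep the DACL check in place so repeated runs across a fleet do not stack duplicate entries.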
Guest Eric Chatham
Posted August 20, 2008

RE: Creating a Service Account that will access WMI / LDAP information

Here are some other things I tried, that failed:

Adding the service account to the "Log on as a service" on Domain Controller Policy. I also tried the "Act as part of the operating system" in the Domain Controller Policy. Do I need to be rebooting these domain controllers after I add them into the policy? I haven't, if so.
Guest Eric Chatham
Posted August 21, 2008

RE: Creating a Service Account that will access WMI / LDAP information

I found out what was wrong. The script I had running in the scheduled task didn't have "write" permissions to the log directory. Isn't there a log file for Task Scheduler? I can't seem to find it.

"Eric Chatham" wrote:
> Here are some other things I tried, that failed:
>
> Adding the service account to the "Log on as a service" on Domain Controller
> Policy. I also tried the "Act as part of the operating system" in the Domain
> Controller Policy. Do I need to be rebooting these domain controllers after
> I add them into the policy? I haven't, if so.
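The root cause in the last post was an NTFS permission on the script's log directory, not the task itself. When a task is moved off a Domain Admin account, each filesystem location the script writes to needs an explicit entry for the service account. The PowerShell below is an added example, not code from the thread: it checks the directory ACL for an Allow entry that covers write access for the account and, if none is present, grants Modify (not Full Control) with inheritance to files and subfolders. `CONTOSO\secmanager` and `D:\Scripts\Logs` are placeholders.

```powershell
# Added example (not from the thread): make sure the scheduled task's service account
# can write its log directory. Account and path are placeholders.
$Account = 'CONTOSO\secmanager'
$LogDir  = 'D:\Scripts\Logs'

if (-not (Test-Path -Path $LogDir -PathType Container)) {
    New-Item -Path $LogDir -ItemType Directory | Out-Null
}

$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$acl = Get-Acl -Path $LogDir

# Look only for an explicit Allow entry naming this account that includes the Write bits
$hasWrite = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeBits) -eq $writeBits)
}

if (-not $hasWrite) {
    # Modify = read, write, execute, delete; inherit to subfolders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LogDir -AclObject $acl
    Write-Host "Granted Modify on $LogDir to $Account"
} else {
    Write-Host "$Account already has write access to $LogDir"
}

# Quick end-to-end check (as the task's own account) that a file can be created:
# runas /user:$Account "cmd /c echo test > $LogDir\acltest.txt"
```

The check only sees entries that name the account directly; rights the account receives through group membership (for example Authenticated Users) are not matched, so on a directory that already grants write to a broad group the script will add a redundant entry rather than miss a gap. Scoping the grant to the single log directory keeps the service account's write footprint on the DC limited to that path.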