cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kbc-clearing
Engaged Sweeper
Hello,

I have managed to scan my domain machines with a domain user account instead of a domain admin account. I have granted this user the correct rights so I can remotely access these machines by wmi. This works, I get the wmi information that is needed. However, in the error log in the web interface from the host I get errors on the enumeration of the devices (usbcontroller, cdrom etc).

Does anyone have experience how to set the security for user account to enumerate hardware devices?

Regards,

Paul
9 REPLIES 9
Hemoco
Lansweeper Alumni
Do you have a group policy somewhere with "restricted groups"?
kbc-clearing
Engaged Sweeper
I am lost.
When i put the user directly in the Administrators group I can connect through wmi.
When I put the user in a global group, and I put that global group in the local administrators group, I cannot connect.
Process monitor doesn't show any access denied, I can see the process wmiprvse.exe reading the registry as the NT AUTHORITY\SYSTEM account with no errors.

However, I still cannot connect to wmi.

A member of the Domain Admins group, who are also member of tjhe local Administrators group can connect through wmi.
kbc-clearing
Engaged Sweeper
I don't think I can solve this.
So what I have done is created a global group and placed the lansweeper account in this group. This group I have added to the local Administrators group of every servers.
I Still get errors on the servers. If I add the user directly in the local administrators group I don't get these errors, what's up with that?
We have the policy that we dont put users in local groups, we only put global groups in local groups.
kbc-clearing wrote:
So what I have done is created a global group and placed the lansweeper account in this group. This group I have added to the local Administrators group of every servers.

That should work, that how many people do it.

Maybe the user is also in a group that's denied access somewhere?

You can use sysinternals process monitor to see what's going on when you perform a scan.
Hemoco
Lansweeper Alumni
This page might help (Q8)
http://technet.microsoft.com/en-us/library/ee692772.aspx
kbc-clearing
Engaged Sweeper
So you don't know how I can give a restrictive set of rights to a ordinary user?
I am already able to connect through wmi, the only thing that doesn't work is the enumeration of devices. The enumeration of services is also working. I find a bit "much" to be local administrator for a few wmi requests.
Hemoco
Lansweeper Alumni
The user doesn't need domain admin privileges but he does need administrative permissions on the client to scan.
kbc-clearing
Engaged Sweeper
Hello,

I get this error on the followiing devices:

Usbcontroller Generic failure 03/04/2010 13:07:30
Tape Generic failure 03/04/2010 13:07:30
Scsi Provider failure 03/04/2010 13:07:30
Pcmcia Generic failure 03/04/2010 13:07:29
Infrared Generic failure 03/04/2010 13:07:28
Idecontroller Generic failure 03/04/2010 13:07:28
Diskpartition Generic failure 03/04/2010 13:07:28
Cdrom Generic failure 03/04/2010 13:07:23
Bus Generic failure 03/04/2010 13:07:23
Floppy Generic failure 03/04/2010 13:07:22

I will run the scan on a machine where I have administrative rights.
Hemoco
Lansweeper Alumni
Do you get this for all devices?
you can get CDrom errors if there is no cdrom in the computer.