
Minimum WMI permissions for Domain User Account

To collect events from a Windows machine, start with a user account that is already a member of the “Domain Users” group.

Next, allow remote WMI access so that the account can be used as a service account with restricted permissions.

First, add the user account to the domain groups named “Performance Log Users” and “Event Log Readers”.

Next, set up the access permissions for the user account in the WMI Control configuration:

1. Open the WMI Control console:

Click Start, search for “Run” and type wmimgmt.msc, then click OK.

2. In the console tree, right-click WMI Control and then click Properties.

3. Click the Security tab.

4. Navigate to and select the “\Root\CIMV2” namespace to choose which user or group will have access, and then click the Security button.

In the Security dialog box, click Add.

In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add, click OK and then choose Advanced.

In the Advanced Security dialog box under Permissions, edit the permissions and check the following check boxes:

  • “Execute Methods”

  • “Enable Account”

  • “Remote Enable”

  • “Read Security”

For Apply to, select “This namespace and subnamespaces”.

Click OK 4 times to close all the windows.

Windows Firewall Rules for Inbound and Outbound

Enable the following inbound rules:

  • Windows Management Instrumentation (DCOM-In)

  • Windows Management Instrumentation (WMI-In)

Enable the following outbound rule:

  • Windows Management Instrumentation (WMI-Out)
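
The namespace permissions and firewall rules above can be audited from an elevated PowerShell prompt on the monitored machine. This is an added example, not part of the original page; the account name CONTOSO\svc-wmi is a placeholder, and it assumes the permissions were granted to the account directly rather than through a group.

```powershell
# Added audit example: compares the account's rights on root\cimv2 with the
# four rights this page grants, then lists the state of the firewall rules.
# ASSUMPTION: 'CONTOSO\svc-wmi' is a placeholder for your service account.
$Account   = 'CONTOSO\svc-wmi'
$Namespace = 'root/cimv2'

# WMI namespace access-mask bits, named as the WMI Control dialog shows them.
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
$Expected = 'Enable Account', 'Execute Methods', 'Remote Enable', 'Read Security'

# Read the namespace security descriptor (the same data the Security tab edits).
$sd = (Invoke-CimMethod -Namespace $Namespace -ClassName __SystemSecurity `
        -MethodName GetSecurityDescriptor).Descriptor

# Keep only "allow" ACEs (AceType 0) whose trustee is the service account.
$aces = @($sd.DACL | Where-Object {
    $_.AceType -eq 0 -and "$($_.Trustee.Domain)\$($_.Trustee.Name)" -eq $Account
})
if (-not $aces) { Write-Warning "No allow ACE for $Account on $Namespace" }

foreach ($ace in $aces) {
    $granted = @($Rights.Keys | Where-Object { $ace.AccessMask -band $Rights[$_] })
    [pscustomobject]@{
        Granted   = $granted -join ', '
        Missing   = @($Expected | Where-Object { $_ -notin $granted }) -join ', '
        Excess    = @($granted  | Where-Object { $_ -notin $Expected }) -join ', '
        Subspaces = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE
    }
}

# Report whether each firewall rule named on this page is enabled.
'Windows Management Instrumentation (DCOM-In)',
'Windows Management Instrumentation (WMI-In)',
'Windows Management Instrumentation (WMI-Out)' | ForEach-Object {
    Get-NetFirewallRule -DisplayName $_ -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Enabled, Profile
}
```

An empty Missing and Excess column with Subspaces set to True matches the configuration described here; any entry under Excess (for example a write right) means the account holds more than the minimum.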