Creating a Service Account that will access WMI / LDAP information

Discussion in 'Windows Server' started by Eric Chatham, Aug 20, 2008.

  1. Eric Chatham

    Eric Chatham Guest

    Hello,

    I currently am using my Domain Admin account to run a scheduled task. The
    scheduled task is a VB Script that accesses WMI information and LDAP
    information from a few Domain Controllers and Servers. How would I set up a
    service account with the appropriate permissions to access this information
    on each DC and member server? I'd like to stop using my Domain Admin
    account for the scheduled task. If you would like me to post the VB Code to
    see it more closely, let me know. Thanks.

    This topic was started here originally:
    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3713409&SiteID=17&m
     
    Eric Chatham, Aug 20, 2008
    #1

  2. Eric Chatham

    Eric Chatham Guest

    This is still not working for me when I try to create a scheduled task on a
    domain controller. The user account I'm using for the service account is not
    a member of any groups other than {Domain Users}.

    I did, however, find a way to allow WMI access on a remote server without
    adding the user account in question to an Administrative group (which is
    the goal for the service account). The only problem I'm having now is using
    this service account to run a scheduled task on a domain controller.

    Here is what I did to allow WMI access on a remote Server:

    To set up the user ‘secmanager’ to access WMI without adding the user to an
    Administrative group, follow the steps below.

    1. Click Start, click Run, type wmimgmt.msc in the Open box, and then click
    OK.
    2. Right-click WMI Control, and then click Properties.
    3. Click the Security tab.
    4. Expand the Root folder, select the CIMV2 folder, and then click Security.
    5. Click Add. Type the user name you wish to use in the Enter the object
    names to select box, click Check Names to verify your entry or entries, and
    then click OK.
    6. In the Permissions for User list, click the Allow check box next to the
    following permissions:
    Execute Methods
    Enable Account
    Remote Enable
    Read Security
    7. Click Advanced. In the Permission entries list, select the user you
    added in step 5, and then click Edit.
    8. In the Apply onto box, click This namespace and subnamespaces.
    9. Click OK three times.
    10. Quit the WMI Control snap-in.

    ---
    11. Click Start, click Run, type dcomcnfg.exe in the Open box, and then
    click OK.
    12. Select Component Services and then expand it. Then expand Computers.
    Right-click My Computer and select Properties.
    13. Select the COM Security tab.
    14. In the Access Permissions section, click Edit Limits....
    15. Click Add. Type the user name you wish to use in the Enter the object
    names to select box, click Check Names to verify your entry or entries, and
    then click OK.
    16. In the Permissions for User list, click the Allow check box next to the
    following permissions:
    Local Access
    Remote Access
    Click OK.
    17. In the Launch and Activation Permissions section, click Edit Limits....
    18. Click Add. Type the user name you wish to use in the Enter the object
    names to select box, click Check Names to verify your entry or entries, and
    then click OK.
    19. In the Permissions for User list, click the Allow check box next to the
    following permissions:
    Local Launch
    Remote Launch
    Local Activation
    Remote Activation
    Click OK twice.
    20. Expand My Computer and expand DCOM Config.
    21. Right-click Windows Management and Instrumentation and click Properties.
    22. Click the Security tab.
    23. In the Access Permissions section, click Edit....
    24. Click Add. Type the user name you wish to use in the Enter the object
    names to select box, click Check Names to verify your entry or entries, and
    then click OK.
    25. In the Permissions for User list, click the Allow check box next to the
    following permissions:
    Local Access
    Remote Access
    Click OK twice.
    26. Quit the Component Services snap-in.
    27. Restart the target computer.
     
    Eric Chatham, Aug 20, 2008
    #2
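The WMI-namespace part of the procedure in the post above (steps 1 to 10: Enable Account, Execute Methods, Remote Enable and Read Security on root\cimv2, applied to the namespace and its subnamespaces) can be scripted instead of clicked through in wmimgmt.msc. The script below is an added example, not code from the original post; it uses the namespace's __SystemSecurity class, in the same way the widely circulated SetWmiNamespaceSecurity.ps1 script does. The account name CONTOSO\secmanager, the host name dc01 and the function names are assumptions for illustration. It has to be run once by someone who already holds Edit Security on the namespace (an administrator of the target); the service account it grants rights to never needs to be in an administrative group.

```powershell
# Added example (not from the original post): grant a non-admin account the
# WMI namespace rights from steps 1-10 above, using the __SystemSecurity
# class of the namespace. CONTOSO\secmanager and dc01 are assumed names.

# Access-mask bits for WMI namespace security. The first three are WBEM_*
# rights from wbemcli.h; READ_CONTROL is the standard right that the WMI
# Control snap-in labels "Read Security".
$WBEM_ENABLE         = 0x00001   # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x00002   # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x00020   # "Remote Enable"
$READ_CONTROL        = 0x20000   # "Read Security"

$ACCESS_ALLOWED_ACE_TYPE = 0x0
$CONTAINER_INHERIT_ACE   = 0x2   # "This namespace and subnamespaces" (step 8)

function Get-WmiNamespaceSecurity {
    # Fetch the namespace's security descriptor (Win32_SecurityDescriptor).
    param([string]$Namespace, [string]$ComputerName)
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
            -ComputerName $ComputerName -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($r.ReturnValue)" }
    return $r.Descriptor
}

function Grant-WmiNamespaceAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [string]$Account,   # DOMAIN\user
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = '.'
    )
    # Resolve the account to its SID on the target (what "Check Names" does).
    $domain, $user = $Account -split '\\', 2
    $acct = Get-WmiObject -Class Win32_Account -ComputerName $ComputerName `
                -Filter "Domain='$domain' AND Name='$user'"
    if (-not $acct) { throw "Account not found on ${ComputerName}: $Account" }

    $sd = Get-WmiNamespaceSecurity -Namespace $Namespace -ComputerName $ComputerName

    # Make the grant idempotent: do nothing if the SID already has an ACE.
    foreach ($existing in @($sd.DACL)) {
        if ($existing.Trustee.SIDString -eq $acct.Sid) {
            Write-Verbose "ACE for $Account already present in $Namespace"
            return $false
        }
    }

    # Build the Allow ACE (steps 5-8) and append it to the DACL.
    $trustee = ([wmiclass]"\\$ComputerName\root\cimv2:Win32_Trustee").CreateInstance()
    $trustee.SIDString = $acct.Sid
    $ace = ([wmiclass]"\\$ComputerName\root\cimv2:Win32_ACE").CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject

    # Write the descriptor back (step 9).
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
            -ComputerName $ComputerName -Name SetSecurityDescriptor `
            -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($r.ReturnValue)" }
    return $true
}

function Get-WmiNamespaceAccessMask {
    # Read the DACL back and return the access mask granted to the account
    # (as hex), or $null if no ACE names it. Use this to verify the grant.
    param([string]$Account, [string]$Namespace = 'root\cimv2', [string]$ComputerName = '.')
    $sd = Get-WmiNamespaceSecurity -Namespace $Namespace -ComputerName $ComputerName
    foreach ($ace in @($sd.DACL)) {
        if ("$($ace.Trustee.Domain)\$($ace.Trustee.Name)" -eq $Account) {
            return ('0x{0:X}' -f $ace.AccessMask)
        }
    }
    return $null
}

# Usage (assumed names); run from an account that is an administrator of dc01.
Grant-WmiNamespaceAccess   -Account 'CONTOSO\secmanager' -ComputerName 'dc01' -Verbose
Get-WmiNamespaceAccessMask -Account 'CONTOSO\secmanager' -ComputerName 'dc01'
```

The four Allow boxes in step 6 are just four bits OR'd into one access mask (0x1, 0x2, 0x20 and 0x20000, i.e. 0x20023), which is what Get-WmiNamespaceAccessMask returns once the ACE is in place; anything more (Full Write, Partial Write, Provider Write, Edit Security) stays off, which is the least-privilege point of doing this instead of adding the account to Administrators. The DCOM "Edit Limits" grants in steps 11 to 19 are what the built-in local group Distributed COM Users already holds on Windows Server 2003 SP1 and later, so `net localgroup "Distributed COM Users" CONTOSO\secmanager /add` on the target covers them without editing the machine-wide limits by hand; steps 20 to 25 (the per-application permissions on Windows Management and Instrumentation) are still a dcomcnfg step here. One caveat for the scheduled-task half of the problem: Task Scheduler starts a task under a batch logon, so the account needs the "Log on as a batch job" user right on the machine running the task, which on a domain controller is governed by the Default Domain Controllers Policy; that right is separate from "Log on as a service".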

  3. Eric Chatham

    Eric Chatham Guest

    Here are some other things I tried, that failed:

    Adding the service account to the "Log on as a service" on Domain Controller
    Policy. I also tried the "Act as part of the operating system" in the Domain
    Controller Policy. Do I need to be rebooting these domain controllers after
    I add them into the policy? I haven't, if so.
     
    Eric Chatham, Aug 20, 2008
    #3
  4. Eric Chatham

    Eric Chatham Guest

    I found out what was wrong. The script I had running in the scheduled task
    didn't have "write" permissions to the log directory. Isn't there a log file
    for Task Scheduler? I can't seem to find it.
     
    Eric Chatham, Aug 21, 2008
    #4
