This article lists the steps required to configure Windows servers to allow remote PowerShell access for a non-privileged user account. This is particularly useful when configuring GSX Monitor with an account that is not a member of the Local Administrators group, because the security settings need to be updated for the default Windows PowerShell endpoint, the default WMI namespace and the Windows Service Configuration Manager.
Instructions
We will go through four procedures:
1 - Allowing the user to access the remote PowerShell Windows Endpoint.
2 - Granting access to WMI Counters.
3 - Allowing Windows Service Configuration Manager Access.
4 - Finally, validating the remote PowerShell connectivity.
- Since the introduction of version 10.7.0, GSX Monitor uses PowerShell to collect Windows related statistics like performance counters, Windows Services status and disk space for increased stability and reliability.
- In this article, we concentrate exclusively on adjusting user rights settings.
- You will still need to comply with the monitored platform standard prerequisites listed in our online help.
- The changes listed in this article have to be applied on all monitored servers.
- As a workaround, you can use a Local Administrator account, especially from a “proof of concept” perspective or for testing.
1 - Allowing remote PowerShell Windows Endpoint access
- Open a PowerShell session as Administrator.
- Execute the following command to open the PowerShell Endpoint security window:
- Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
- Click Add.
- Select the user to add to the list.
- Enable Read and Execute permissions.
- Click OK to apply your change.
See http://blogs.msdn.com/b/powershell/archive/2009/11/23/you-don-t-have-to-be-an-administrator-to-run-remote-powershell-commands.aspx for details.
2 - Allowing WMI counters access
We need to allow the user to access the WMI counters. First, add the user account to the local group named Performance Log Users:
- Open the Computer Management console (compmgmt.msc).
- Go to Local Users and Groups.
- Expand Groups.
- Locate the Performance Log Users group.
- Double-click on the group name to add the desired user to the Members list.
- Click OK to save the configuration.
Then we also need to adjust WMI Control settings to allow the user to have access.
- From the Computer Management console, expand Services and Applications.
- Right-click on WMI Control and then click Properties to open the WMI configuration.
- Open the Security tab.
- Select the \Root\CIMV2 namespace.
- Click on Security to choose which user or group will be granted access.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) you want to add.
- Click OK.
- Click Advanced to open the Advanced Security Settings dialog box.
- On the Permissions tab, select the desired user in Permissions entries.
- Click Edit.
- Set Type to Allow, set "Applies to" to "This namespace and subnamespaces", and select the Execute Methods, Enable Account and Remote Enable options.
- Click OK to close all windows and apply the changed settings.
See http://technet.microsoft.com/en-us/library/cc771551.aspx for more details.
3 - Allowing Windows Service Configuration Manager Access
We need to grant the user Windows Service Configuration Manager Access.
Run a Command Prompt as Administrator, and execute the following command:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
See http://support.microsoft.com/kb/907460/en-us for more details.
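To see what the security descriptor in step 3 grants, the following added example (not part of the original article or of GSX Monitor) decodes that SDDL string in PowerShell. The function names ConvertFrom-ScmSddl and Expand-SddlCode are hypothetical, and the lookup tables cover only the codes this string uses.

```powershell
# Added example: decode the SCMANAGER SDDL string from step 3 into readable ACEs.
# The string is copied from this article; function names are hypothetical.
$sddl = 'D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'

# SDDL right codes as the Service Control Manager interprets them.
$rights = @{
    KA = 'SC_MANAGER_ALL_ACCESS'
    GA = 'GENERIC_ALL'
    CC = 'SC_MANAGER_CONNECT'
    LC = 'SC_MANAGER_ENUMERATE_SERVICE'
    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'
    WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    RC = 'READ_CONTROL'
}
$trustees = @{ AU = 'Authenticated Users'; SY = 'Local System'
               BA = 'Builtin Administrators'; WD = 'Everyone' }
$aceTypes = @{ A = 'Allow'; AU = 'Audit' }
$aceFlags = @{ OI = 'ObjectInherit'; IO = 'InheritOnly'
               FA = 'FailedAccess'; SA = 'SuccessfulAccess' }

function Expand-SddlCode([string]$Text, [hashtable]$Table) {
    # Walk the field two characters at a time; unknown codes stay visible as "?XX".
    for ($i = 0; $i -lt $Text.Length; $i += 2) {
        $code = $Text.Substring($i, [Math]::Min(2, $Text.Length - $i))
        if ($Table.ContainsKey($code)) { $Table[$code] } else { "?$code" }
    }
}

function ConvertFrom-ScmSddl([string]$Sddl) {
    # Split into the DACL (D:) and SACL (S:) sections, then into individual ACEs.
    foreach ($section in [regex]::Matches($Sddl, '([DS]):((?:\([^)]*\))+)')) {
        $acl = if ($section.Groups[1].Value -eq 'D') { 'DACL' } else { 'SACL' }
        foreach ($ace in [regex]::Matches($section.Groups[2].Value, '\(([^)]*)\)')) {
            # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
            $f = $ace.Groups[1].Value.Split(';')
            $who = if ($trustees.ContainsKey($f[5])) { $trustees[$f[5]] } else { $f[5] }
            [pscustomobject]@{
                Acl     = $acl
                Type    = $aceTypes[$f[0]]
                Flags   = (Expand-SddlCode $f[1] $aceFlags) -join ','
                Rights  = (Expand-SddlCode $f[2] $rights) -join ','
                Trustee = $who
            }
        }
    }
}

ConvertFrom-ScmSddl $sddl | Format-Table -AutoSize
```

The first row shows that the connect, enumerate, query-lock-status and read-control rights go to every authenticated user, not only to the monitoring account. Because sc sdset replaces the existing descriptor, the output of sc sdshow SCMANAGER captured beforehand can be decoded the same way for comparison or rollback.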
4 - Validating remote PowerShell connectivity
To validate remote PowerShell connectivity from the system that is running GSX Monitor, open a PowerShell console and enter the following commands:
- $s = New-PSSession -ConfigurationName Microsoft.PowerShell -ConnectionUri http://YourServerName:5985/wsman -Credential (Get-Credential) -Authentication Kerberos
- Enter-PSSession $s
- Get-Counter -ListSet *
- Get-WmiObject -Query "SELECT Name, Description, State, AcceptStop, AcceptPause FROM Win32_Service"
You should obtain the list of Windows Performance Counters and Services.