8

I'm trying to find processes on 3 terminal servers which have certain words in their $_.commandline property. Under my domain admin account, it worked OK. But I want this script to be usable for domain users, and domain users get an error when running this script.

What should I do, so that domain users can run this script just like domain admins? Thanks in advance!

Error:

Get-WmiObject : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At N:\FindWhoIsUsing\FindWhoIsUsing.ps1:7 char:18
get-wmiobject <<<<  win32_process -computername $server -EnableAllPrivileges|
CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException
FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

PowerShell code:

Write-host "Who is using this profile?"
$profile = Read-host "specify profile name" 
$servers = @("server-01","server-02","server-03")
Foreach($server in $servers)
{
    Write-host $server
    get-wmiobject win32_process -computername $server -EnableAllPrivileges|
    where{$_.name -like "*Processname*" -and
    $_.CommandLine -like "*$profile*"}|
    select @{n="Server";e={$server}},@{n="User";e={$_.getowner().user}},@{n="ProcessID";e= {$_.ProcessID}},{$_.CommandLine}|fl
}
Write-host "DONE Searching!"
bookends
  • Domain users obviously lack all the privileges that domain admins have; you will need to grant them the required access by adding them to the relevant groups. – Musaab Al-Okaidi Feb 19 '13 at 08:27
  • Yeah, I agree with you. But the question is, how?:) I certainly don't want to add all domain users into domain admins, right? There must be some place for WMI control specifically, but I don't know how to configure it. Actually I messed around in the wmimgmt.msc on the target servers a bit, but got no luck, maybe it's the right place but I just didn't do it right. – bookends Feb 19 '13 at 08:33

2 Answers

16

OK, here are the steps:

  1. Launch "wmimgmt.msc"
  2. Right-click on "WMI Control (Local)" then select Properties
  3. Go to the "Security" tab and select "Security" then "Advanced" then "Add"
  4. Select the user name(s) or group(s) you want to grant access to the WMI and click ok
  5. Grant the required permissions. I recommend starting off by granting all permissions to ensure that access is given, then removing permissions later as necessary.
  6. Ensure the "Apply to" option is set to "This namespace and subnamespaces"
  7. Save and exit all prompts
  8. Add the user(s) or group(s) to the Local "Distributed COM Users" group. Note: The "Authenticated Users" and "Everyone" groups cannot be added here, so you can alternatively use the "Domain Users" group.
Musaab Al-Okaidi
  • There're 4 groups there: admin's, authenticated users, local service and network service, which one's permission should be updated? – bookends Feb 19 '13 at 09:29
  • That should be the "authenticated users". You can also add the "Everyone" group. – Musaab Al-Okaidi Feb 19 '13 at 09:37
  • I added "everyone" there and toggled on all the "allow" checkboxes for it. I also made sure that the "Apply to" option is set to "This namespace and subnamespaces" for "everyone". I thought it should be enough for domain users, but it didn't work, the error just stayed the same... – bookends Feb 20 '13 at 08:24
  • 1
    Add the user(s) or group(s) to the Local "Distributed COM Users" group... this did the trick here! Although I'm not getting the result I want, I don't have the "Access Denied" error any longer. Thanks for the help! – bookends Feb 21 '13 at 05:39
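
A read-only check of the two settings the answer above changes (the namespace ACL from steps 1-7 and the "Distributed COM Users" membership from step 8), as an added example that is not part of the original answer. The group name `CONTOSO\ProcessViewers` is a hypothetical placeholder, the script is assumed to run elevated on each target server with PowerShell 5.1 or later, and it treats Enable Account plus Remote Enable as the baseline for a remote read-only query (an assumption of this example), so an ACE left at "all permissions" from step 5 stands out.

```powershell
# Added example: audit the WMI namespace ACL and DCOM group membership locally.
param(
    [string]$Group     = 'CONTOSO\ProcessViewers',  # hypothetical placeholder
    [string]$Namespace = 'root\cimv2'               # Win32_Process lives here
)

# WMI namespace access-mask bits, named as on the wmimgmt.msc Security tab
$rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
$baseline = 0x1 -bor 0x20   # assumed baseline: Enable Account + Remote Enable

# Steps 1-7: read the namespace DACL and list every ACE for the group
$sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name GetSecurityDescriptor).Descriptor
$name = $Group.Split('\')[-1]
$aces = @($sd.DACL | Where-Object { $_.Trustee.Name -eq $name })
if (-not $aces) { Write-Warning "No ACE for $Group on $Namespace" }

foreach ($ace in $aces) {
    $mask = $ace.AccessMask
    [pscustomobject]@{
        Trustee        = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        Type           = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights         = ($rights.Keys | Where-Object { $mask -band $rights[$_] }) -join ', '
        Subnamespaces  = [bool]($ace.AceFlags -band 0x2)       # CONTAINER_INHERIT_ACE
        BeyondBaseline = (($mask -bor $baseline) -ne $baseline) # extra rights granted
    }
}

# Step 8: is the group a member of the local "Distributed COM Users" group?
$members = Get-LocalGroupMember -Group 'Distributed COM Users' -ErrorAction Stop
[pscustomobject]@{
    Group       = $Group
    InDcomUsers = [bool]($members | Where-Object { $_.Name -eq $Group })
}
```

`BeyondBaseline = True` on an Allow ACE means the group still holds rights such as Execute Methods or Edit Security that can be removed once access is confirmed working.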
0

In my case, I was connecting from a Domain server to a Workgroup server and needed to set a registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy=1