GPO: Domain Prep For Monitoring

Description:

This GPO is used when you want to set up a monitoring application like PRTG Network Monitor, Spiceworks, or Zabbix. It essentially opens the ports on domain-joined computers so that you can query them remotely.

To Resolve:

  1. Remote into the Domain Controller and open up Group Policy Management.

  2. Navigate to Forest:ForestName – Domains – (YourDomainName). Right-click on your domain name and choose the option “Create a GPO and link it here”. Call it “WMIPermissions”.

  3. Right Click WMIPermissions in the list and choose “edit”.

  4. Navigate to: Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – Security Options.

  5. On the right, click on “DCOM: Machine Access Restrictions in Security Descriptor…” and open it up. Check the box for “Define this setting” and click on the “edit security” button.

  6. Click “Add” and add the domain admin credentials. OK. In the “group or user names” select the domain admin. In the permissions for Administrators field, ensure there is a checkmark in Allow for “remote access”. OK. OK.

  7. On the right, click on “DCOM: Machine Launch Restrictions in Security Descriptor…” and open it up. Check the box for “Define this setting” and click on the “edit security” button.

  8. Click “Add” and add the domain admin credentials. OK. In the “group or user names” select the domain admin. In the permissions for Administrators field, ensure there is a checkmark in Allow for “remote launch” and “remote activation”. OK. OK.

  9. This may not be necessary, but I also go to: Computer Config – Policies – Windows Settings – Security Settings – Windows Firewall with Advanced Security – Windows Firewall with Advanced Security – Inbound Rules node.

  10. Right click on the right UI – New Rule – Predefined Option – WMI – Check all – Allow the connection.

  11. Now navigate to: Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall – Domain Profile. Enable:

  • Windows Firewall: Enable remote administration
  • Windows Firewall: All ICMP exceptions – check all the options.
  12. Close out of everything and wait for the domain policy to replicate (usually about 15 minutes). You can run “gpupdate /force” and then “gpresult /r” on the clients to make sure the settings applied.
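
To confirm on a client what the GPO actually applied after the final step, and to see exactly which principals now hold remote DCOM rights, the following PowerShell is an added example and not part of the original post. It assumes the two DCOM security options are stored as SDDL strings in the MachineAccessRestriction and MachineLaunchRestriction values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and an English-language Windows build for the firewall group name.

```powershell
# Added verification example: run in an elevated PowerShell 5.1+ session on a
# domain-joined client after "gpupdate /force".
$dcomKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'

function Get-DcomPolicyAce {
    param([Parameter(Mandatory)][string]$ValueName)

    # Assumption: the GPO stores each DCOM restriction as an SDDL string here.
    $sddl = (Get-ItemProperty -Path $dcomKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $sddl) {
        Write-Warning "$ValueName is not defined by policy on this machine."
        return
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to a name; fall back to the raw SID if it cannot be resolved.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        [pscustomobject]@{
            Setting          = $ValueName
            Principal        = $who
            AceType          = $ace.AceType
            # COM_RIGHTS_EXECUTE_REMOTE (0x4): "remote access" / "remote launch"
            Remote           = [bool]($ace.AccessMask -band 0x4)
            # COM_RIGHTS_ACTIVATE_REMOTE (0x10): "remote activation"
            RemoteActivation = [bool]($ace.AccessMask -band 0x10)
        }
    }
}

# One row per ACE: who is allowed (or denied) remote access, launch and activation.
'MachineAccessRestriction', 'MachineLaunchRestriction' |
    ForEach-Object { Get-DcomPolicyAce -ValueName $_ } |
    Format-Table -AutoSize

# Inbound rules from the predefined WMI group, as seen in the effective policy.
# The group name is the English display name; it differs on localized builds.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile, Action, PolicyStoreSourceType |
    Format-Table -AutoSize
```

Rules delivered by the GPO show GroupPolicy in the PolicyStoreSourceType column. Any principal in the first table that you did not add in the DCOM steps is worth reviewing.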
