The following minimum permissions are required for Windows assets to perform directory password management and session management tasks using Windows Management Instrumentation (WMI).
NOTE: Microsoft has started hardening DCOM servers which may change your configuration decisions. For more information, see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.
Asset password management
Using a local account or domain account:
- (Only applies to Windows Desktop and Windows Server) Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
  - Remote Enable permission on WMI's CIMV2 Namespace
  - Enable Account permission on WMI's CIMV2 Namespace
  - Remote Activation permission on the computer via DCOM
To set Remote Enable and Enable Account permissions
- Open wmimgmt.msc.
- Right-click WMI Control (Local) and select Properties.
- Select the Security tab.
- Expand the Root node.
- Select the CIMV2 node.
- Click the Security button.
- Add user/group and select Remote Enable and Enable Account.
- Click OK.
To set Remote Activation permissions
- Open dcomcnfg.
- Expand Component Services > Computers.
- Right-click My Computer and select Properties.
- Open the COM Security tab.
- Under Launch and Activation Permissions, select Edit Limits.
- Add user/group and select Allow for Remote Activation.
- Click OK.
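The two procedures above grant the rights through the GUI. The following PowerShell script is an added example, not taken from the product documentation, that audits whether a given principal actually holds Remote Enable and Enable Account on root\cimv2 (read through the same __SystemSecurity descriptor that wmimgmt.msc edits) and Remote Activation in the machine-wide DCOM launch limits (the MachineLaunchRestriction value that the Edit Limits dialog writes). It evaluates only ACEs granted directly to the principal's SID; rights obtained through group membership are not resolved. The principal name is an assumed example, and the script is meant to run elevated on the asset itself.

```powershell
# Added example (not part of the product documentation): audit a principal's direct
# WMI root\cimv2 namespace rights and DCOM Remote Activation right on this machine.
param(
    [Parameter(Mandatory)][string]$Principal   # e.g. 'CONTOSO\svc-safeguard' (assumed example name)
)

# Resolve the account to a SID so ACE comparison does not depend on name formatting.
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# WMI namespace access-mask bits (WbemCli.h).
$WBEM_ENABLE        = 0x1    # shown as "Enable Account" in wmimgmt.msc
$WBEM_REMOTE_ACCESS = 0x20   # shown as "Remote Enable" in wmimgmt.msc

# DCOM launch/activation access-mask bit for "Remote Activation" in dcomcnfg.
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10

function Test-WmiNamespaceRights {
    # Read the DACL of root\cimv2 via the __SystemSecurity class.
    $sd = (Invoke-CimMethod -Namespace 'root/cimv2' -ClassName '__SystemSecurity' `
                            -MethodName 'GetSecurityDescriptor').Descriptor
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.SIDString -ne $sid) { continue }
        if ($ace.AceType -eq 0)     { $allow = $allow -bor $ace.AccessMask }  # ACCESS_ALLOWED_ACE
        elseif ($ace.AceType -eq 1) { $deny  = $deny  -bor $ace.AccessMask }  # ACCESS_DENIED_ACE
    }
    $effective = $allow -band (-bnot $deny)   # a deny ACE wins over an allow ACE
    [pscustomobject]@{
        EnableAccount = [bool]($effective -band $WBEM_ENABLE)
        RemoteEnable  = [bool]($effective -band $WBEM_REMOTE_ACCESS)
    }
}

function Test-DcomRemoteActivation {
    # "Edit Limits" under Launch and Activation Permissions stores a self-relative
    # security descriptor in this REG_BINARY value.
    $raw = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'MachineLaunchRestriction' `
                             -ErrorAction SilentlyContinue).MachineLaunchRestriction
    if (-not $raw) {
        # Value absent: the limits were never edited and the Windows defaults apply,
        # which do not grant Remote Activation to an arbitrary account.
        return $null
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $sid) { continue }
        switch ($ace.AceType) {
            'AccessAllowed' { $allow = $allow -bor $ace.AccessMask }
            'AccessDenied'  { $deny  = $deny  -bor $ace.AccessMask }
        }
    }
    [bool](($allow -band (-bnot $deny)) -band $COM_RIGHTS_ACTIVATE_REMOTE)
}

$wmi  = Test-WmiNamespaceRights
$dcom = Test-DcomRemoteActivation
$dcomText = if ($null -eq $dcom) { 'not set (Windows defaults apply)' } else { $dcom }

[pscustomobject]@{
    Principal            = $Principal
    SID                  = $sid
    WmiEnableAccount     = $wmi.EnableAccount
    WmiRemoteEnable      = $wmi.RemoteEnable
    DcomRemoteActivation = $dcomText
}
```

Run it as `.\Test-WmiDcomRights.ps1 -Principal 'CONTOSO\svc-safeguard'` (file and account name are assumed). A `False` for either WMI right means the wmimgmt.msc steps were not applied to the CIMV2 node specifically, and a `False` or "not set" for DCOM means the Edit Limits step was skipped or applied to Edit Default instead.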
- Password change task requires the following permission:
  - Member of Local Administrators group
Domain password management
Using a Domain account:
- Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
  - Member of Domain Users
- Password change task requires that the Service account has the following delegated permissions:
  - LockoutTime (Read/Write)
  - Account Restrictions (Read/Write)
  - Reset Password
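The three delegated permissions above are object-specific ACEs on the OU (or domain) that holds the managed accounts. The following PowerShell script is an added example, not taken from the product documentation, that verifies the service account holds them. It resolves the GUIDs for the lockoutTime attribute, the Account Restrictions property set and the Reset Password control access right from the forest schema and configuration partition rather than hard-coding them, then reads the OU's ACL with the ActiveDirectory module's AD: drive. It requires the RSAT ActiveDirectory module; the OU distinguished name and service account name are assumed examples, and ACEs granted to groups the account belongs to are not resolved.

```powershell
# Added example (not part of the product documentation): verify that a service
# account has been delegated lockoutTime (read/write), Account Restrictions
# (read/write) and Reset Password on the OU holding the managed user accounts.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-safeguard',                # assumed example name
    [string]$TargetOU       = 'OU=Managed Accounts,DC=contoso,DC=com' # assumed example OU
)
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look the GUIDs up in this forest instead of hard-coding them.
function Get-AttributeGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$obj.schemaIDGUID)
}
function Get-ControlAccessRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$lockoutTimeGuid   = Get-AttributeGuid 'lockoutTime'
$userClassGuid     = Get-AttributeGuid 'user'            # "Descendant User objects" inheritance
$accountRestrGuid  = Get-ControlAccessRightGuid 'Account Restrictions'
$resetPasswordGuid = Get-ControlAccessRightGuid 'Reset Password'

$acl = Get-Acl -Path "AD:\$TargetOU"
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

function Test-Delegation {
    param([guid]$ObjectType, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $mask = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so that 'DOMAIN\name' vs. 'name@domain' formatting does not matter.
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($aceSid -ne $sid) { continue }
        # An empty ObjectType means the ACE applies to every property/right (e.g. Full Control).
        if ($ace.ObjectType -ne $ObjectType -and $ace.ObjectType -ne [guid]::Empty) { continue }
        # Accept ACEs that apply to all descendants or specifically to user objects.
        if ($ace.InheritedObjectType -ne [guid]::Empty -and $ace.InheritedObjectType -ne $userClassGuid) { continue }
        $mask = $mask -bor [int]$ace.ActiveDirectoryRights
    }
    ($mask -band [int]$Rights) -eq [int]$Rights
}

$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

[pscustomobject]@{
    ServiceAccount              = $ServiceAccount
    TargetOU                    = $TargetOU
    LockoutTimeReadWrite        = Test-Delegation $lockoutTimeGuid   $readWrite
    AccountRestrictionsReadWrite = Test-Delegation $accountRestrGuid $readWrite
    ResetPassword               = Test-Delegation $resetPasswordGuid ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}
```

The rights are accumulated across all matching ACEs, because the Delegation of Control wizard often writes read and write as separate entries. If the accounts live in several OUs, run the script once per OU; a delegation placed on a parent container is inherited and will still be found in the child's ACL.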
Asset session access
Using a local account:
- Member of Remote Desktop Users group
- Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
- Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)
Using a Domain account:
- Member of the Remote Desktop Users group, either directly or through a domain security group that a Group Policy update adds to the Remote Desktop Users group on that asset
- Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
- Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)
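The three session-access conditions above combine local group membership with two user-rights assignments. The following PowerShell script is an added example, not taken from the product documentation, that checks all three on the local asset: it resolves the account's SID, adds the SIDs of every local group that contains it (so a domain group placed into Remote Desktop Users by Group Policy is honoured), exports the user-rights assignments with `secedit`, and reports whether the account or one of those groups appears in SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services") and SeDenyRemoteInteractiveLogonRight ("Deny log on through Remote Desktop Services"). Nested membership inside domain groups is not resolved. The account name is an assumed example; the script needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and must run elevated because `secedit /export` requires administrative rights.

```powershell
# Added example (not part of the product documentation): check the session-access
# conditions for an account on the local asset.
param([string]$Account = 'CONTOSO\svc-session')   # assumed example name

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# The SIDs the account carries on this machine: itself plus every local group that lists it.
$candidateSids = @($sid)
foreach ($group in Get-LocalGroup) {
    try { $members = Get-LocalGroupMember -Group $group -ErrorAction Stop } catch { continue }
    if ($members.SID.Value -contains $sid) { $candidateSids += $group.SID.Value }
}

# Export the user-rights assignments; secedit writes "*SID" lists per privilege.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$content = Get-Content -Path $inf
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Get-RightSids([string]$Right) {
    $line = $content | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')
        if ($entry -like 'S-1-*') { $entry }
        else {
            # Rare: an unresolved name instead of a SID; try to translate it.
            try { (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value }
            catch { $entry }
        }
    }
}

$allowSids = Get-RightSids 'SeRemoteInteractiveLogonRight'
$denySids  = Get-RightSids 'SeDenyRemoteInteractiveLogonRight'

$remoteDesktopUsersSid = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
$memberOfRdp = $candidateSids -contains $remoteDesktopUsersSid
$allowed = [bool]($candidateSids | Where-Object { $allowSids -contains $_ })
$denied  = [bool]($candidateSids | Where-Object { $denySids  -contains $_ })

[pscustomobject]@{
    Account                    = $Account
    MemberOfRemoteDesktopUsers = $memberOfRdp
    AllowLogOnThroughRDS       = $allowed
    DenyLogOnThroughRDS        = $denied
    SessionAccessExpected      = ($memberOfRdp -and $allowed -and -not $denied)
}
```

`DenyLogOnThroughRDS` being `True` overrides everything else: a deny assignment blocks the session even when the account is in Remote Desktop Users and in the allow list, which is why the page lists the negative condition separately.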