The following minimum permissions are required for Windows assets to perform directory password management and sessions management tasks using Windows Management Instrumentation (WMI).

NOTE: Microsoft has started hardening DCOM servers which may change your configuration decisions. For more information, see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.

Asset password management

Using a local account or domain account:

  • (Only applies to Windows Desktop and Windows Server) Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
    • Remote Enable permission on WMI's CIMV2 Namespace
    • Enable Account permission on WMI's CIMV2 Namespace

    • Remote Activation permission on computer via DCOM.

      To set Remote Enable and Enable Account permissions

      1. Open wmimgmt.msc.
      2. Right-click WMI Control (Local) and select Properties.
      3. Select the Security tab.
      4. Expand the Root node.
      5. Select the CIMV2 node.
      6. Click the Security button.
      7. Add user/group and select Remote Enable and Enable Account.
      8. Click OK.

      To set Remote Activation permissions

      1. Open dcomcnfg.
      2. Expand Component Services > Computers.
      3. Right-click My Computer and select Properties.
      4. Open the COM Security tab.
      5. Under Launch and Activation Permissions, select Edit Limits.
      6. Add user/group and select Allow for Remote Activation.
      7. Click OK.
  • Password change task requires the following permission:
    • Member of Local Administrators group
Domain password management

Using a Domain account:

  • Test connection, Check connection, Password check, and Account discovery tasks require the following permissions:
    • Member of Domain Users
  • Password change task requires that the Service account has the following delegated permissions:
    • LockoutTime (Read/Write)

    • Account Restrictions (Read/Write)

    • Reset Password

Asset session access

Using a local account:

  • Member of Remote Desktop Users group
  • Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
  • Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)

Using a Domain account:

  • Defined in the Remote Desktop Users group or be a member of a domain security group by a group policy update to the Remote Desktop Users group for that asset
  • Defined in the "Allow log on through Remote Desktop Services" policy (directly or via group membership)
  • Not defined in the "Deny log on through Remote Desktop Services" policy (directly or via group membership)