Applicable to Entuity v19.0 upwards
To configure WinRM:
Entuity v19.0 upwards supports monitoring for Windows servers via WinRM. Before you can monitor Windows servers, you must configure WinRM on the server for remote management. Please see below for details on how to configure WinRM.
- The WinRM service must be running on the Windows server that is to be monitored/discovered. Default installations of Microsoft Windows Server 2012 and above come with the WinRM service running by default, and so in this case no extra steps are needed.
- If the server is running a different Windows OS version, or a non-default configuration, the following command can be used to configure the server for remote management (note, this requires administrative privileges):
winrm quickconfig
- You must ensure that the WinRM service is not blocked by a firewall and is therefore remotely accessible. By default, WinRM uses port 5985, which needs to be open. If WinRM is configured to use a non-default port, then this port needs to be open. Note, Entuity can use the non-default port.
- You must ensure that a user account with appropriate privileges is used on the Windows server. The user account must be part of the local administrators group on the managed server. Entuity uses Microsoft's negotiate authentication method, allowing Entuity to manage Windows machines that are either part of the domain or not. You can use the following username formats to do so:
  - to manage a Windows OS that is part of the domain, use <domain>\<user> format, e.g. 'mydomain\username'
  - to manage a Windows OS that is not part of the domain, use just the username, e.g. 'Administrator'
To configure WinRM access as a non-admin user:
The following permissions are required to set up WinRM access as a non-admin user:
User must be able to access WinRM and WMI services from the remote servers:
WMI is a management framework that delegates management queries to various Windows subsystems. Calls to these subsystems are made on behalf of the authenticated user account, meaning that a user account must have the corresponding permissions for using those subsystems.
To allow remote management and WMI usage, you must perform the following steps:
- Using lusrmgr.msc, add the user to the built-in 'Remote Management Users' group.
- Using wmimgmt.msc, allow the user to access all WMI namespaces:
  - Right-click WMI Control (Local) to bring up the menu, and then click Properties.
  - Click the Security tab, then click Root, then click Security.
  - Click Add.
  - Under 'Enter the object names to select', type 'Remote Management Users'. Click Check Names, then click OK. Note, here we are selecting the group that will have access to all WMI namespaces. If you do not want to give WMI access to all members of the 'Remote Management Users' group, choose another user group to which the management account belongs.
  - Ensure the group chosen above is selected and click Advanced.
  - Highlight the row with the above group and click Edit.
  - From the Applies to dropdown list, select 'This namespace and subnamespaces'.
  - Under the Allow column, check Execute Methods, Enable Account and Remote Enable, then click OK.
  - Click OK to close all windows.
User must be a member of the 'Performance Monitor Users' group:
Using lusrmgr.msc, add the user to the built-in 'Performance Monitor Users' group.
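A check of the prerequisites listed up to this point, to be run in an elevated PowerShell session on the monitored server. This is an added example, not Entuity's own tooling; `-UserName` is a placeholder parameter, and the script sees direct local group membership only, not membership through a nested domain group and not the WMI namespace permissions.

```powershell
# Added example: verify the WinRM prerequisites for a non-admin monitoring account.
# $UserName is a placeholder for the account Entuity will log in with.
param([Parameter(Mandatory)][string]$UserName)

# Resolve the account once so group members can be compared by SID, not by name.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$results = [ordered]@{}

# 1. The WinRM service must be running.
$results['WinRM service running'] = (Get-Service -Name WinRM).Status -eq 'Running'

# 2. There must be an enabled listener; collect its port for the firewall rule.
$listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Enabled -eq 'true' })
$results['Enabled WinRM listener'] = $listeners.Count -gt 0
$ports = ($listeners | ForEach-Object { "$($_.Transport):$($_.Port)" }) -join ', '

# 3. Direct membership of the two built-in groups named in this article.
foreach ($group in 'Remote Management Users', 'Performance Monitor Users') {
    $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    $results["Member of '$group'"] = $members.SID.Value -contains $sid
}

# Report one line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
"Listener ports that must be reachable: $ports"
```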
User must have access entry to the SDDL for Service Control Manager:
To allow access to the service control manager:
1. Open command prompt in Administrator mode.
2. Obtain and take note of the SID of the user by using 'wmic useraccount where name="UserName" get name,sid'.
3. Output the existing SDDL, which you will need to adjust, by using 'sc sdshow scmanager'. The output will be similar to the below (note the 'S:' in the SDDL - you will be adding new text immediately before it):
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
4. Create a new SDDL snippet that is to be inserted into the original SDDL obtained in Step 3 above. The content of the snippet is:
(A;;CCLCRPWPRC;;;<SID of User>)
You need to replace <SID of User> with the SID obtained in Step 2 above. After replacement, the snippet will look similar to the following:
(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
5. Place the above snippet immediately before 'S:' of the original SDDL obtained. This will look similar to the following:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
6. Update the service manager SDDL:
sc sdset scmanager <SDDL from Step 5>
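The same splice as the steps above, written as an added PowerShell example (not Entuity's own tooling): it keeps a copy of the original SDDL, refuses to add the ACE twice, and confirms the edited string still parses before calling `sc sdset`. The `-UserName` and `-Apply` parameters and the backup file name are assumptions of this example, and the SID is resolved with a .NET lookup instead of the wmic command.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$UserName,  # placeholder, e.g. 'mydomain\username'
    [switch]$Apply                            # assumed switch: without it nothing changes
)

# Step 2: resolve the account to its SID.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Step 3: read the current SDDL (sc.exe pads its output with blank lines).
$current = ((& sc.exe sdshow scmanager | Where-Object { $_ -match '\S' }) -join '').Trim()
if ($current -notmatch '^(O:|G:|D:)') { throw "Unexpected sc sdshow output: $current" }

# Step 4: build the ACE; stop if it is already there so reruns do not stack copies.
$ace = "(A;;CCLCRPWPRC;;;$sid)"
if ($current.Contains($ace)) { Write-Output 'ACE already present.'; return }

# Step 5: insert before the SACL marker 'S:'; with no SACL, append to the DACL.
$idx = $current.IndexOf('S:', [System.StringComparison]::Ordinal)
$new = if ($idx -ge 0) { $current.Insert($idx, $ace) } else { $current + $ace }

# Confirm the edited string still parses as a security descriptor (throws if not).
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $new

# Keep the original so it can be restored with 'sc sdset scmanager <old SDDL>'.
$backup = Join-Path $env:TEMP ('scmanager-sddl-{0:yyyyMMddHHmmss}.txt' -f (Get-Date))
Set-Content -Path $backup -Value $current

# Step 6: apply only when asked.
if ($Apply) {
    & sc.exe sdset scmanager $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed; original SDDL saved in $backup" }
} else {
    Write-Output "Original saved to $backup"
    Write-Output "Would run: sc sdset scmanager $new"
}
```

Run it once without `-Apply` and compare the printed string with the output of 'sc sdshow scmanager' before making the change.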
Troubleshooting Windows OS monitoring:
In some cases, errors may be caused by the WMI performance metrics database being out of sync. To resolve this issue, follow the below instructions:
- Log in to the affected server.
- From the command line (run as Administrator), issue the following commands:
cd %windir%\system32\
lodctr /R
cd %windir%\sysWOW64\
lodctr /R