0

i created a user and added it to administrators group. when i open powershell normally ( not as administrator ) and type get-wmiobject, i get access denied. what i done

  1. ran wmi control, added user specifically and granted full access

enter image description here

  1. added user to Distributed COM users and granted full permissions

enter image description here

  1. opened GPO and added user to Local Sec policy > Computer Configuration > Windows Settings > Security Settings > Local policies > Security Options > DCOM: Machine Access Restrictions in Security Descriptor Definition Language syntax

enter image description here

when i open PowerShell as admin, type get-wmiobject -namespace root\wmi -class Lenovo firmware setting ( can be any that requires elevation ) , it works. then while session is active, it works when PowerShell is run without administrative access.

What am I missing so I can call wmi without elevating the console?

Improve this question
6
  • Each individual WMI namespace also has security restrictions: learn.microsoft.com/en-us/windows/win32/wmisdk/… . Depending on the WMI class/method, it might need to access resources like registry keys which can have their own access controls, so it's difficult or impossible unless you only need one specific thing. What are you trying to solve by not elevating the console?
    – Cpt.Whale
    Commented Dec 6, 2023 at 18:55
  • its very specific case. i just want to call following query get-wmiobject -namespace root\wmi -class Lenovo_biossetting to enumerate bios settings via script automatically. its not a huge problem, i just wanted to know if that is possible
    – Daniel Kusnir
    Commented Dec 6, 2023 at 19:04
  • How are you launching the script? For example, using Task Scheduler as that account, you can just enable "Run with highest privileges" to launch your script in an elevated process. Since that user is part of the administrators group, it should be doable in whatever tool you're using.
    – Cpt.Whale
    Commented Dec 6, 2023 at 19:33
  • I don't have a Lenovo PC to test with, so it's hard to say whether it's possible to convince windows to read from the bios without elevating your permissions, but I would say it's very unlikely
    – Cpt.Whale
    Commented Dec 6, 2023 at 19:35
  • most likely you are right. i was just curious why it works when script / query is executed with elevation first and then , you can just run it without elevation. also i was under the impression that given full access to WMI will allow at least read access. i will need to check how this WMI class is secured.
    – Daniel Kusnir
    Commented Dec 6, 2023 at 19:54

0

Reset to default

You must log in to answer this question.

Browse other questions tagged .