Spiceworks minus Administrator

How to set up an account that Spiceworks can use to scan Windows devices without giving it administrator rights on the scanned hosts.

Step 1: Create a group which can be used to grant access to WMI

WMI permissions may be set by hand using the WMI Control snap-in in Computer Management (Services and Applications > WMI Control > Properties > Security). Alternatively, the script below creates a local group and assigns the permissions for you, which scales better when there are many hosts to prepare.

The script grants Enable Account, Remote Enable and Read Security (the Enable, RemoteAccess and ReadControl bits) on the root\cimv2 namespace and, through inheritance, all of its sub-namespaces. To cover every namespace, run it against root instead. Nothing write-related is granted: the scanning account only needs to read.

# Create an enumeration to make AccessMask values human-readable.
Add-Type @"
using System;

namespace WmiSecurity
{
    [FlagsAttribute]
    public enum AccessRight : int
    {
        Enable          = 1,
        Execute         = 2,
        FullWriteRep    = 4,
        PartialWriteRep = 8,
        WriteProvider   = 16,
        RemoteAccess    = 32,
        Subscribe       = 64,
        Publish         = 128,
        ReadControl     = 131072,
        WriteDAC        = 262144
    }
}
"@

$groupName = 'WMI Users'
$namespace = 'root\cimv2'

# Connect to the WinNT provider for the local machine
$localMachine = [ADSI]'WinNT://localhost'

# Check for the group
$group = $localMachine.PsBase.Children |
    Where-Object { $_.Class -eq 'group' -and $_.Name -eq $groupName }

# Create the group if it does not exist
if (-not $group) {
    $group = $localMachine.Create('group', $groupName)
    $group.Put('description', 'Members of this group can access WMI remotely.')
    $group.SetInfo()
}

# Resolve the group's SID (works whether the group was just created or already existed)
$account = Get-CimInstance Win32_Account -Filter "Domain='$env:COMPUTERNAME' and Name='$groupName'"

# Read the current security descriptor for the namespace
$security = Get-CimInstance __SystemSecurity -Namespace $namespace
$descriptor = $security |
    Invoke-CimMethod -MethodName GetSecurityDescriptor |
    Select-Object -ExpandProperty Descriptor

# Only add an ACE if the group does not already have one, so the script is safe to re-run
if ($descriptor.DACL.Trustee.SIDString -notcontains $account.SID) {
    # Create a trustee to use with the Access Control Entry
    $trustee = New-CimInstance (Get-CimClass Win32_Trustee) -ClientOnly
    $trustee.Name      = $account.Name
    $trustee.Domain    = $account.Domain
    $trustee.SIDString = $account.SID

    # Create an Allow ACE for this namespace and all sub-namespaces.
    # WMI uses CONTAINER_INHERIT_ACE (0x2) for "this namespace and subnamespaces".
    # The .NET InheritanceFlags names do not line up with WMI's ACE flag values
    # (InheritanceFlags.ObjectInherit is 2), so the raw value is used to avoid confusion.
    $ace = New-CimInstance (Get-CimClass Win32_ACE) -ClientOnly
    $ace.AceFlags   = 2
    $ace.AccessMask = [int][WmiSecurity.AccessRight]'Enable, RemoteAccess, ReadControl'
    $ace.AceType    = [int][Security.AccessControl.AccessControlType]::Allow   # 0 = ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    # Add the new ACE to the Discretionary Access Control List
    $descriptor.DACL += $ace

    # Apply the changes and fail loudly if WMI rejects the descriptor
    $result = $security | Invoke-CimMethod -MethodName SetSecurityDescriptor -Arguments @{
        Descriptor = $descriptor
    }
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityDescriptor on $namespace failed with return value $($result.ReturnValue)"
    }
}

Step 2: Create a service account and add it to a few groups

The service account does not require administrative privileges, but it does need to be a member of a few machine-local groups on every host it scans: the WMI Users group created in step 1 (namespace access), Distributed COM Users (remote DCOM launch and activation, which is how Spiceworks reaches WMI), and Performance Monitor Users (performance counter classes). Membership of Administrators, Remote Desktop Users or any other group is not needed and should not be granted.

Restricted Groups in Group Policy is a convenient way to enforce that membership across the estate. Use the "This group is a member of" direction for the service account, which adds it to the listed groups; the "Members of this group" direction replaces the existing membership of the target group on every refresh, which will strip other members you meant to keep.

Once this is complete the service account can poll Windows hosts for inventory information and performance counters without the too-often recommended, and unnecessary, step of making it a local administrator.
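The steps above, as an added PowerShell example that is not part of the original post: it puts the scanning account into exactly the groups listed in step 2, reads the namespace DACL back to confirm the step 1 ACE is present and decodes what it allows, and then runs the kind of queries Spiceworks issues over DCOM as that account so that the result proves the point without any guesswork. The account name, target host name and the use of the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) are assumptions of this example.

```powershell
# Added example; not code from the original post. Hypothetical values below.
$ServiceAccount = 'CONTOSO\svc-spiceworks'   # assumed scanning account
$Target         = 'ws01.contoso.local'       # assumed host that has run the step 1 script

# Exactly the local groups the scanning account needs, and nothing more.
$RequiredGroups = 'WMI Users', 'Distributed COM Users', 'Performance Monitor Users'

# --- Run on each scanned host: enforce group membership and check it is not an admin ---
function Set-ScanAccountMembership {
    param([string]$Account, [string[]]$Groups)

    foreach ($group in $Groups) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        if ($members.Name -notcontains $Account) {
            Add-LocalGroupMember -Group $group -Member $Account
        }
    }
    # Least-privilege check: the whole point is that the account is NOT an administrator.
    if ((Get-LocalGroupMember -Group 'Administrators').Name -contains $Account) {
        Write-Warning "$Account is a member of Administrators; remove it before using it for scanning."
    }
}

# --- Run on each scanned host: show the ACE the step 1 script added and decode its rights ---
function Get-WmiNamespaceAccess {
    param([string]$Namespace = 'root\cimv2', [string]$GroupName = 'WMI Users')

    # Same bit values as the WmiSecurity.AccessRight enum in step 1.
    $rightNames = [ordered]@{
        1 = 'Enable'; 2 = 'Execute'; 4 = 'FullWriteRep'; 8 = 'PartialWriteRep'
        16 = 'WriteProvider'; 32 = 'RemoteAccess'; 64 = 'Subscribe'; 128 = 'Publish'
        131072 = 'ReadControl'; 262144 = 'WriteDAC'
    }
    $descriptor = Get-CimInstance __SystemSecurity -Namespace $Namespace |
        Invoke-CimMethod -MethodName GetSecurityDescriptor |
        Select-Object -ExpandProperty Descriptor

    foreach ($ace in $descriptor.DACL) {
        if ($ace.Trustee.Name -ne $GroupName) { continue }
        $rights = foreach ($bit in $rightNames.Keys) {
            if ($ace.AccessMask -band $bit) { $rightNames[$bit] }
        }
        [pscustomobject]@{
            Namespace = $Namespace
            Trustee   = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Inherits  = [bool]($ace.AceFlags -band 2)   # CONTAINER_INHERIT_ACE: sub-namespaces too
            Rights    = $rights -join ', '
        }
    }
}

# --- Run from the Spiceworks server: query a host as the scanning account over DCOM ---
function Test-RemoteWmiAsScanAccount {
    param([string]$ComputerName, [pscredential]$Credential)

    # Spiceworks uses DCOM rather than WinRM, so test the same transport.
    $option  = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $option
    try {
        # Inventory-style query: needs WMI Users (namespace ACE) and Distributed COM Users.
        $os  = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        # Counter-style query: additionally needs Performance Monitor Users.
        $cpu = Get-CimInstance -CimSession $session -ClassName Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'"
        [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = $os.Caption
            LastBoot     = $os.LastBootUpTime
            CpuPercent   = $cpu.PercentProcessorTime
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Usage. The first two calls belong on the scanned host, the third on the Spiceworks server,
# so they are left commented out rather than run as one script:
#   Set-ScanAccountMembership -Account $ServiceAccount -Groups $RequiredGroups
#   Get-WmiNamespaceAccess | Format-Table -AutoSize
#   Test-RemoteWmiAsScanAccount -ComputerName $Target -Credential (Get-Credential $ServiceAccount)
```

If Test-RemoteWmiAsScanAccount returns the OS row but CpuPercent is empty or the second query is denied, the account is missing Performance Monitor Users; if the session itself fails with an access-denied error before any query runs, check Distributed COM Users first, then the namespace ACE with Get-WmiNamespaceAccess.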