Server Management - Systems Insight Manager
1748255 Members
3940 Online
108760 Solutions
New Discussion

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

 
SOLVED
Go to solution
PE_
Occasional Visitor

Subscribing to WBEM events as Non-Administrative user (HP SIM)

Hi,

 

Can anyone tell me what security permissions I need to set (on a managed Windows Server) to allow a non-admin user to create WBEM subscriptions in SIM (I am not talking about security for the HPQ WMI namespace - see below)?

 

The situation I have is as follows:

 

  • I am using a domain user (non-admin) to perform discovery in HP SIM
  • The domain user is configured with the required COM secuirty launch and activate permissions on the servers and with the required WMI permissions (set using the enableRWMI.exe tool as supplied with the HP WBEM providers)
  • The user does not and should not have administrative rights on the servers

 

With this configuration in place discovery works with no errors.

However when I attempt to Subscribe to WBEM events (within SIM) the create subscription task fails with the error:

 

           Cause: Unable to create a WBEM connection on the managed system

           Recommended Action: Check managed system credentials and reidentify

 

If I make the SIM user (domain user) a member of the local administrators group on the server then the task completes successfully and the subscription is created.

Once the subscription is created I can remove the admin rights and SIM continues to receive WBEM events as expected.

 

So my question is.....  What permissions do I need to set for the SIM user on the servers to allow the WBEM subscription to be created without the user being an administrator?

 

Note that the WMI namespace security for root\HPQ has been set.

 

All I have managed to ascertain so far is that in creating the subscription EventFilters are created under the root\HPQ namespace - however it seems that the namespace security does not apply here!??

 

Any help much appreciated,

Getting increasingly frustrated with the apparent oversight of this issue in the HP documentation.

(I.e. the documentation details how to discover as a non-admin but no mention of this issue).

 

P

 

7 REPLIES 7
shocko
Honored Contributor
Solution

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

I ended up opening a support ticket with  HP about this as I got so frustrated with it!

 

You permissions are correct (in fact I normally  configure them using the command line tool included with the WBEM providers namely enableRWMI.exe) but the thing they don't mention is the subscription itself needs to be created with an admit account!

 

So, to achieve what you need, do the following:

  1. Run enableRWMI.exe and specify the non-admit account you wish to use
  2. In SIM, against the machine (s) you want to create subscription for set a WBEM credential using an admit account on those servers
  3. Run a full identification
  4. Create the subscriptions
  5. Go back into the system properties for those servers and change the account used for WBEM back to the non-admit

All should work fine now ;)

If my post was helpful please award me Kudos! or Points :)
PE_
Occasional Visitor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

Thank you for your reply / input.

 

This is exactly what I had resolted to doing as (what I hoped to be) a temporary workaround.  Looks like it will now be the final solution!

 

HP - It would be really nice if you could mention such shortcomings in the product documentation !

 

Regards,

Phil

shocko
Honored Contributor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

I agree. HP's documentation is lacking in this area. I was hoping it would be a temporary solution also as to do this process on 100+ machines is a bit painful :(

If my post was helpful please award me Kudos! or Points :)
pgarr
Frequent Advisor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

This is a paint but will have to do.

 

 

It appears to be someting 2008 specific, in my case I can get subs with non-admin on 2003 hosts but not 2008.

 

 

donteverstop
Advisor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

Havent used newest SIM or WBEM on 2008 - but the non-admin user will have to be a member of the "Distributed COM Users" group on the target server(s).

 

It might be that you specify the members of this group by GPO and he is therefore not added when you run the enablerwmi.exe-file.

 

 

pgarr
Frequent Advisor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

When I use the provided enableWMI tool, it does add the user to the D DCOM group successfully.  However in the case of 2008, all actions appear to only work if the users is admin on the machine.

 

Besides not being able to subscribe as a non-admin users, in my case I can only properly detect Hyper-V hosts if the identify   credentials are admin on the host.

 

To get subs working I did as specified above, I gave the service account admin on the hosts, ran identify, run subs successfully, then removed the account.   To my surprise it fixed another issue I was having, of not being able properly idenify hyper-V hosts but on the next daily idenityf, things went back to normal.  Subs however continue to work.

 

shocko
Honored Contributor

Re: Subscribing to WBEM events as Non-Administrative user (HP SIM)

The only was I have ever gotten these working is as stated above in my earlier post:

 

  1. Set WBEM credentials for the system either globally or against the individual system. This account must have admin rights on the target windows system
  2. Identify the system and ensure that WBEM is in the list of managed protocols
  3. Subscribe to the events
  4. Remove admin access if needed
If my post was helpful please award me Kudos! or Points :)