To collect Windows metrics (WMI and Performance Counters), a Windows account is required, preferably an Active Directory (AD) account. If a SQL account is used for collection, WMI and Performance metrics will not be collected, and costing information cannot be calculated. WISdom does not support splitting credentials for the same instance and host (e.g., SQL Auth for the SQL instance and a Windows account for WMI).
Permissions Required on Windows Targets
The collection account requires specific permissions on every Windows server it monitors.
Least Privilege Configuration (Recommended)
Modern Windows operating systems require explicit group memberships and WMI namespace permissions for remote data collection. Configure the following on each monitored Windows server:
Group Memberships
| Group | Purpose | Where to Configure |
|---|---|---|
| Performance Monitor Users | Required to collect Performance Counter data | Computer Management › Local Users and Groups › Groups › Performance Monitor Users |
| Distributed COM Users | Enables remote activation of COM objects for WMI collection | Computer Management › Local Users and Groups › Groups › Distributed COM Users |
| Remote Management Users | Allows remote management tasks for monitoring | Computer Management › Local Users and Groups › Groups › Remote Management Users |
WMI Namespace Security (root\CIMV2)
Explicit WMI namespace permissions are required in addition to group memberships. Follow these steps on each monitored server:
- Open wmimgmt.msc.
- Right-click WMI Control (Local) and select Properties.
- Click the Security tab.
- Expand Root and select CIMV2, then click the Security button.
- Click Add. Change the location to the local computer, then either add the Remote Management Users group or the WISdom Service Account.
- Under Allow, check Enable Account and Remote Enable. Click OK.
In older versions of Windows Server, adding the collection account to the Local Administrators group was the standard approach and implicitly granted all required WMI, DCOM, and Performance Counter permissions. Microsoft's current security guidance discourages broad Local Administrator access. The least-privilege configuration above is the recommended approach for all new deployments and should be used when hardening existing environments.
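The following is an added example, not WISdom's own tooling: a read-only audit of the configuration described above on one monitored server, covering the three group memberships, the absence of Local Administrators membership, and the Enable Account / Remote Enable entry on root\CIMV2. It assumes Windows PowerShell 5.1, an elevated session, and a hypothetical account name (CONTOSO\svc-wisdom).

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit, run locally on the monitored server.
param([string]$Account = 'CONTOSO\svc-wisdom')  # hypothetical account name

function ConvertTo-Sid([string]$Name) {
    $nt = [System.Security.Principal.NTAccount]$Name
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
function Test-DirectMember([string]$Group, [string]$Sid) {
    $hit = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $Sid }
    [bool]$hit
}

$accountSid = ConvertTo-Sid $Account
$groups = 'Performance Monitor Users', 'Distributed COM Users', 'Remote Management Users'

# 1. Direct membership in the three local groups (nested AD groups are not expanded).
$results = @(foreach ($g in $groups) {
    [pscustomobject]@{ Check = "Member of $g"; Pass = Test-DirectMember $g $accountSid }
})

# 2. The account should not rely on Local Administrators, which would mask gaps below.
$results += [pscustomobject]@{
    Check = 'Not a direct member of Administrators'
    Pass  = -not (Test-DirectMember 'Administrators' $accountSid)
}

# 3. root\CIMV2 must carry an allow ACE with Enable Account (0x1) and
#    Remote Enable (0x20) for the account or for Remote Management Users.
$needed  = 0x1 -bor 0x20
$trusted = @($accountSid, (ConvertTo-Sid 'BUILTIN\Remote Management Users'))
$call = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
$ace = $call.Descriptor.DACL | Where-Object {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($_.Trustee.SID, 0)
    $_.AceType -eq 0 -and                 # 0 = access allowed
        -not ($_.AceFlags -band 0x8) -and # skip inherit-only ACEs
        $trusted -contains $sid.Value -and
        ($_.AccessMask -band $needed) -eq $needed
}
$results += [pscustomobject]@{ Check = 'root\CIMV2: Enable Account + Remote Enable'; Pass = [bool]$ace }

$results | Format-Table -AutoSize
```

Save it as a script and pass -Account with the real collection account. An account that reaches a group only through a nested AD group shows as a failed membership check.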
Testing and Troubleshooting Windows Connectivity
The ability of the collection account to connect to target Windows hosts may be tested with the following methods. The collection account credentials must either be passed via a script or the application must be run under the collection account.
Perfmon
Perfmon is available on all Windows machines but must be run as the collection account.
- Locate the perfmon program, typically: C:\WINDOWS\system32
- [SHIFT]-right-click the application and select "Run as Different User"
- Run Performance Monitor, click the green + sign, and enter \\ServerName\ to connect to the target host.
- Add a counter to confirm it is successfully added and displayed.
WBEMtest
This utility is installed on all Windows machines and can be found in C:\Windows\System32\wbem.
- Run WBEMtest as the collection account: [SHIFT]-right-click and select "Run as Different User"
- Click the [Connect] button.
- Enter \\ServerName\root\cimv2 in the Namespace field.
- Click [Connect].
- Select the [Query] button to open a WQL query window.
- Enter the query: select * from Win32_Process
- Click [Apply]. The list of processes running on the host will be displayed if successful.
PowerShell
Either powershell.exe or powershell_ise.exe may be used. Executables are typically found in C:\WINDOWS\system32\WindowsPowerShell\v1.0.
Run the executable as the collection account, or pass the Windows account credentials via the script. Then run:
Get-WmiObject -query "SELECT * FROM Win32_OperatingSystem" -ComputerName <ComputerName>