Configuring Permissions to Remotely Access WMI
Veeam ONE collects data from Microsoft Windows machines using WMI. To make sure that Veeam ONE can collect data using WMI, the account under which you connect Microsoft Windows machines must have permissions to remotely access WMI.
Permissions to access WMI remotely must be granted on:
- Microsoft Hyper-V hosts and clusters
- Veeam Backup & Replication servers
To configure permissions for remote access to WMI:
- Grant permissions to remotely access root WMI namespace and sub-namespaces.
- Grant remote access, launch and activation permissions for DCOM application.
- Grant remote launch and activation permissions for WMI.
Tip: |
Instead of performing steps 2 and 3, you can add the user account to the Distributed COM Users group on target machines. |
Step 1. Grant Permissions to Remotely Access Root WMI Namespace and Sub-Namespaces
To grant to an account permissions for remote access to WMI:
- Log on to a target Microsoft Windows machine as an Administrator.
- Open the WMI Control Console.
To do so, choose Start > Run, type wmimgmt.msc and click OK.
- Right-click WMI Control and select Properties.
- In the WMI Control Properties window, open the Security tab.
- On the Security tab, select the Root namespace.
- Click Security.
- In the Security for Root window, add the necessary user account.
- Click Advanced.
- In the Advanced Security Settings for Root window, select the user account and click Edit.
- In the Permission Entry for Root window, do the following:
- In the Applies to list, select This namespace and subnamespaces.
- In the Permissions section, select Enable Account and Remote Enable.
- Click OK.
- In the Advanced Security Settings for Root window, click OK.
- In the Security for Root window, click OK.
- In the WMI Control Properties window, click OK.
- Close the WMI Control Console.
Step 2. Grant Remote Access, Launch and Activation Permissions for DCOM Application
To grant to an account remote access, launch and activation permissions:
- Open the Component Services Console.
To do so, choose Start > Run, type dcomcnfg and click OK.
- In the navigation tree, go to Component Services > Computers > My Computer.
- Right-click My Computer and select Properties.
- In the My Computer Properties window, open the COM Security tab.
- In the Access Permissions section, click Edit Limits.
- In the Access Permission window, add the necessary user account.
- Select the Remote Access permissions.
- Click OK.
- In the Launch and Activation Permissions section, click Edit Limits.
- In the Launch and Activation Permission window, add the necessary user account.
- Select the Remote Launch and Remote Activation permissions.
- Click OK.
- In the My Computer Properties window, click OK.
Step 3. Grant Remote Launch and Activation Permissions for WMI
To grant remote launch and activation permissions for WMI:
- Still in the Component Services Console, in the navigation tree, go to Component Services > Computers > My Computer > DCOM Config > Windows Management and Instrumentation.
- Right-click Windows Management and Instrumentation and select Properties.
- In the Windows Management and Instrumentation Properties window, open the Security tab.
- In the Launch and Activation Permissions section, click Edit.
- In the Launch and Activation Permission window, add the necessary user account.
- Select the Remote Launch and Remote Activation permissions.
- In the Launch and Activation Permission window, click OK.
- In the Windows Management and Instrumentation Properties window, click OK.
- Close the Component Services Console.
Alternative Methods of Configuring Permissions to Remotely Access WMI
As an alternative to the method described above, you can use a domain user account that is member of the local Administrators group on target Microsoft Windows machines. Administrators have all the required permissions by default.
You can also use a local Administrator account for connecting remote Microsoft Windows machines. However, this method will not work if remote machines have the User Account Control enabled.