In Powershell, how to check drive space on remote server with non-admin account?

Question

I work in an active directory environment with many servers. I have a user account that I would like to use to check the status of other servers, without giving this account full administrative access to these other servers. Specifically, I want to check the drive space on these servers, and I'd like to do it with Powershell.

I have executed Enable-PSRemoting on the target server, and I can successfully invoke Get-PSDrive on them remotely using administrator credentials. The results are returned almost immediately, and include information about the used / free space on all drives.

However, when I run the same command (Invoke-Command -computer remoteserver1 {Get-PSDrive -PSProvider FileSystem}) as the non-administrative user, the results come back very slowly (takes about 30 seconds), and none of the drives have any information about their used / free space.

What I have done so far:

• I have added the non-administrative user account to the Remote Management Users group on the target server.
• Edited SDDL for scmanager (on the target server) to add the same DiscretionaryACL for Remote Management Users as Built-in Administrators have.
• Per this post, I have granted this user WMI permissions in wmimgmt.exe > WIM Control (Local) > (right click) > Properties > Security tab > Expand 'Root' > click on SECURITY node > click 'Security' button > added non-admin user with full access.
• Added user to the Distributed COM Users group on the target server.

Some also suggested trying Invoke-Command -computer remoteserver1 {Get-WmiObject -Class Win32_MappedLogicalDisk} to troubleshoot, but it comes back 'Access is denied.' I believe if I could get Get-WmiObject working successfully for this limited user, it would solve my issue.

What should I do to get this limited user account the access they need to check drive space on other servers? without giving the account admin rights, and preferably without having to map and unmap any drives?

Answer 1

Very much appreciate the noted answer, but I wanted a little more consistency in my implementation and I finally stumbled across the older PowerShell DSC resource below, but I'm also adding what's necessary for the group membership. On WinSrv2019, I noticed PS remoting/Dcom access were set proper by default, so just this was needed.

*Updated this to specify inheritance through the "Children" parm. Unfortunately if you use this DSC resource, you have to remove the previous rule and recreate entirely for the "appliesto" setting to work.

1. Install DSC Resources

Install-Module -Name WmiNamespaceSecurity Install-Module -Name ComputerManagementDsc 

2. Import the reference in your DSC's code.

Import-DscResource -ModuleName WmiNamespaceSecurity Import-DscResource -ModuleName ComputerManagementDsc -ModuleVersion 9.0.0 

3. Configure with the recommended configuration from Baodad.

WmiNamespaceSecurity AddDcom { Path = 'root' Principal = "Builtin\Distributed COM Users" AppliesTo = 'Children' AccessType = 'Allow' Permission = 'Enable', 'MethodExecute', 'RemoteAccess' Ensure = 'Present' } Group "Distributed COM Users" { GroupName = "Distributed COM Users" Ensure = "Present" MembersToInclude = "Group_Or_User" } Group "Remote Management Users" { GroupName = "Remote Management Users" Ensure = "Present" MembersToInclude = "Group_Or_User" } 

Answer 2

To allow a non-administrative account to execute the necessary Powershell commands to return information about drive space on a remote server, complete the following steps (as a server/domain admin) on the target server.

1. Enable-PSRemoting - Google this if you need further explanation.

2. Click Start > Run..., type lusrmgr.msc and click OK

3. Click on the Groups folder.

4. Double-click on Remote Management Users group, and add the non-admin user account. Click OK.

5. Double-click on Distributed COM Users group, and add the non-admin user account. Click OK.

Configure DCOM security settings

7. Click Start > Run..., type dcomcnfg and click OK

8. Drill down into the "Component Services" tree until you get to "My Computer". Right-click "My Computer" to bring up the menu, and click Properties.

9. Click the COM Security tab.

10. Click Edit Limits in the "Access Permissions" section. Make sure "Distributed COM Users" group has boxes checked for both Local Access and Remote Access. Click OK.

11. Click Edit Limits in the "Launch and Activation Permissions" section. Make sure all four 'Allow' boxes are checked for "Distributed COM Users" group. Click OK.

Configure WMI Control security settings.

15. Click Start > Run..., type wmimgmt.msc and click OK.

16. Right-click WMI Control (Local) to bring up the menu, and click Properties.

17. Click on the Security tab, then click Root, and click the Security button at the bottom of the dialog.

18. Click Add... and add the local Distributed COM Users group.

19. Click Advanced.

20. Highlight the row with Distributed COM Users in it and click 'Edit' button.

21. From the "Applies to" drop-down list, select "This namespace and subnamespaces"

22. Under the Allow column check "Execute Methods", "Enable Account", and "Remote Enable"

23. Click OK to exit out of dialog windows.

(26.) Restart the WinRM (Windows Remote Management) service

Please comment below if you have any feedback about security concerns, or how to improve least privilege access.

Hat tip to this link for guidance: https://helpdesk.kaseya.com/hc/en-gb/articles/229043428-Configuring-a-regular-non-admin-user-account-for-WMI-monitoring