Understanding WMI Security

WMI benefits from the operating system's security in two ways:

  • The operating system security can prevent unauthorized access to WMI.

  • Anything that you can access from WMI can only be used directly from the operating system. For example, when you run a script to create shares through WMI, you can only create shares that you are authorized to create through Windows Explorer.

WMI also has its own layer of security. Prior to WMI version 1.5, which shipped with Windows 2000, WMI security only controlled who could access and manage WMI. Anyone that could access or manage part of WMI could access all of it. With version 1.5 and later, WMI security is controlled at the namespace level. For example, you can allow some administrators to obtain SQL Server details from WMI by using the SQL Server namespace and allow other administrators obtain Microsoft Exchange details by using the Exchange namespace.

WMI security is controlled by using WMI Control or Wbemperm.exe, as described in the "Using WMI Management Tools" section earlier in this appendix. Users with administrator privileges on the computer do not have to be added to WMI security - they always have full access to WMI.

For More Information

Did you find this information useful? Please send your suggestions and comments about the documentation to smsdocs@microsoft.com.