Managing WMI security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Management Instrumentation (WMI) supports a limited form of security that validates each user before the user is allowed to connect to WMI, on either the local computer or a remote computer. This security is layered on top of the operating system security. WMI does not override or circumvent security provided by the operating system.

By default, all members of the Administrators group have full control of the WMI services on the managed computer. All others have read/write/execute permissions on their local computer only.

Permissions can be changed by adding a user to the Administrators group on the managed computer or by authorizing users or groups in WMI and setting their permission level. Access is based on WMI namespaces.
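
To see who holds which permissions on a given namespace, and to check that the default (non-administrators restricted to local access) still holds, the namespace's security descriptor can be read and decoded. The following is an added example, not part of the original page; it assumes Windows PowerShell 2.0 or later in an elevated session, and the function name `Get-WmiNamespaceAce` and the default namespace `root\cimv2` are illustrative choices.

```powershell
# Added example (not from the original page): list the ACEs on one WMI namespace
# and flag any non-Administrators trustee that is allowed remote access.
function Get-WmiNamespaceAce {
    param([string]$Namespace = 'root\cimv2')   # assumed default; pass any namespace

    # WMI namespace access-mask bits, named as in the WMI Control security dialog.
    $rights = @{
        0x00001 = 'EnableAccount';  0x00002 = 'ExecuteMethods'
        0x00004 = 'FullWrite';      0x00008 = 'PartialWrite'
        0x00010 = 'ProviderWrite';  0x00020 = 'RemoteEnable'
        0x20000 = 'ReadSecurity';   0x40000 = 'EditSecurity'
    }
    $adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

    # __SystemSecurity is the singleton that exposes the namespace's security descriptor.
    $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSD
    if ($r.ReturnValue -ne 0) { throw "GetSD on $Namespace failed: $($r.ReturnValue)" }

    # GetSD returns the descriptor in binary form; let .NET parse it.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$r.SD, 0)
    if ($null -eq $sd.DiscretionaryAcl) {
        Write-Warning "$Namespace has a NULL DACL: WMI places no restriction on access."
        return
    }

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }           # unresolvable SID: report it raw

        # Decode the mask into permission names, lowest bit first.
        $granted = $rights.Keys | Sort-Object |
            Where-Object { $ace.AccessMask -band $_ } |
            ForEach-Object { $rights[$_] }

        New-Object PSObject -Property @{
            Trustee        = $name
            AceType        = $ace.AceType
            Inherited      = $ace.IsInherited
            Rights         = ($granted -join ', ')
            # True when someone other than Administrators may connect remotely.
            RemoteNonAdmin = ($ace.AceType -eq 'AccessAllowed') -and
                             ($sid.Value -ne $adminsSid) -and
                             [bool]($ace.AccessMask -band 0x20)
        } | Select-Object Trustee, AceType, Inherited, Rights, RemoteNonAdmin
    }
}

Get-WmiNamespaceAce -Namespace 'root\cimv2' | Format-Table -AutoSize
```

Because access is set per namespace, run the check against each namespace you manage; a `RemoteNonAdmin` value of `True` marks an entry that departs from the default described above.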

On computers running Microsoft Windows 95, Windows 98, or Windows Millennium Edition (ME), all users have full control locally. However, permissions can be set for users managing a Windows 95, Windows 98, or Windows ME computer remotely.

Security is checked only when a user connects to the Windows Management service. Thus, any changes made to a user's permissions while the user is connected do not take effect until the next time the user starts a WMI service. For example, if a user's access is revoked, the changes do not take effect until the user exits from WMI and attempts to connect to the service again.

For more information, see Modify permissions or delete authorized users.