Windows OS user with minimum required user permissions

For local and remote monitoring within the same domain, the user who runs the AimBetter Agent service can have minimal permissions, as detailed in this document.

For remote monitoring within the same workgroup (different domain), the user must be defined as an administrator and have the same name and password in both the Agent and Monitored Servers.

1. Create and Set up the User Group (Domain User Required for Remote Monitoring)

• Creating a Domain User (For Remote monitoring, a domain user is required. You can use an existing user or create a new one.):
  • On the Active Directory (domain), create a new domain user (e.g., DOMAIN\AimBetterUser) with a strong password.
  • Configure it so password never expires and user does not have to change password at next logon.
• Add User to Required Groups on the Monitored Server:
  • For each monitored server, open Computer Management → Local Users and Groups → Users.
  • Double-click the user account you created (e.g., DOMAIN\AimBetterUser).
  • Go to the Member Of tab → Add → Advanced → Find Now.
  • Add the following groups:
    • Performance Monitor Users
    • Performance Log Users
  • Click OK to save the group membership.

2. Configure WMI permissions

For both local and remote monitoring, on the monitored server, run  wmimgmt.msc to open the Windows Management Instrumentation (WMI) Management Console

Right-click on WMI Control (Local) and select Properties.

In the Security tab, highlight Root, and click the Security button.

Add the created user and enable the options : Enable Account , Remote Enable , Read Security and Execute Methods.

Do the same with CIMV2, adding the created user and enabling the options : Enable Account , Remote Enable , Read Security and Execute Methods.

3. Configure COM Security

This configuration is necessary for remote monitoring and should be made on the monitored server.

1. Click Start, click Run, type DCOMCNFG, and then click OK.
2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and click Properties.
3. In the My Computer Properties dialog box, click the COM Security tab.
4. Under Access Permissions and Launch and Activation Permissions, click Edit Limits.
5. Add the user or groups (Performance Monitor Users, Performance Log Users, and Distributed COM Users) and allow remote access, remote launch, and remote activation.

4. Configure DCOM Security

This configuration is necessary for remote monitoring and should be made on the monitored server.

1. In the Component Services dialog, double click Computers | My Computer | DCOM Config | Windows Management and Instrumentation.
2. Right-click Windows Management and Instrumentation | Properties.
3. Click Security | Launch and Activation Permissions | Edit.
   1. Add the user or groups (Performance Monitor Users, Performance Log Users, and Distributed COM Users).
   2. Allow Remote Launch and Remote Activation.
   3. Click OK to close the Launch and Activation Permission dialog and save changes.
4. Click OK to close the Windows Management and Instrumentation Properties dialog and save changes.

5. Grant full control over C:\Program Files (x86)\AimBetter folder

The only full control (reading and writing permissions) needed for this user is over the C:\Program Files (x86)\AimBetter folder. This folder is created in the Agent server (where the AimBetter agent is installed).

You may create this folder before the Agent installation and grant full control exclusively over this folder.

6. Access Rights to the C:\PerfLogs Directory on the monitored server

• Write: To create the Server_Performance folder and its files.
• Read/Modify: To read performance data and update the files.

7. Firewall requirements

Check here about Firewall configuration on Windows servers – both Agent and Monitored servers.