
Windows OS user with minimum required user permissions

For local and remote monitoring within the same domain, the user who runs the AimBetter Agent service can have minimal permissions, as detailed in this document.

For remote monitoring within the same workgroup (different domain), the user must be defined as an administrator and have the same name and password in both the Agent and Monitored Servers.

1. Create and Set up the Domain User (Required for Remote Monitoring)

For remote monitoring, a domain user is required. You can use an existing user or create a new one.

Steps to create the user:

  • On the Domain Controller, open Active Directory Users and Computers.
  • Right-click the desired OU → New → User. (OU = Organizational Unit: the folder/container in which you want to create the user. Common choices are the default “Users” container or a dedicated OU such as “Service Accounts”.)
  • Create a new user (example: DOMAIN\AimBetterUser) with a strong password.
  • On the Account tab, select Password never expires (otherwise, the user will have to change the password at the next logon).
  • Click OK.

2. Add User to Required Local Groups on Each Monitored Server

  • On each monitored server, open Computer Management → Local Users and Groups → Users.
  • Double-click the user (DOMAIN\AimBetterUser).
  • Go to the Member Of tab → Add → Advanced → Find Now.
  • Add the following groups:
    • Performance Monitor Users
    • Performance Log Users
  • Click OK.

3. Grant “Log on as a service” Right (Required on the Agent Server)

The AimBetter Agent runs as a Windows Service. The user account must have the “Log on as a service” user right on the server where the Agent is installed.

How to grant the permission:

  • On the Agent Server, press Win + R, type secpol.msc and press Enter.
  • Navigate to: Security Settings → Local Policies → User Rights Assignment.
  • Double-click Log on as a service.
  • Click Add User or Group.
  • Enter the user (DOMAIN\AimBetterUser) → Check Names → OK.
  • Click OK to save.

Tip: In domain environments, it is recommended to assign this right via Group Policy for consistency.

4. Configure WMI permissions (on each Monitored Server)

  • On each monitored server, run wmimgmt.msc to open the Windows Management Instrumentation (WMI) Management Console.
  • Right-click on WMI Control (Local) and select Properties.
  • In the Security tab, highlight Root, and click the Security button.
  • Add the created user and enable the options:
    • Enable Account
    • Remote Enable
    • Read Security
    • Execute Methods
  • Repeat the same steps for Root\CIMV2, adding the created user and enabling the options Enable Account, Remote Enable, Read Security and Execute Methods.

If the “Execute Methods” option is not enabled, the only impact arises if WMI stops running correctly. In that case, you can manually kill the AimBetter process and restart WMI.
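
The rights selected in step 4 can be checked from an elevated PowerShell prompt on the monitored server. The following is an added example, not AimBetter's own tooling; the account name is the page's placeholder, and only ACEs that name the account directly are evaluated (rights granted through a group are not expanded).

```powershell
# Added example: compare the account's WMI namespace rights with step 4.
# $Account is a placeholder; run elevated on the monitored server.
param([string]$Account = 'DOMAIN\AimBetterUser')

# WMI namespace access-mask bits as shown in the WMI Control security dialog.
$Rights = [ordered]@{
    'Enable Account'  = 0x1
    'Execute Methods' = 0x2
    'Full Write'      = 0x4
    'Partial Write'   = 0x8
    'Provider Write'  = 0x10
    'Remote Enable'   = 0x20
    'Read Security'   = 0x20000
    'Edit Security'   = 0x40000
}
# The four options the procedure enables on Root and Root\CIMV2.
$Expected = 'Enable Account', 'Execute Methods', 'Remote Enable', 'Read Security'

$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

foreach ($ns in 'root', 'root/cimv2') {
    $sd = (Invoke-CimMethod -Namespace $ns -ClassName __SystemSecurity `
        -MethodName GetSecurityDescriptor).Descriptor

    # Combine every allow ACE (AceType 0) that names the account directly.
    $mask = 0
    foreach ($ace in $sd.DACL) {
        if ($ace.Trustee.SIDString -eq $sid -and $ace.AceType -eq 0) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $granted = @($Rights.Keys | Where-Object { $mask -band $Rights[$_] })

    [pscustomobject]@{
        Namespace = $ns
        Missing   = ($Expected | Where-Object { $_ -notin $granted }) -join ', '
        Excess    = ($granted | Where-Object { $_ -notin $Expected }) -join ', '
    }
}
```

An empty Missing column means all four options are present; anything listed under Excess (for example a write right or Edit Security) goes beyond what this procedure asks for.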

5. Configure COM Security (on each Monitored Server)

This configuration is necessary for remote monitoring and should be made on the monitored server.

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and click Properties.
  3. In the My Computer Properties dialog box, click the COM Security tab.
  4. Under Access Permissions and Launch and Activation Permissions, click Edit Limits.
  5. Add the user or groups (Performance Monitor Users, Performance Log Users, and Distributed COM Users) and allow remote access, remote launch, and remote activation.

6. Configure DCOM Security for WMI (on each Monitored Server)

This configuration is necessary for remote monitoring and should be made on the monitored server.

  1. In the Component Services dialog, double-click Computers | My Computer | DCOM Config | Windows Management and Instrumentation.
  2. Right-click Windows Management and Instrumentation | Properties.
  3. Click Security | Launch and Activation Permissions | Edit.
    1. Add the user or groups (Performance Monitor Users, Performance Log Users, and Distributed COM Users).
    2. Allow Remote Launch and Remote Activation.
    3. Click OK to close the Launch and Activation Permission dialog and save changes.
  4. Click OK to close the Windows Management and Instrumentation Properties dialog and save changes.

7. Grant full control over C:\Program Files (x86)\AimBetter folder (on the Agent Server)

The AimBetter Agent only needs Full Control on its own installation folder: C:\Program Files (x86)\AimBetter. This folder is created on the Agent server (where the AimBetter Agent is installed).

You may create this folder before installing the Agent and grant Full Control on this folder exclusively.

How to grant permissions:

  • On the Agent Server, open File Explorer and go to C:\Program Files (x86).
  • Right-click the AimBetter folder (create it manually if it doesn’t exist yet) → Properties → Security tab.
  • Click Edit → Add.
  • Enter the user (DOMAIN\AimBetterUser) → Check Names → OK.
  • Select the user and check Full control.
  • (Recommended) Click Advanced → check Replace all child object permission entries… → Apply.
  • Click Apply → OK.

8. Grant Permissions to C:\PerfLogs (on each Monitored Server)

  • Write: To create the Server_Performance folder and its files.
  • Read/Modify: To read performance data and update the files.

How to grant Permissions:

  • Open File Explorer and navigate to: C:\PerfLogs
  • Right-click the folder → Properties → Security tab.
  • Click Edit… to modify permissions.
  • If the SERVICE principal is not listed:
    • Click Add…
    • Type SERVICE → Check Names → OK
  • Select SERVICE and grant the following permissions:
    • Write → create folders/files
    • Read / Modify → read performance data and update files
  • Click Apply → OK.
  • Restart the AimBetter Agent service (or the server, if needed)
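
Once steps 2, 3, 7 and 8 are done, the result can be audited without changing anything. This is an added example, not AimBetter's own tooling: the account name is the page's placeholder, group names are the English ones used above, and only direct grants are detected. Steps 3 and 7 apply on the Agent Server, steps 2 and 8 on monitored servers.

```powershell
# Added example: read-only audit of the account set up in steps 2, 3, 7 and 8.
# Run elevated. $Account is a placeholder; paths and group names come from the page.
param([string]$Account = 'DOMAIN\AimBetterUser')

$SidType = [System.Security.Principal.SecurityIdentifier]
$sid = ([System.Security.Principal.NTAccount]$Account).Translate($SidType).Value

function Test-Member([string]$Group) {
    # Direct members only; nested domain groups are not expanded.
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $sid })
}

function Test-Ntfs([string]$Path, [string]$Trustee, [string]$Right) {
    # True when an allow ACE for $Trustee (a SID string) includes $Right.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $need  = [System.Security.AccessControl.FileSystemRights]$Right
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType)
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $need) -eq $need })
}

# Step 3: export the user-rights assignments and read SeServiceLogonRight.
$cfg = Join-Path $env:TEMP 'rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
$holders = @()
if ($line) {
    # Entries are written as *SID, separated by commas.
    $holders = $line.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]@{
    Account            = $Account
    PerfMonitorUsers   = Test-Member 'Performance Monitor Users'   # step 2
    PerfLogUsers       = Test-Member 'Performance Log Users'       # step 2
    LocalAdministrator = Test-Member 'Administrators'  # expect False for a minimal account
    LogOnAsService     = $holders -contains $sid                   # step 3
    AgentFolderFull    = Test-Ntfs 'C:\Program Files (x86)\AimBetter' $sid 'FullControl'  # step 7
    PerfLogsModify     = Test-Ntfs 'C:\PerfLogs' 'S-1-5-6' 'Modify'  # step 8 (S-1-5-6 = SERVICE)
}
```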

9. Firewall requirements

Configure the Windows Firewall on the Agent Server (and Monitored Servers where required).

Applications to allow:

  • Performance Logs and Alerts (Domain)
  • Windows Management Instrumentation (WMI) (Domain)
  • Windows Performance Adapter (Domain, Private, and Public)
  • Windows Remote Management (Domain, Private, Public)

Read about Firewall configuration on Windows servers – both Agent and Monitored servers. 

Also, enable the necessary inbound rules for WMI (port 135 + dynamic RPC ports) and WinRM if required.
