1. Home
  2. Settings
  3. Windows OS Settings
  4. Windows OS user with minimum required user permissions
  1. Home
  2. Settings
  3. Windows OS user with minimum required user permissions

Windows OS user with minimum required user permissions

In some environments it may not be feasible for AimBetter to connect to the Windows server with an account that is a member of the Administrators group.

In these cases, you may use any Windows OS user and define minimal permissions.

This user must be, at least, a member of the groups Performance Monitor Users and Performance Log Users  and have some specific permissions as detailed in this document.

1. Set up user’s groups

  1. Check Control Panel | Administrative Tools | Computer Management
  2. Double click Local Users and Groups | Users.
  3. Double click on the user name (for example, “Guest” in the following image)
  4. Go to the Member of tab
  5. Click on Add | Advanced | Find Now
  6. Double click the following groups: Performance Monitor Users and Performance Log Users

2. Configure WMI permissions

Under Services and Applications, bring up the properties dialog of WMI Control (or run wmimgmt.msc). In the Security tab, highlight ROOT, click Security: add Performance Monitor Users and enable the options : Enable Account , Remote Enable , Read Security and Execute Methods.

If the “Execute Methods” option is not enabled, the only impact will be in case the WMI stops running properly. In this case, you can manually kill the AimBetter process and restart the WMI.

3. Configure COM Security

  1. Click Start, click Run, type DCOMCNFG, and then click OK.
  2. In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  3. In the My Computer Properties dialog box, click the COM Security tab.
  4. Under Access Permissions and Launch and Activation Permissions , click Edit Limits.
  5. Add Performance Monitor Users and allow remote access, remote launch, and remote activation.

4. Configure DCOM Security

  1. From the Component Services dialog double click Computers | My Computer | DCOM Config | Windows Management and Instrumentation.
  2. Right click Windows Management and Instrumentation | Properties.
  3. Click Security | Launch and Activation Permissions | Edit.
    1. Add the Performance Monitor Users group.
    2. Allow Remote Launch and Remote Activation.
    3. Click OK to close the Launch and Activation Permission dialog and save changes.
  4. Click OK to close the Windows Management and Instrumentation Properties dialog and save changes.

5. Grant permissions to get information about services

Retrieve the user SID

Retrieve the user SID From the Windows command prompt, type powershell and click Enter to open the Powershell.

Run the following command to retrieve the user SID of the Aimbetter User. Replace domainName and userName with the domain name and user name for the Aimbetter User account.

[wmi]"win32_useraccount.domain='domainName',name='userName'"
Retrieve the current SDDL for the Services Control Manager

From the Windows command prompt, run the following command to retrieve the current SDDL for the Services Control Manager. The SDDL is saved in the file called file.txt.

sc sdshow scmanager > file.txt

The SDDL looks something like this. For more information see Microsoft KB914392.

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Modify the SDDL

Copy the section of the SDDL that ends in IU (Interactive Users). This section is one complete bracketed clause ie (A;;CCLCRPRC;;;IU). Paste this clause directly after the clause you copied from.

In the new text, replace IU with the user SID of the Aimbetter User.

The new SDDL looks something like the following:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU) (A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA) S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Set the security credentials for accessing the Service Control Manager

The sdset command on sc sets the security credentials for accessing the Service Control Manager (scmanager). Note the permissions on scmanager are being replaced. Setting security credentials is not additive. That’s why we needed to copy the existing permissions.

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"

6. Grant full control over C:\Program Files (x86)\AimBetter folder

The only full control (reading and writing permissions) needed for this user is over the C:\Program Files (x86)\AimBetter folder.

You may create this folder before the Agent installation and grant full control exclusively over this folder.

Was this article helpful?
Yes No