Remote WMI Access on Domain Controllers - account not admin


I am involved in a project where we are using Pester Tests to validate a system health of Domain Controllers.

I am working on the WMI method (as WinRM has still got limited usage over here in NZ) to query the Domain Controller for system information.

However there is a caveat. That is the account that will be running the test will preferably be not an admin account. We don’t have local administrator accounts on the Domain Controllers so I was wondering if anyone has any creative ideas on how to run the tests successfully? Any help most appreciated.


Wei-Yen Tan

You’ve only got two choices. WMI by default only allows remote queries from members of the local Administrators group. So the user either needs to be in that group, or you’ve got to re-permission WMI - which Microsoft doesn’t really recommend. There’s not really a ‘creative’ way around security.

Thank you Don for the reply.

If we were to somehow be able to use WinRM would JEA be a suitable choice? This is just a question out of curiousity.

Yeah. You could set up an endpoint to “run as” an authorized user, and then lock down who could connect to the endpoint. And you don’t need JEA per se; you can set that up manually. The JEA Toolkit is really just an easier way of running the necessary commands. “Secrets of PowerShell Remoting” talks about manually creating this kind of endpoint.