January 24, 2008, 1:17 PM — We've looked at using Windows Management Instrumentation Command-line (WMIC) for gathering information from computers running Microsoft
Windows. WMIC is a powerful tool that lets you query Windows Management Instrumentation (WMI) providers directly from the command line or using batch files, and if you're an administrator then it's well worth your while exploring its capabilities.
However, reader Richard Webb pinged me to point out that WMIC only works if
you are a local administrator, therefore "it's kind of a catch 22 to use
it to support users who don't normally have permissions for the command."
He makes a really good point. If your users aren't local administrators on their
computers, they won't be able to run WMIC commands on them. And if you're trying
to run WMIC commands remotely (i.e. against remote computers) then you need
to use a domain account that is a member of the local Administrators group on
the remote computer. With servers, that's usually no problem, but with client
computers, well, it's unlikely that (and would be very bad if) your domain Administrator
account is a member of the local Administrators group on every client computer
on your network!
(If you want to know how really, really bad doing the above would be, read
the terrific Chapter 13 "Managing Security Dependencies To Secure Your
Network" by security guru Jesper M. Johansson in the upcoming Windows Server
2008 Security Resource Kit from Microsoft Press.)
Richard makes a good point but it's mitigated by a couple of things. First,
the customer support scenario described in last week's tip involves unmanaged
computers, that is, a software company supporting customers who use their software.
In such a scenario, if the users are running Windows XP then they're very likely
already administrators on their machines, and if they're running Windows Vista
then they're probably admins as well, and can use Run As Admin to open a command
prompt they can run WMIC from.
If the user's computer is managed however (i.e. they belong to an Active Directory
domain and have Group Policy applied) and running Windows XP, then the user's
domain user account may or may not belong to the local Administrators group
on her machine. If it does belong, everything is OK. If not, a workaround would
be to have helpdesk offer Remote Assistance to the user. Once the offer is accepted,
helpdesk can then take control of the user's computer and run WMIC commands
on it to troubleshoot the issue.
If the user's computer is managed but running Vista, however, there's a snag:
once helpdesk takes control of the machine and tries to open an admin-level
command prompt, a UAC prompt will appear. Unfortunately, with Vista RTM only
the user can respond to this prompt, because the UAC prompt isn't remoted to helpdesk.
Service Pack 1 for Vista, however, adds a new Group Policy setting that solves
this problem:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop

If you enable this policy in a GPO that applies to the user's computer, helpdesk
will be able to enter admin credentials to open an admin-level command prompt
on the user's computer and run WMIC commands as needed. For more information
about Remote Assistance in Windows Vista, see chapter 23 of the Vista Resource
Kit from Microsoft Press.
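
Both preconditions discussed above, an elevated administrator token and the state of the UIAccess policy, can be checked before a support session starts. The PowerShell below is an added example, not part of the original tip; the function names are hypothetical, and EnableUIADesktopToggle is the registry value that backs this policy setting.

```powershell
# Added example: read-only preflight checks before a helpdesk WMIC session.
# Function names are hypothetical; nothing here changes system state.

function Test-ElevatedAdministrator {
    # True only when the current token has the Administrators group enabled.
    # Under UAC, an administrator in a non-elevated prompt gets $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UIAccessPromptPolicy {
    # Registry value behind "User Account Control: Allow UIAccess Applications
    # To Prompt For Elevation Without Using The Secure Desktop".
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'EnableUIADesktopToggle' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.EnableUIADesktopToggle -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-WmicSupportReadiness {
    $elevated = Test-ElevatedAdministrator
    $policy   = Get-UIAccessPromptPolicy

    # Map the two findings onto the scenarios described in the article.
    $advice = if ($elevated) {
        'This prompt is elevated and can run WMIC commands.'
    } elseif ($policy -eq 'Enabled') {
        'Not elevated; helpdesk can answer the UAC prompt over Remote Assistance.'
    } else {
        'Not elevated; the UAC prompt will only be shown to the local user.'
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        ElevatedAdmin        = $elevated
        UIAccessPromptPolicy = $policy
        Advice               = $advice
    }
}

Get-WmicSupportReadiness | Format-List
```

Enabling the policy moves the elevation prompt for UIAccess applications such as Remote Assistance off the secure desktop, so link the GPO only to the computers that helpdesk actually supports this way.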
Thanks to everyone for the feedback and keep it coming!














