Most of the Computer Management Tools (CMT) require the Windows Management Instrumentation (WMI) interface to be configured and enabled on your clients, and for the OVERLAPS server to have permission to access it.
If you don’t wish to use the tools which make use of WMI (everything except the Ping tool), then you can ignore this section.
The easiest way to configure WMI is by adding the OVERLAPS server’s computer account to the Local Administrators group of the computers it needs to manage.
Alternatively, to setup the precise permissions manually, follow the below guide. Most of these settings are configured in Group Policy except for the first, which must be done on each computer.
WMI Namespace Permissions (locally on each computer)
- On the computer to be managed, run wmimgmt.msc in a command prompt
- Right-click WMI Control (Local), and select Properties
- Select the Security tab
- Select Root and click the Security button,
- Click the Add… button
- Click the Object Types button and make sure Computers is selected
- Enter the name of the OVERLAPS server and click Check Names. The computer object of the server is now filled in automatically
- Click OK
- Click Advanced
- Select the OVERLAPS server in the list
- Click Edit
- In the Applies to list, select This namespace and subnamespaces
- Check the permissions boxes for: Execute Methods, Enable Account, Remote Enable and Read Security
- Click OK in each dialog until you have exited back to the main window.
User Rights Assignment (Group Policy)
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
The OVERLAPS server may require to be added to the following policies to grant it permission to remotely manage computers:
- Act as part of the operating system
- Impersonate a client after authentication
- Log on as batch job
- Log on as a service
DCOM Machine Access Restrictions and Machine Launch Restrictions (Group Policy)
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Double click the “DCOM: Machine Access Restrictions…” setting
- Check the “Define this policy setting” box
- Click “Edit Security”
- Click “Add”
- Click “Object Types”
- Check the “Computers” option
- Enter the name of the OVERLAPS server followed by “$” (e.g. “myserver$”)<,/li>
- Click OK
- With the server selected, check the Allow option for “Local Access” and “Remote Access”
- Repeat these steps for “DCOM: Machine Launch Restrictions…”, except checking Allow for all four options.
Firewall Setup (if using the Windows Firewall) (Group Policy)
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
- Right click on the right pane and select New Rule
- Select Predefined and Windows Management Instrumentation (WMI) in the list
- Click Next
- Tick all the Windows Management Instrumentation-rules in the list (usually 3 items)
- Click Next
- Select Allow the Connection
- Click Finish
Enable the Windows Management Instrumentation (WMI) and the Remote Procedure Call (RPC) Services (Group Policy)
Computer Configurations > Preferences > Control Panel Settings > Services
- Right click in the right pane, select New -> Service
- Change Startup to Automatic
- Click the “…” button next to “Service name”
- Scroll down to Windows Management Instrumentation (Winmgmt) and select it
- Change “Service action” to “Start service”
- Repeat this for the Remote Procedure Call (RPC) (RpcSs) service.
Access Denied
If you have done all of these steps but are still getting an “Access Denied” or “Privilege not held” error, refer to the Microsoft Support article below: