{"id":344,"date":"2026-04-01T11:19:25","date_gmt":"2026-04-01T10:19:25","guid":{"rendered":"https:\/\/overlaps.co.uk\/docs\/?page_id=344"},"modified":"2026-04-01T11:27:18","modified_gmt":"2026-04-01T10:27:18","slug":"computer-management-tool-permissions","status":"publish","type":"page","link":"https:\/\/overlaps.co.uk\/docs\/overlaps-documentation\/installation-and-configuration\/active-directory\/computer-management-tool-permissions\/","title":{"rendered":"Computer Management Tool Permissions"},"content":{"rendered":"\n

Most of the Computer Management Tools (CMT) require the Windows Management Instrumentation (WMI) interface to be configured and enabled on your clients, and for the OVERLAPS server to have permission to access it.<\/p>\n\n\n\n

If you don\u2019t wish to use the tools which make use of WMI (everything except the Ping tool), then you can ignore this section.<\/p>\n\n\n\n

The easiest way to configure WMI is by adding the OVERLAPS server’s computer account to the Local Administrators group of the computers it needs to manage.<\/p>\n\n\n\n

Alternatively, to setup the precise permissions manually, follow the below guide. Most of these settings are configured in Group Policy except for the first, which must be done on each computer.<\/p>\n\n\n\n

WMI Namespace Permissions (locally on each computer)<\/h2>\n\n\n\n
    \n
  1. On the computer to be managed, run wmimgmt.msc in a command prompt<\/li>\n\n\n\n
  2. Right-click WMI Control (Local), and select Properties<\/li>\n\n\n\n
  3. Select the Security tab<\/li>\n\n\n\n
  4. Select Root and click the Security button,<\/li>\n\n\n\n
  5. Click the Add\u2026 button<\/li>\n\n\n\n
  6. Click the Object Types button and make sure Computers is selected<\/li>\n\n\n\n
  7. Enter the name of the OVERLAPS server and click Check Names. The computer object of the server is now filled in automatically<\/li>\n\n\n\n
  8. Click OK<\/li>\n\n\n\n
  9. Click Advanced<\/li>\n\n\n\n
  10. Select the OVERLAPS server in the list<\/li>\n\n\n\n
  11. Click Edit<\/li>\n\n\n\n
  12. In the Applies to list, select This namespace and subnamespaces<\/li>\n\n\n\n
  13. Check the permissions boxes for: Execute Methods, Enable Account, Remote Enable and Read Security<\/li>\n\n\n\n
  14. Click OK in each dialog until you have exited back to the main window.<\/li>\n<\/ol>\n\n\n\n

    User Rights Assignment (Group Policy)<\/h2>\n\n\n\n

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment<\/strong><\/p>\n\n\n\n

    The OVERLAPS server may require to be added to the following policies to grant it permission to remotely manage computers:<\/p>\n\n\n\n

      \n
    1. Act as part of the operating system<\/li>\n\n\n\n
    2. Impersonate a client after authentication<\/li>\n\n\n\n
    3. Log on as batch job<\/li>\n\n\n\n
    4. Log on as a service<\/li>\n<\/ol>\n\n\n\n

      DCOM Machine Access Restrictions and Machine Launch Restrictions (Group Policy)<\/h2>\n\n\n\n

      Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options<\/strong><\/p>\n\n\n\n

        \n
      1. Double click the \u201cDCOM: Machine Access Restrictions\u2026\u201d setting<\/li>\n\n\n\n
      2. Check the \u201cDefine this policy setting\u201d box<\/li>\n\n\n\n
      3. Click \u201cEdit Security\u201d<\/li>\n\n\n\n
      4. Click \u201cAdd\u201d<\/li>\n\n\n\n
      5. Click \u201cObject Types\u201d<\/li>\n\n\n\n
      6. Check the \u201cComputers\u201d option<\/li>\n\n\n\n
      7. Enter the name of the OVERLAPS server followed by \u201c$\u201d (e.g. \u201cmyserver$\u201d)<,\/li><\/li>\n\n\n\n
      8. Click OK<\/li>\n\n\n\n
      9. With the server selected, check the Allow option for \u201cLocal Access\u201d and \u201cRemote Access\u201d<\/li>\n\n\n\n
      10. Repeat these steps for \u201cDCOM: Machine Launch Restrictions\u2026\u201d, except checking Allow for all four options.<\/li>\n<\/ol>\n\n\n\n

        Firewall Setup (if using the Windows Firewall) (Group Policy)<\/h2>\n\n\n\n

        Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules<\/strong><\/p>\n\n\n\n

          \n
        1. Right click on the right pane and select New Rule<\/li>\n\n\n\n
        2. Select Predefined and Windows Management Instrumentation (WMI) in the list<\/li>\n\n\n\n
        3. Click Next<\/li>\n\n\n\n
        4. Tick all the Windows Management Instrumentation-rules in the list (usually 3 items)<\/li>\n\n\n\n
        5. Click Next<\/li>\n\n\n\n
        6. Select Allow the Connection<\/li>\n\n\n\n
        7. Click Finish<\/li>\n<\/ol>\n\n\n\n

          Enable the Windows Management Instrumentation (WMI) and the Remote Procedure Call (RPC) Services (Group Policy)<\/h2>\n\n\n\n

          Computer Configurations > Preferences > Control Panel Settings > Services<\/strong><\/p>\n\n\n\n

            \n
          1. Right click in the right pane, select New -> Service<\/li>\n\n\n\n
          2. Change Startup to Automatic<\/li>\n\n\n\n
          3. Click the \u201c\u2026\u201d button next to \u201cService name\u201d<\/li>\n\n\n\n
          4. Scroll down to Windows Management Instrumentation (Winmgmt) and select it<\/li>\n\n\n\n
          5. Change \u201cService action\u201d to \u201cStart service\u201d<\/li>\n\n\n\n
          6. Repeat this for the Remote Procedure Call (RPC) (RpcSs) service.<\/li>\n<\/ol>\n\n\n\n

            Access Denied<\/h2>\n\n\n\n

            If you have done all of these steps but are still getting an \u201cAccess Denied\u201d or \u201cPrivilege not held\u201d error, refer to the Microsoft Support article below:<\/p>\n\n\n\n

            https:\/\/support.microsoft.com\/en-au\/help\/4020459\/privilege-not-held-error-with-powershell-stop-computer-command-and-pow<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

            Most of the Computer Management Tools (CMT) require the Windows Management Instrumentation (WMI) interface to be configured and enabled on your clients, and for the OVERLAPS server to have permission to access it. If you don\u2019t wish to use the tools which make use of WMI (everything except the Ping tool), then you can ignore […]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":30,"menu_order":300,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-344","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/comments?post=344"}],"version-history":[{"count":2,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/344\/revisions"}],"predecessor-version":[{"id":354,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/344\/revisions\/354"}],"up":[{"embeddable":true,"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/pages\/30"}],"wp:attachment":[{"href":"https:\/\/overlaps.co.uk\/docs\/wp-json\/wp\/v2\/media?parent=344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}