When you run a script on Computer A that obtains data from Computer B, WMI is supplying your credentials to the
provider of the data on Computer B. This requires only an impersonation level of
Impersonate because only one network hop is required. However, if the script connects to
WMI on Computer B and attempts to open a log file on Computer C, then the script fails unless the impersonation
level is Delegate. Delegate impersonation level is required by
any operation that involves more than one network hop. For more information about DCOM security in WMI, see
Setting Client Application Process Security.
For more information about a one-network hop connection between two computers, see
Connecting to WMI on a Remote Computer.
The following procedure describes how to connect a computer to other computers.
To connect a computer to other computers
- Enable delegation in Active Directory (Active Directory Users and Computers in
Control Panel Administrative Tasks) on the domain controller. The account on Computer B must be
marked as Trusted for delegation and the account on Computer A must not be marked as
Account is sensitive and cannot be delegated. Computer A, Computer B, and the domain
controller must be members of the same domain or in trusted domains.
Note: Using delegation is a security risk because it gives processes outside of your direct control the ability
to use your credentials.
- Set the impersonation level parameter to RPC_C_IMP_LEVEL_DELEGATE in the call to
CoInitializeSecurity or
CoSetProxyBlanket in C++. For more information about
when to make these calls, see
Initializing COM for a WMI Application.
In scripting, set the impersonationLevel parameter to
Delegate in the call to
SWbemLocator.ConnectServer or
Delegate in the
moniker string. You can also set the
impersonation in a SWbemSecurity object.
- To pass the client identity to remote COM servers in C++, set cloaking in the call to
CoSetProxyBlanket. For more information, see
Cloaking.
The following code example shows a moniker string that sets the impersonation to
Delegate. Be aware that the authority must be set to Kerberos.
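' Build the moniker by concatenation: a line continuation cannot sit inside a string literal.
Set objWMIServices = GetObject("winmgmts:" & _
    "{impersonationLevel=Delegate," & _
    "authority=kerberos:MyDomain\Computer_B}!\\ComputerB\root\cimv2")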
The following code example shows how to set impersonation to
Delegate (a value of 4) using
SWbemLocator.ConnectServer.
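' Computer_B, AdminAccount and MyPassword are variables the caller sets beforehand.
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
' Argument order: server, namespace, user, password, locale, authority.
Set objWMIService = objLocator.ConnectServer(Computer_B, _
    "root\cimv2", AdminAccount, MyPassword, _
    "", "kerberos:Domain\Computer_B")
objWMIService.Security_.ImpersonationLevel = 4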
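The check below is an added example, not code from the original page: it tests the two Active Directory prerequisites from the first step of the procedure by decoding the userAccountControl attribute of the account used on Computer A and of Computer B's account. The function names, the constructed sample values and the distinguished names in the commented live check are assumptions made for illustration.

```vbscript
Option Explicit

' userAccountControl bits behind the two check boxes named in the procedure.
Const UF_TRUSTED_FOR_DELEGATION = &H80000   ' "Trusted for delegation"
Const UF_NOT_DELEGATED = &H100000           ' "Account is sensitive and cannot be delegated"

' Returns "" when both prerequisites are met, otherwise the reasons a
' Delegate-level call from the client account through the server would fail.
Function DelegationBlockers(clientUac, serverUac)
    Dim reasons
    reasons = ""
    If (serverUac And UF_TRUSTED_FOR_DELEGATION) = 0 Then
        reasons = reasons & "server account is not trusted for delegation; "
    End If
    If (clientUac And UF_NOT_DELEGATED) <> 0 Then
        reasons = reasons & "client account is sensitive and cannot be delegated; "
    End If
    DelegationBlockers = reasons
End Function

' Reads userAccountControl through ADSI for a caller-supplied distinguished name.
Function ReadUac(distinguishedName)
    ReadUac = GetObject("LDAP://" & distinguishedName).Get("userAccountControl")
End Function

Sub Report(label, clientUac, serverUac)
    Dim reasons
    reasons = DelegationBlockers(clientUac, serverUac)
    If reasons = "" Then
        WScript.Echo label & ": prerequisites met, Computer B can reuse the caller's credentials"
    Else
        WScript.Echo label & ": blocked, " & reasons
    End If
End Sub

' Constructed sample values: 512 = normal user account, 4096 = workstation trust account.
Report "B trusted, A normal", 512, 4096 Or UF_TRUSTED_FOR_DELEGATION
Report "B not trusted", 512, 4096
Report "A marked sensitive", 512 Or UF_NOT_DELEGATED, 4096 Or UF_TRUSTED_FOR_DELEGATION

' Live check against a domain (hypothetical distinguished names, replace with your own):
' Dim uacA, uacB
' uacA = ReadUac("CN=AdminAccount,CN=Users,DC=example,DC=com")
' uacB = ReadUac("CN=COMPUTERB,CN=Computers,DC=example,DC=com")
' Report "live", uacA, uacB
```

Run it with cscript.exe. Because of the risk described in the note above, a "prerequisites met" result for a computer that has no need to forward credentials is a finding to review rather than a success.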
See Also
- Connecting Between Different Operating Systems
- Securing a Remote WMI Connection
- Connecting Through Windows Firewall
- Creating Processes Remotely
Build date: 11/3/2009