Delegating with WMI

When you run a script on a local system that obtains data from a remote system, WMI supplies your credentials to the provider of the data on the remote system. This requires only an impersonation level of Impersonate, because only one network hop is required. However, if the script connects to WMI on the remote system and attempts to open a log file on an additional remote system, then the script fails unless the impersonation level is Delegate. Delegate impersonation level is required by any operation that involves more than one network hop. For more information about DCOM security in WMI, see Setting Client Application Process Security. For more information about a one-network hop connection between two computers, see Connecting to WMI on a Remote Computer.

To use delegation to connect to a computer through another computer

  1. Enable delegation in Active Directory (Active Directory Users and Computers in Control Panel Administrative Tasks) on the domain controller. The account on the remote system must be marked as Trusted for delegation, and the account on the local system must not be marked as Account is sensitive and cannot be delegated. The local system, the remote system, and the domain controller must be members of the same domain or of trusted domains.

    Note: Using delegation is a security risk because it gives processes outside of your direct control the ability to use your credentials.

  2. Modify your code in the following manner to indicate that you want to use delegation.

    PowerShell

    Set the -Impersonation parameter on the WMI cmdlet to Delegate.

    VBScript

    Set the impersonationLevel parameter to Delegate in the call to SWbemLocator.ConnectServer, or set impersonationLevel=Delegate in the moniker string. You can also set the impersonation level in an SWbemSecurity object.

    C++

    Set the impersonation level parameter to RPC_C_IMP_LEVEL_DELEGATE in the call to CoInitializeSecurity or CoSetProxyBlanket. For more information about when to make these calls, see Initializing COM for a WMI Application.

    To pass the client identity to remote COM servers in C++, set cloaking in the call to CoSetProxyBlanket. For more information, see Cloaking.
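    The following PowerShell script is an added example and is not part of the original page. It checks the two Active Directory settings from step 1 with the ActiveDirectory module (Get-ADComputer and Get-ADUser), then performs the connection from step 2 with the WMI cmdlet's -Impersonation and -Authority parameters. Computer_B, MyDomain, AdminAccount and the helper function names are placeholders and assumptions of this example.

```powershell
# Added example (not from the original page). Requires Windows PowerShell and the
# ActiveDirectory module (RSAT). Computer names and account names are placeholders.

function Test-WmiDelegationPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $RemoteComputer,   # computer that will forward your identity (Computer_B)
        [Parameter(Mandatory)] [string] $UserName          # sAMAccountName of the account running the script
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 1: the remote computer account must be trusted for delegation...
    $computer = Get-ADComputer -Identity $RemoteComputer -Properties TrustedForDelegation
    # ...and the calling account must not be marked "Account is sensitive and cannot be delegated".
    $user = Get-ADUser -Identity $UserName -Properties AccountNotDelegated

    $trusted  = [bool]$computer.TrustedForDelegation
    $blocked  = [bool]$user.AccountNotDelegated
    [pscustomobject]@{
        RemoteComputer       = $RemoteComputer
        TrustedForDelegation = $trusted
        UserName             = $UserName
        AccountNotDelegated  = $blocked
        DelegationPossible   = $trusted -and -not $blocked
    }
}

function Get-WmiClassDelegated {
    param(
        [Parameter(Mandatory)] [string] $RemoteComputer,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Class,
        [pscredential] $Credential
    )
    # Step 2: Delegate impersonation plus a Kerberos authority. Kerberos is required
    # because NTLM cannot forward the caller's identity over a second network hop.
    $params = @{
        ComputerName  = $RemoteComputer
        Namespace     = 'Root\CIMv2'
        Class         = $Class
        Impersonation = 'Delegate'
        Authority     = "kerberos:$Domain\$RemoteComputer"
    }
    if ($Credential) { $params['Credential'] = $Credential }
    Get-WmiObject @params
}

# Usage with placeholder names. Run the prerequisite check first so a failed
# second hop can be traced to the AD configuration rather than to the script.
$check = Test-WmiDelegationPrerequisites -RemoteComputer 'Computer_B' -UserName 'AdminAccount'
$check | Format-List
if ($check.DelegationPossible) {
    Get-WmiClassDelegated -RemoteComputer 'Computer_B' -Domain 'MyDomain' -Class 'Win32_OperatingSystem' |
        Select-Object CSName, Caption
}
```

The prerequisite check reads only two attributes, so it can be run by any account with read access to the directory; the connection itself behaves exactly like the page's moniker and ConnectServer examples, with the impersonation level and authority passed as cmdlet parameters instead of being embedded in a string.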

Examples

The following code example shows a moniker string that sets the impersonation to Delegate. Be aware that the authority must be set to Kerberos.

Set objWMIServices = GetObject("winmgmts:{impersonationLevel=Delegate,authority=kerberos:MyDomain\Computer_B}!\\Computer_B\Root\CIMv2")

The following code example shows how to set impersonation to Delegate (a value of 4) using SWbemLocator.ConnectServer.

' Placeholder values; replace with the target computer and an account that is allowed to delegate.
Computer_B   = "Computer_B"
AdminAccount = "Domain\AdminAccount"
MyPassword   = "MyPassword"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
' ConnectServer parameters are: server, namespace, user, password, locale, authority.
' The locale slot is left empty so that the Kerberos authority is passed as the sixth parameter.
Set objWMIService = objLocator.ConnectServer(Computer_B, _
                                             "Root\CIMv2", _
                                             AdminAccount, _
                                             MyPassword, _
                                             "", _
                                             "kerberos:Domain\Computer_B")
' 4 = wbemImpersonationLevelDelegate
objWMIService.Security_.ImpersonationLevel = 4

Securing a Remote WMI Connection

Creating Processes Remotely with WMI