Platform
Solution
Industry
Role
There is no result.
PROCUCT DOCUMENTATION
SUBSCRIBE

Credentials for Accessing Remote Windows Computers

In this article

No further credential modification is needed, if the Collector is running as an account with the right to connect to the remote computers.

If you are only monitoring a machine where the Collector is installed, Local System can be used; we recommend using a user with only the least privilege permissions by following the instructions in Migrating Windows Collector from Admin to Non-admin User.

If the account credentials for the Collector service do not have access rights to the remote computers you want to monitor. In that case, you can explicitly provide the credentials belonging to a user with the least privilege permissions on the computers to be queried. To do this using WMI, specify the following properties at the appropriate level (i.e., global, group, or resource level):

  • wmi.user—Assign the username of an account with the least privilege permissions on the computers to be queried to this property.
  • wmi.pass—Assign the password of an account with the least privilege permissions on the computers to be queried to this property.
  • wmi.authType—Specifies the protocol to authenticate remote WMI hosts. The supported protocols are NTLMv1, NTLMv2, and Kerberos. Starting with EA Collector 37.300, the default authentication protocol is NTLMv2 (replacing the previous default protocol, NTLMv1). When using the Kerberos protocol, you must use the ServerName or FQDN to add a device and start your Collector services using AD account credentials instead of the Local System.

To configure the least privilege permissions for WMI, see Windows Server Monitoring and Principle of Least Privilege.

To configure WinRM monitoring instead of WMI, see Configuring WinRM for Windows Collector. 

For more information on assigning properties, see Resource and Instance Properties.

A local non-domain account on a remote computer that is a domain member is possible. This is not recommended, even if the account is in the Administrators group. Doing so will subject the WMI access to UAC filtering in Vista and later OSs, limiting the data that can be collected. You may also trigger account lockout alerts.

Please note that the remote perfmon collection is not supported when using SYSTEM accounts, regardless of pdh.user/pdh.pass property usage.