Enable WINRM with AD (Active Directory) GPO (Group Policy)


Purpose

This KB article explains how to configure WinRM from Active Directory so that the Domotz OS monitoring feature can be enabled on all your Windows endpoints: in short, how to run the enable_winrm_os_monitoring.ps1 script on every Windows endpoint through a Group Policy Immediate Task.

Instructions

Prerequisites:

Unzip the enable_winrm_os_monitoring.ps1 script package in a share the target computers can access. In our example we copied the script to the AD domain NETLOGON share (\\domotzlab.com\Netlogon).

  1. Copy the script to a share the target computers can access; in our example we copied the script to the AD domain NETLOGON share (\\domotzlab.com\Netlogon)
  2. Open the Group Policy Management console (gpmc.msc)
  3. Expand “Forest: <YOURDOMAIN>” (tree item)
  4. Expand “Domains” (tree item)
  5. Expand “<YOURDOMAIN>” (tree item)
  6. Select “Group Policy Objects” (tree item)
  7. Right-click “Group Policy Objects” (tree item) and select “New” (menu item)
  8. Type a name for your GPO; in this example we use “DomotzGroupPermissions”
  9. Click “OK”
  10. Select “DomotzGroupPermissions”
  11. Right-click “DomotzGroupPermissions”
  12. Click “Edit” (menu item)

  13. Expand “Preferences” (tree item)
  14. Expand “Control Panel Settings” (tree item)
  15. Select “Scheduled Tasks” (tree item)
  16. Right-click “Scheduled Tasks” and select “New”
  17. Click “Immediate Task (At least Windows 7)” (menu item)

  18. Type a name for your immediate task
  19. Click “Change User or Group…” and select the “SYSTEM” account
  20. Select “Run whether user is logged on or not” (radio button)
  21. Check “Run with highest privileges” (check box)

  22. Click the “Actions” tab
  23. Click “New…”
  24. Verify that “Start a Program” is selected in the drop-down menu
  25. Click “Program/script:” and add the following:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  26. Click “Add arguments (optional)” and add the following:

    -noprofile -executionpolicy bypass -f <YOUR_SHARE_PATH>\enable_winrm_os_monitoring.ps1 -Username <DOMAIN\USER> -GroupName <DOMAIN\GROUP> -LogFilePath c:\Windows\temp

    Note that <DOMAIN\USER> must exist and be a member of <DOMAIN\GROUP>.

    Example:

      -noprofile -executionpolicy bypass -f \\domotzlab.com\NETLOGON\enable_winrm_os_monitoring.ps1 -Username DOMOTZLAB\DomotzAgent -GroupName DOMOTZLAB\DomotzWinRM -LogFilePath c:\Windows\temp

Please note that the domain name must be given in the NetBIOS (pre-Windows 2000) DOMAIN\name format when specifying Username and GroupName, not as the DNS domain name.

For example:

-Username DOMOTZLAB\DomotzAgent -GroupName DOMOTZLAB\DomotzWinRM

and not

-Username domotzlab.com\DomotzAgent -GroupName domotzlab.com\DomotzWinRM


  27. Click “OK” on the action
  28. Click “OK” on the task
  29. Close the GPO editor
  30. Link the newly created GPO to the OU containing the computers you want to grant access to the user you specified in the script arguments (step 26). The permissions are actually granted to the group, which is why the user must be a member of it. You can grant permissions to other users simply by adding them to the group.

Note that the GPO creates a scheduled task on each target computer. The scheduled task runs just once and is then deleted. You’ll find the log in c:\windows\temp\<COMPUTERNAME>-enable_winrm_os_monitoring-<TIMESTAMP>.log
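To confirm on an endpoint that the immediate task actually ran and that the result matches what the steps above expect, the following PowerShell check is an added example; it is not part of this KB or of the Domotz enable_winrm_os_monitoring.ps1 script, and it assumes the example group DomotzWinRM, user DomotzAgent and log directory C:\Windows\temp used above.

```powershell
# Added verification script (not from the Domotz KB or its enable_winrm_os_monitoring.ps1).
# Run on a domain-joined target endpoint after the GPO has applied (e.g. after gpupdate /force).
# Assumed values: group DomotzWinRM, user DomotzAgent, log directory C:\Windows\temp (from the KB example).
param(
    [string]$GroupSam = 'DomotzWinRM',
    [string]$UserSam  = 'DomotzAgent',
    [string]$LogDir   = 'C:\Windows\temp'
)

$results = [ordered]@{}

# 1. Did the task leave its log? Name pattern from the KB: <COMPUTERNAME>-enable_winrm_os_monitoring-<TIMESTAMP>.log
$log = Get-ChildItem -Path $LogDir -Filter "$env:COMPUTERNAME-enable_winrm_os_monitoring-*.log" -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
$results['LogFound'] = [bool]$log
if ($log) { $results['LogPath'] = $log.FullName }

# 2. Is the WinRM service running and at least one WS-Management listener configured?
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$results['WinRMRunning'] = [bool]($svc -and $svc.Status -eq 'Running')
$results['ListenerPresent'] = [bool](Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)

# 3. Does the local WS-Management endpoint answer?
try { $null = Test-WSMan -ErrorAction Stop; $results['TestWSMan'] = $true } catch { $results['TestWSMan'] = $false }

# 4. Is the user a member of the group? The KB grants permissions to the group, so membership is required.
#    An ADSI searcher works on a domain-joined host without the RSAT ActiveDirectory module.
$grp = ([ADSISearcher]"(&(objectCategory=group)(sAMAccountName=$GroupSam))").FindOne()
$usr = ([ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$UserSam))").FindOne()
$results['UserInGroup'] = [bool]($grp -and $usr -and
    (@($grp.Properties['member']) -contains $usr.Properties['distinguishedname'][0]))

# 5. The immediate task runs once and is deleted, so it should no longer be registered.
$results['ImmediateTaskStillPresent'] = [bool](Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions.Arguments -like '*enable_winrm_os_monitoring.ps1*' })

[pscustomobject]$results
```

A healthy endpoint shows LogFound, WinRMRunning, ListenerPresent, TestWSMan and UserInGroup as True and ImmediateTaskStillPresent as False; a task that is still registered or a missing log means the GPO has not applied yet or the task failed, and the log file is the place to look.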
