Enable WINRM with AD (Active Directory) GPO (Group Policy)

2 min


This kb article, explains how to configure WinRM to unlock Domotz os monitoring feature on all your windows endpoints from the AD: in a few words, how to launch the enable_winrm_os_monitoring.ps1 script on all your windows endpoint using an Immediate Task.



Unzip it in a share the target computers can access, in our example we copied the script in the AD domain NETLOGON share (\domotzlab.com\Netlogon)

  1. Copy the script in a share the target computers can access, in our example we copied the script in the AD domain NETLOGON share (\\domotzlab.com\Netlogon)
  2. Open the Group Policy Management console (gpmc.msc)
  3. expand “Forest: <YOURDOMAIN>” (tree item)
  4. expand “Domains” (tree item)
  5. expand “<YOURDOMAIN> ” (tree item)
  6. select “Group Policy Objects” (tree item)
  7. right click on “Group Policy Objects” (tree item) and select “New” (menu item)
  8. Type a name for your GPO, in this example we use ‘DomotzGroupPermissions’
  9. click on “OK”
  10. select “DomotzGroupPermissions “
  11. right click on “DomotzGroupPermissions “
  12. click on “Edit” (menu item)

  13. Expand “Preferences” (tree item)
  14. Expand “Control Panel Settings” (tree item)
  15. Select “Scheduled Tasks” (tree item)
  16. right click on “Scheduled Tasks” and select ‘New’
  17. click on “Immediate Task (At least Windows 7)” (menu item)

  18. Type a name for your immediate task
  19. click on “Change User or Group…” and select the ‘SYSTEM’ account
  20. check “Run whether user is logged on or not (radio button)”
  21. check “Run with highest privileges (check box)”

  22. click on “Actions (tab item)”
  23. click on “New…”
  24. Verify that ‘Start a Program’ is selected in the drop-down menu.
  25. click on “Program/script: ” and add the following
  26. click on “Add arguments(optional)” and add the following:

    -noprofile -executionpolicy bypass -f <YOUR_SHARE_PATH>\enable_winrm_os_monitoring.ps1 -Username <DOMAIN\USER> -GroupName <DOMAIN\GROUP> -LogFilePath c:\Windows\temp
    1. Note that <DOMAIN\USER> must exist and be a member of <DOMAIN\GROUP>
    2. Example:

      -noprofile -executionpolicy bypass -f \\domotzlab.com\NETLOGON\enable_winrm_os_monitoring.ps1 -Username DOMOTZLAB\DomotzAgent -GroupName DOMOTZLAB\DomotzWinRM -LogFilePath c:\Windows\temp

Please note that the domain name should be used in the old format when specifying username and Groupname.

For example:

-Username DOMOTZLAB\DomotzAgent -GroupName DOMOTZLAB\DomotzWinRM

and not

-Username domotzlab.com\DomotzAgent -GroupName domotzlab.com\DomotzWinRM

  1. click on “OK” on the action

  2. click on “OK” on the task

  3. Close the GPO editor
  4. Link the newly created GPO to the OU containing the computers you want to grant access to the user you selected in #25, the permissions are actually granted to the group, that’s why the user must be a member. You can rant permissions to different users just by adding them to the group.

Note that the GPO will create a scheduled task on the target computers. The Scheduled Task will run just once and then get deleted. You’ll find the log in c:\windows\temp\<COMPUTERNAME>-enable_winrm_os_monitoring-<TIMESTAMP>.log

Share via Social Networks

You might also like…

Read more top posts in this category

Want more tips on Network Monitoring?

Ready to get started with Domotz?

  • Powerful
  • Automated
  • Simple
  • Affordable
Start Your Free Trial Contact Sales