Enable WINRM with AD (Active Directory) GPO (Group Policy)

Purpose

This KB article explains how to configure WinRM, which unlocks the Domotz OS monitoring feature, on all your Windows endpoints from Active Directory: in short, how to run the enable_winrm_os_monitoring.ps1 script on every Windows endpoint using a Group Policy Immediate Task.

Instructions

Download this script:
https://github.com/domotz/support_scripts/raw/main/os_monitoring/enable_winrm_os_monitoring.zip

Unzip it to obtain enable_winrm_os_monitoring.ps1.

  1. Copy the script to a share the target computers can access. In our example we copied it to the AD domain NETLOGON share (\\domotzlab.com\Netlogon)
  2. Open the Group Policy Management console (gpmc.msc)
  3. Expand “Forest: <YOURDOMAIN>” (tree item)
  4. Expand “Domains” (tree item)
  5. Expand “<YOURDOMAIN>” (tree item)
  6. Select “Group Policy Objects” (tree item)
  7. Right click on “Group Policy Objects” (tree item) and select “New” (menu item)
  8. Type a name for your GPO; in this example we use “DomotzGroupPermissions”
  9. Click on “OK”
  10. Select “DomotzGroupPermissions”
  11. Right click on “DomotzGroupPermissions”
  12. Click on “Edit” (menu item)

  13. Expand “Preferences” (tree item)
  14. Expand “Control Panel Settings” (tree item)
  15. Select “Scheduled Tasks” (tree item)
  16. Right click on “Scheduled Tasks” and select “New”
  17. Click on “Immediate Task (At least Windows 7)” (menu item)

  18. Type a name for your immediate task
  19. Click on “Change User or Group…” and select the “SYSTEM” account
  20. Check “Run whether user is logged on or not” (radio button)
  21. Check “Run with highest privileges” (check box)

  22. Click on “Actions” (tab item)
  23. Click on “New…”
  24. Verify that “Start a program” is selected in the drop-down menu.
  25. Click on “Program/script:” and add the following:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  26. Click on “Add arguments (optional)” and add the following:

    -noprofile -executionpolicy bypass -f <YOUR_SHARE_PATH>\enable_winrm_os_monitoring.ps1 -Username <DOMAIN\USER> -GroupName <DOMAIN\GROUP> -LogFilePath c:\Windows\temp

    Note that <DOMAIN\USER> must exist and be a member of <DOMAIN\GROUP>. Example:

      -noprofile -executionpolicy bypass -f \\domotzlab.com\NETLOGON\enable_winrm_os_monitoring.ps1 -Username DOMOTZLAB\DomotzAgent -GroupName DOMOTZLAB\DomotzWinRM -LogFilePath c:\Windows\temp
  27. Click on “OK” on the action

  28. Click on “OK” on the task

  29. Close the GPO editor
  30. Link the newly created GPO to the OU containing the computers you want the user you passed to -Username (step 26) to be able to access. The permissions are actually granted to the group, which is why the user must be a member of it; you can grant the same access to other users simply by adding them to the group.

Note that the GPO will create a scheduled task on the target computers. The scheduled task runs just once and is then deleted. You’ll find the log at c:\windows\temp\<COMPUTERNAME>-enable_winrm_os_monitoring-<TIMESTAMP>.log
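The two checks a practitioner usually wants around this procedure are a pre-flight check of the prerequisites from step 26 (the user exists, is a member of the group, and the script is reachable on the share) and a post-run check on a target computer that WinRM is up and the log file described above was written. The following PowerShell is an added example and is not part of the Domotz script or of this article; the function names are our own, the pre-flight function assumes the RSAT ActiveDirectory module is installed on the workstation where you run it, and the account, group and share values are the example values from this article.

```powershell
# Added example (not the Domotz script): pre-flight and post-run checks for the WinRM GPO.
# Test-WinRmGpoPrereqs runs on a domain-joined admin workstation with the RSAT
# ActiveDirectory module; Get-WinRmGpoResult runs on a target computer after the
# Immediate Task has executed. Function names are hypothetical.

function Test-WinRmGpoPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Username,    # e.g. 'DOMOTZLAB\DomotzAgent'
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. 'DOMOTZLAB\DomotzWinRM'
        [Parameter(Mandatory)] [string] $ScriptPath   # e.g. '\\domotzlab.com\NETLOGON\enable_winrm_os_monitoring.ps1'
    )
    Import-Module ActiveDirectory -ErrorAction Stop   # assumption: RSAT AD module present
    $ok = $true

    # Strip the DOMAIN\ prefix; the AD cmdlets are queried by sAMAccountName.
    $userSam  = ($Username  -split '\\')[-1]
    $groupSam = ($GroupName -split '\\')[-1]

    $user  = Get-ADUser  -Filter "SamAccountName -eq '$userSam'"
    $group = Get-ADGroup -Filter "SamAccountName -eq '$groupSam'"
    if (-not $user)  { Write-Warning "User $Username does not exist";  $ok = $false }
    if (-not $group) { Write-Warning "Group $GroupName does not exist"; $ok = $false }

    # The script grants the permission to the group, so the user must be a
    # (possibly nested) member of it, otherwise the user gains nothing.
    if ($user -and $group) {
        $members = Get-ADGroupMember -Identity $group -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $user.SamAccountName) {
            Write-Warning "$Username is not a member of $GroupName; add it before linking the GPO"
            $ok = $false
        }
    }

    # The Immediate Task runs as SYSTEM on each computer, so the share must be
    # readable by the computer accounts; NETLOGON is, arbitrary shares may not be.
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        Write-Warning "Script not found at $ScriptPath"
        $ok = $false
    }
    return $ok
}

function Get-WinRmGpoResult {
    # Run on a target computer after the GPO has applied (gpupdate /force or the next refresh).
    param([string] $LogFilePath = "$env:windir\temp")   # matches -LogFilePath c:\Windows\temp

    # The script writes <COMPUTERNAME>-enable_winrm_os_monitoring-<TIMESTAMP>.log; take the newest one.
    $log = Get-ChildItem -Path $LogFilePath `
               -Filter "$env:COMPUTERNAME-enable_winrm_os_monitoring-*.log" `
               -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        WinRmService  = (Get-Service -Name WinRM).Status                  # expect 'Running'
        WsManAnswers  = [bool](Test-WSMan -ErrorAction SilentlyContinue)  # $true when the local WinRM listener replies
        LogFile       = if ($log) { $log.FullName } else { '<no log yet: task has not run>' }
        LogTail       = if ($log) { (Get-Content -Path $log.FullName -Tail 5) -join "`n" } else { $null }
    }
}

# Usage on the admin workstation (values are this article's examples):
# Test-WinRmGpoPrereqs -Username 'DOMOTZLAB\DomotzAgent' -GroupName 'DOMOTZLAB\DomotzWinRM' `
#     -ScriptPath '\\domotzlab.com\NETLOGON\enable_winrm_os_monitoring.ps1'
# Usage on a target computer:
# Get-WinRmGpoResult | Format-List
```

If Test-WinRmGpoPrereqs returns $false, fix the reported item before linking the GPO; the task will otherwise run once, fail, and delete itself, leaving only the log in c:\Windows\temp as evidence.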

Updated on November 16, 2022
