4

With Windows Server 2012 R2 I can use the group WinRMRemoteWMIUsers__ to enable remote PowerShell execution via -CimSession for non-admin users. However, the group is missing on my Windows Server 2016 machines and I do not see any replacement for it except the Remote Management Users group. However it seems to me that it grants wider permissions than WinRMRemoteWMIUsers__.

Where is the WinRMRemoteWMIUsers__ group in Windows Server 2016?

bahrep
  • 664
  • 1
  • 9
  • 27
  • `Get-LocalGroup` or `Get-ADGroup` should show it although according to the [Active Directory default security groups by operating system version](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-groupstable) table, `WinRMRemoteWMIUsers_` group does not seem to be present in _Windows Server 2016_ – JosefZ Apr 06 '18 at 13:16
  • @JosefZ no, `Get-LocalGroup` does not show *WinRMRemoteWMIUsers_*. – bahrep Apr 06 '18 at 13:18
  • https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx suggests the group is created during WinRM configuration. Can you try `winrm quickconfig` to see if it recreates what you need? If it does, I'll write up a more comprehensive answer. – Matthew Wetmore Apr 11 '18 at 03:55

1 Answers1

3

KB3118385 seems to suggest that you can manually create it. Have you tried doing that?

EDIT: As Matthew stated below, here are the commands. Thanks Matthew!

net localgroup WinRMRemoteWMIUsers__

And if that fails:

net localgroup /add WinRMRemoteWMIUsers__
Mike M
  • 1,132
  • 4
  • 11
  • It does not seem to be the same problem as KB3118385 because the computer is not a domain controller and the group has to be local, that's not a domain group. – bahrep Apr 10 '18 at 13:57
  • I understand. I was only suggesting that since KB3118385 implies that it can be manually created, that maybe it can be manually created on Server 2016 as well. – Mike M Apr 10 '18 at 14:10
  • 1
    This appears correct based on Windows test collateral. While I've worked near this team, this is not an "official" statement of support by the owners. Try `net localgroup WinRMRemoteWMIUsers__` or if that fails, `net localgroup /add WinRMRemoteWMIUsers__` If this works, Mike can add these steps to his answer and claim the bounty. He needs/deserves the bounty more than I do. :) (Welcome to Server Fault, Mike!) – Matthew Wetmore Apr 11 '18 at 04:12
  • Thank you! Creating the group manually works. I don't understand why the group is missing in Windows Server 2016. – bahrep Apr 11 '18 at 13:19