I work in an active directory environment with many servers. I have a user account that I would like to use to check the status of other servers, without giving this account full administrative access to these other servers. Specifically, I want to check the drive space on these servers, and I'd like to do it with Powershell.
I have executed Enable-PSRemoting on the target server, and I can successfully invoke Get-PSDrive on them remotely using administrator credentials. The results are returned almost immediately, and include information about the used / free space on all drives.
However, when I run the same command (Invoke-Command -computer remoteserver1 {Get-PSDrive -PSProvider FileSystem}
) as the non-administrative user, the results come back very slowly (takes about 30 seconds), and none of the drives have any information about their used / free space.
What I have done so far:
- I have added the non-administrative user account to the Remote Management Users group on the target server.
- Edited SDDL for scmanager (on the target server) to add the same DiscretionaryACL for Remote Management Users as Built-in Administrators have.
- Per this post, I have granted this user WMI permissions in wmimgmt.exe > WIM Control (Local) > (right click) > Properties > Security tab > Expand 'Root' > click on SECURITY node > click 'Security' button > added non-admin user with full access.
- Added user to the Distributed COM Users group on the target server.
Some also suggested trying Invoke-Command -computer remoteserver1 {Get-WmiObject -Class Win32_MappedLogicalDisk}
to troubleshoot, but it comes back 'Access is denied.' I believe if I could get Get-WmiObject
working successfully for this limited user, it would solve my issue.
What should I do to get this limited user account the access they need to check drive space on other servers? without giving the account admin rights, and preferably without having to map and unmap any drives?