Thursday, April 14, 2005

Querying the MicrosoftExchangeV2 namespace remotely in WMI without admin rights

A few people asked about this today so I thought I'd share this with everyone

Be default the Exchange WMI namespace root/MicrosoftExchangeV2 is only query-able remotely by Administrators because of the default security that is applied to it. If you need to query this namespace and any of the classes within it remotely using a user other then a administrator what you need to do is change the permissions on the root/MicrosoftExchangeV2 object so that this particular user has the Remote enable right.This is a per server thing so needs to be done on every server that you want these users to have this access. Giving a user Remote enable right gives them the right to connect to the namespace and issue a query but to actually return data from any of the class's like Exchange_Mailbox the user will still require View only Exchange Admin rights.

Before you make any changes you should consider the security implications around doing this (eg your server is now less secure then it was before because you've given rights to a user to do something that couldn't be done previous although you have gained some functionality out of doing so).

Some Doco on modifying WMI namespace security can be found here and here