Thursday, April 14, 2005

Querying the MicrosoftExchangeV2 namespace remotely in WMI without admin rights

A few people asked about this today so I thought I'd share this with everyone

Be default the Exchange WMI namespace root/MicrosoftExchangeV2 is only query-able remotely by Administrators because of the default security that is applied to it. If you need to query this namespace and any of the classes within it remotely using a user other then a administrator what you need to do is change the permissions on the root/MicrosoftExchangeV2 object so that this particular user has the Remote enable right.This is a per server thing so needs to be done on every server that you want these users to have this access. Giving a user Remote enable right gives them the right to connect to the namespace and issue a query but to actually return data from any of the class's like Exchange_Mailbox the user will still require View only Exchange Admin rights.

Before you make any changes you should consider the security implications around doing this (eg your server is now less secure then it was before because you've given rights to a user to do something that couldn't be done previous although you have gained some functionality out of doing so).

Some Doco on modifying WMI namespace security can be found here and here

4 comments:

The Creels said...

Could you give me an example of using alternate credentials on the WMI call? I'm thinking

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIExchange = objSWbemLocator.ConnectServer _
(cComputerName, cWMINameSpace, "dom\user", "pwd")
objWMIExchange.Security_.ImpersonationLevel = 3

but I'm struggling a bit... Are there other issues I should be thinking of?

Glen said...

The scripting guys did a real good article on this with lot of samples have a look at http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1213.mspx

The Creels said...

Thanks, Glen -- I'm good now... Looks like I had it right, but the account I'm using wasn't an admin on 1 of our boxes... Thanks again!

pike said...

Just so you know, the link, in your comment, in your post: "C# WMI Exchange samples" doesn't work.

Thanks for the great exchange info, keep it up.