Winscripter
  WSH
  Forums
  Downloads
  Books
  Links
  Amazon




Login
Register

© winscripter.com
1998-2004







Howto: WMI Impersonation Levels

Posted by on Monday, January 19, 2004 (PST)

Howto: Covers the Impersonation Levels used by WMI.

Description

It is sometimes necessary to set the impersonation level that WMI will use. Without the necessary impersonation level, WMI may refuse a request or provide incomplete information.

WMI defaults to wbemImpersonateLevelImpersonate under the current WMI release (May 2001) if you do not set the impersonation level in your code and have not modified the registry.

In short, the setting the impersonation level of WMI tells the system whos credentials to use when making the call. This allows the administrator to restrict who can make certain changes to the system.

WMI integrates with NT security and permissions can be set to nodes. Currently, WMI only supports setting root or near root level node permissions.

 

 
Name Value Description
wbemImpersonationLevelAnonymous 1 Hides the credentials of the caller. Calls to WMI may fail with this impersonation level.
wbemImpersonationLevelIdentify 2 Allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level.
wbemImpersonationLevelImpersonate 3 Allows objects to use the credentials of the caller. This is the recommended impersonation level for WMI Scripting API calls.
wbemImpersonationLevelDelegate 4 Allows objects to permit other objects to use the credentials of the caller. This impersonation, which will work with WMI Scripting API calls but may constitute an unnecessary security risk, is supported only under Windows 2000.

 

var Service = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");

or

var Service = GetObject("winmgmts:\\\\.\\root\\cimv2");
Service.Security_.ImpersonationLevel = 3;

Comments:

WMI Impersonation Levels
By mukund on Thursday, May 17, 2007 (PST)

Hello,

 

Can you please suggest how to set “impersonation level” in WMI CIMStuido, I am using windows 2003 server OS.
 
1) wbemImpersonationLevelAnonymous:  Hides the credentials of the   caller. Calls to WMI may fail with this impersonation level. 

Query: How to validated expected conditions

Answer:

 

2) wbemImpersonationLevelIdentify:  Allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level. 

Query: How to validated expected conditions

Answer:

 

3) wbemImpersonationLevelImpersonate:  Allows objects to use the credentials of the caller. This is the recommended impersonation level for WMI Scripting API calls.

Query: How to validated expected conditions

Answer:

 

4) wbemImpersonationLevelDelegate: Allows objects to permit other objects to use the credentials of the caller. This impersonation, which will work with WMI Scripting API calls but may constitute an unnecessary security risk, is supported only under Windows 2000. 

Query: How to validated expected conditions

Answer:


 


 

Reply to this Comment

Add Your Comment



WSH and ADSI Administrative Scripting

New Articles
  • List installed COM objects and associated ProgIDs
    Script: Lists all COM Objects and their associated ProgIDs (If available). Win32_ClassicCOMClassSetting

  • Script: File Rotator
    Script: Rotate files where the most current file has the lowest number in the archive. When files exceed the retention period, they are deleted. Typically used for log files, backups, etc..

  • Script: Create IIS Website and DNS record
    Script: Dan Casier sent me this script that will create a website and appropriate DNS record. The script is intended for Windows 2000 Server with local DNS and necessary DNS mof installed.


  • Winscripter   |  WSH   |  Forums   |  Downloads   |  Books   |  Links   |  Amazon