How I set up target computers (desktops, laptops and servers) to be discovered by SpiceWorks using WMI. This SBS covers Windows XP SP2 or higher, Windows Vista, Windows 7, Server 2003 and Server 2008. I will modify later if I find I am missing something. This is a Step-By-Step document created by Paul Luciano, MCSE.
** NOTE **
In sections 2 and 3, I have broken the steps down for different operating systems. Please pay attention so you use the correct steps corresponding to the operating system you are using.
1.
Admin ID
TARGET: All Operating Systems
1. Set up an administrator ID that will be used on all computers in the network. This will have local (or domain) administrator and WMI rights.
2. Ensure that the ID and password are entered into SpiceWorks.
2.
Allow Ping
TARGET: XP, Vista, 7 and Server 2008
Ping the target computer from a remote PC. If the ping fails (ERROR: Request timed out), follow these steps.
Windows XP
1. Click Start
2. Click Control Panel
3. Double-click Windows Firewall
4. Click the Advanced tab
5. Click the Settings… button under ICMP
6. Check the Allow incoming echo request checkbox
7. Click OK three times
Windows 7
1. From the Start menu, search for Windows Firewall with Advanced Security.
2. Click it to bring up the application.
3. From the left pane, click Inbound Rules.
4. In the right pane, find the rules titled File and Printer Sharing (Echo Request - ICMPv4-In).
5. Right-click each rule and choose Enable Rule.
Windows Server 2008
1. Click Start
2. Click Control Panel
3. Double-click Administrative Tools
4. Double-click Windows Firewall with Advanced Security
5. From the left pane, click Inbound Rules.
6. Find the rule File and Printer Sharing (Echo Request – ICMPv4-In)
7. Right-click the rule and choose Enable Rule.
8. Close the window
3.
Enable Group Policy
TARGET: All Operating Systems
You need to set a policy on the computer to allow remote administration traffic through Windows Firewall.
Windows XP, Server 2003, Vista, 7
1. Click Start
2. Click Run
3. Type mmc
4. I clicked on "File" then "Add/Remove Snap-in".
5. I clicked on the "Add" button.
6. I selected "Group Policy Editor" and clicked on "Add".
7. Click Finish
8. Click Close
9. Click Close
10. Navigate to here:
Console Root
|- Local Computer Policy
|- |- Computer Configuration
|- |- |- Administrative Templates
|- |- |- |- Network
|- |- |- |- |- Network Connections
|- |- |- |- |- |- Windows Firewall
|- |- |- |- |- |- |- Standard Profile *
11. Double click on "Windows Firewall: Allow remote administration exception"
12. Set the configuration to "Enabled"
13. Type localsubnet in the "Allow unsolicited incoming messages from" field
14. Click OK
15. Click Start
16. Click Run
17. Type cmd and press Enter
18. Type gpupdate and press Enter
19. You should see the following:
C:\Documents and Settings\Administrator>gpupdate
Refreshing Policy...
User Policy Refresh has completed.
Computer Policy Refresh has completed.
* Under Windows Firewall there is also Domain Profile. It is possible you can use either or both. I used Standard Profile and it worked.
Windows Server 2008
1. Follow steps 1 through 10
2. Step 11, double-click on Windows Firewall: Allow inbound remote administration exception
3. All steps after are the same
4.
Link Admin ID to WMI Control
TARGET: All Operating Systems
1. Click Start
2. Enter compmgmt.msc in the search field
3. The Computer Management screen appears
4. Expand Services & Applications
5. Click on WMI Control
6. Right-click and choose Properties
7. Select the Security tab
8. Highlight Root
9. Click the Security button
10. Add the ID mentioned in PART ONE
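11. Grant the ID Allow permissions for EM (Execute Methods), FW (Full Write), PW (Partial Write), PrW (Provider Write), EA (Enable Account), RE (Remote Enable), RS (Read Security) and ES (Edit Security)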
12. Click the OK button
13. Click the OK button
NOTE: I have been liberal with granting permissions to a local admin ID. You should modify the settings to suit your own network security needs.
5.
Link Admin ID to DCOM
TARGET: All Operating Systems
1. Click Start
2. Enter dcomcnfg.exe in the search field
3. Expand Component Services
4. Expand Computers
5. Right-click on My Computer
6. Choose Properties
7. Click on the Default Properties tab
8. Check the Enable Distributed…computer checkbox
9. Check the Enable COM…computer checkbox
10. Verify the Default Authentication Level: is set to Connect
11. Verify the Default Impersonation Level: is set to Identify
12. Click the Apply button
13. Click on COM Security tab
14. Click the Edit Limits… button under Launch and Activation Permissions
15. Add the ID mentioned in PART ONE
16. Grant the ID Allow permissions for LL (Local Launch), RL (Remote Launch), LA (Local Activation) and RA (Remote Activation)
17. Click the OK button
18. Click the OK button
NOTE: I have been liberal with granting permissions to a local admin ID. You should modify the settings to suit your own network security needs.
NOTE: I have received this popup: Windows Security Alert – Do you want to keep blocking this program? Microsoft Management Console. I click the Unblock button.
NOTE: For Windows 7 and Server 2008, I received this message after step 12. Click Yes.
You are about to modify machine wide DCOM settings, this will effect all the applications on the machine, some applications may not work correctly as a result. Update DCOM settings?
6.
Local Security Policy
TARGET: XP only
1. Click Start
2. Enter secpol.msc in the search field
3. This will open up the Local Security Policy window.
4. Click Local Policies
5. Click Security Options
6. Scroll down to Network Access
7. Choose "Sharing and security model for local accounts"
8. This should be set to "Classic-local users authenticate as themselves"
9. Click OK
10. Exit Local Policy
7.
Disable UAC
TARGET: Vista and 7 only
1. Click Start
2. Type UAC in the Search programs and files field
3. Click on the "Change User Account Control Settings" link
4. Move the slider to the Never notify position
5. Click OK
6. If prompted to restart, do not; we will restart later
8.
Restart the Computer
TARGET: All operating systems
Restart the computer for all changes to take effect
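After the restart, the settings changed in sections 3, 5, 6 and 7 can be read back from the registry, which also leaves a record of what was loosened on each machine. This is an added example, not part of the original guide; it assumes Windows PowerShell 2.0 or later is installed on the target, and Get-RegValue is a helper name made up for this example.

```powershell
# Added example: read back the registry values behind the GUI steps above.
# Run locally on the target in an elevated Windows PowerShell 2.0+ session.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { '(not set)' }
}

$fw  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings'
$ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Guide section, description, key, value name, value the guide's steps produce.
$checks = @(
    @('3', 'Remote administration exception', $fw,  'Enabled',         1),
    @('3', 'Allowed source addresses',        $fw,  'RemoteAddresses', 'localsubnet'),
    @('5', 'Distributed COM enabled',         $ole, 'EnableDCOM',      'Y'),
    # For the two levels below, "(not set)" means the Windows default applies.
    @('5', 'Default authentication level',    $ole, 'LegacyAuthenticationLevel', 2), # 2 = Connect
    @('5', 'Default impersonation level',     $ole, 'LegacyImpersonationLevel',  2), # 2 = Identify
    @('6', 'Sharing and security model (XP)', $lsa, 'ForceGuest',      0),           # 0 = Classic
    @('7', 'UAC (Vista and 7)',               $uac, 'EnableLUA',       0)            # 0 = UAC off
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c[2] -Name $c[3]
    New-Object PSObject -Property @{
        Section  = $c[0]
        Setting  = $c[1]
        Actual   = $actual
        Expected = $c[4]
        Match    = ($actual -eq $c[4])
    }
}
$report | Select-Object Section, Setting, Actual, Expected, Match |
    Format-Table -AutoSize
```

Rows for sections 6 and 7 only apply to the operating systems named in those sections; a mismatch elsewhere is expected.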
9.
Test the Connection
NOTE: Repeat this test until the command returns a serial number (or the word None).
1. Click Start
2. Enter cmd in the search field
3. Enter the following at the c:\> prompt
wmic /user:[username] /password:[password] /node:[IP address or hostname] systemenclosure get serialnumber
[username] is the admin ID we set on each computer
[password] is the admin ID password we set on each computer
[IP address or hostname] is the FQDN or the IP address of the target computer
e.g. wmic /user:administrator /password:secretpassword /node:192.168.2.100 systemenclosure get serialnumber
4. Press the Enter button
Result should be:
SerialNumber
None (or the actual computer serial number – like Dell service tag)
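The same test can be run against several targets from PowerShell, with the password entered at a prompt instead of on the command line. This is an added example, not part of the original guide: Test-WmiTarget is a made-up name, the addresses are constructed samples, and the mapping from error type to guide section is a rule of thumb rather than a definitive diagnosis.

```powershell
# Added example, not part of the original guide. Run from the scanning PC
# in Windows PowerShell 2.0-5.1 (Get-WmiObject is not in PowerShell 7).
function Test-WmiTarget {
    param(
        [string]$Computer,
        [System.Management.Automation.PSCredential]$Credential
    )
    $r = New-Object PSObject -Property @{
        Computer = $Computer; Ping = $false; SerialNumber = $null; Diagnosis = ''
    }
    # Section 2: the target must answer an ICMP echo request.
    $r.Ping = Test-Connection -ComputerName $Computer -Count 1 -Quiet
    try {
        # Same class that the wmic "systemenclosure" alias queries.
        $enc = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $Computer `
                   -Credential $Credential -ErrorAction Stop
        $r.SerialNumber = ($enc | Select-Object -First 1).SerialNumber
        $r.Diagnosis = 'OK'
    }
    catch {
        $e = $_.Exception
        if ($e -is [System.Runtime.InteropServices.COMException]) {
            # Typically 0x800706BA, "The RPC server is unavailable".
            $hint = 'RPC blocked or host down: recheck section 3'
        }
        elseif ($e -is [System.UnauthorizedAccessException]) {
            # Typically 0x80070005, refused before WMI is reached.
            $hint = 'Access denied: recheck the password and sections 5 to 7'
        }
        elseif ($e -is [System.Management.ManagementException]) {
            $hint = 'WMI refused the request: recheck section 4'
        }
        else { $hint = 'Unclassified error' }
        $r.Diagnosis = "$hint ($($e.Message.Trim()))"
    }
    $r
}

# Constructed sample addresses; replace with your own targets.
$targets = '192.168.2.100', '192.168.2.101'
$cred = Get-Credential   # prompts, so the password is not typed on a command line
$targets | ForEach-Object { Test-WmiTarget -Computer $_ -Credential $cred } |
    Format-Table Computer, Ping, SerialNumber, Diagnosis -AutoSize
```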
10.
Network Scan in Spiceworks
1. Log into Spiceworks
2. Click the Settings hyperlink
3. Click the Network Scan hyperlink
4. Enter the scan range in the Scan Entries section if you have not done already.
5. Add the Windows account mentioned in Step 1 if you have not done already.
6. Click the Start Network Scan hyperlink
7. The computer should be discovered properly by SpiceWorks