Performance Analysis Security Requirements

Performance Analysis collects various performance and configuration data directly from Windows, and then requires a higher level of access to the operating system than the Event Calendar. The easiest approach is to either make the SentryOne monitoring service account a domain administrator level account or a member of the local administrators group on any watched targets.

In some scenarios it may be possible to use a non-administrator service account, although this isn't an officially supported approach. Complete the following steps to use a non-administrator service account: 

  1. Enable DCOM on the SentryOne Server machine, SentryOne Client machine, and the server to be watched. For more information, see the Securing a Remote WMI Connection article.
  2. Give the SentryOne monitoring service account proper permissions to the required WMI namespaces by going to the properties for WMI Control under Services and Applications in the Computer Management client. On the Security tab, ensure that the SentryOne monitoring service account has at least Enable Account and Remote Enable checked for the CIMV2 and WMI nodes.

Note:  WMI providers and versions vary from server to server, and whether non-administrative access functions properly for a particular WMI provider is directly dependent on whether the provider was designed to support this. Many providers can't support this, including many designed by Microsoft®.

For more information about SentryOne requirements, see the How to check SentryOne requirements article from Sabin.io.  

Example

SERVER-A is the exact same make and model as SERVER-B, and both servers are on the same domain. The SentryOne monitoring service user account is a domain user, but doesn't have administrator privileges on either server. Performance Analysis can successfully watch SERVER-A, but is unable to watch SERVER-B. The two servers are configured identically, with one exception; an additional network adapter from Acme Networking was installed in SERVER-B.  

Acme Networking didn't design the associated WMI provider to support non-administrative access; therefore, Performance Analysis isn't able to successfully watch SERVER-B as a non-administrator. The only options are to either replace the network adapter with one that's known to support non-administrative access, or to contact Acme Networking to see if they have an updated version of the provider that supports non-administrative access.