The following steps must be completed on every Windows Server or Windows Client (SecOps) that TotalView monitors if the TotalView Service Account does not have Local Administrator permissions.
Note:
Limitations of Running TotalView without Full Local Admin Rights:
- No ability to display Logged in users
- No ability to control services
- No ability to kill processes
TotalView 12.1 Build R12174 or later is required for this configuration to function properly.
Local User Group Membership
Add the TotalView Service Account user to the following Local Security Groups:
- Performance Log Users
- Performance Monitor Users
- Remote Management Users
- Distributed COM Users
WMI user access permissions
- Using an administrator account, log on to the computer you want to monitor.
- Go to Start > Control Panel > System and Security > Administrative Tools > Computer Management > Services and Applications.
- Right-click WMI Control, and then select Properties.
- Select the Security tab, expand Root, and then click CIMV2.
- Click Security and then add the TotalView Service Account used to access this computer. Ensure you grant the following permissions: Enable Account and Remote Enable.
- Click Advanced, and then select the user account used to access this computer.
- Click Edit, select "This namespace and subnamespaces" in the Apply to field, and then click OK.
- Click OK to close the Advanced Security Settings for CIMV2 window.
- Click OK to close the Security for Root\CIMV2 window.
- In the left navigation pane of Computer Management, click Services.
- In the Services result pane, select Windows Management Instrumentation, and then click Restart.
Enable RemoteAdmin on the Windows Firewall
Run the Following PowerShell Command on the Remote Host:
netsh firewall set service RemoteAdmin enable
Optionally, you can restrict RemoteAdmin so that only the TotalView host or its subnet is allowed:
netsh firewall set service RemoteAdmin enable custom <TotalView IP Address (eg. 10.0.0.43)> or <subnet eg. 10.0.0.0/24>
To Enable Monitoring on a Domain Controller:
The TotalView Service Account needs to be added to the following Active Directory Global Security Groups:
- Performance Log Users
- Performance Monitor Users
- Remote Management Users
- Distributed COM Users
Additional Permissions for Windows Service Enumeration:
Determine the SID for the TotalView Service Account
Run the Following PowerShell Command on a Domain Controller:
Get-ADUser -Identity <TotalView Service Account> | Select Name, SID, UserPrincipalName
Example:
Username: svc-totalview-min
SID: S-1-5-21-581919217-3246652730-623169886-1156
Enable Service Enumeration for the TotalView Service Account:
Run the following command locally on the monitored host, replacing the final SID (S-1-5-21-581919217-3246652730-623169886-1156 in this example) with the SID of your service account:
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)(A;;GA;;;S-1-5-21-581919217-3246652730-623169886-1156)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
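As an added check that is not part of the TotalView documentation, the following Python parser decodes the scmanager SDDL string above and reports which Service Control Manager rights each trustee is granted. It shows that the final ACE gives the service account full control of the SCM (GA is GENERIC_ALL), which is broader than the CCLCRPRC connect/enumerate/read set that the default descriptor gives Interactive Users; the SID used is the example SID from this page.

```python
import re

# Standard SDDL two-letter right codes -> access-mask bits (generic and object-specific).
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F, "FA": 0x1F01FF,
              "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# What those bits mean when the secured object is the Service Control Manager (scmanager).
SCM_RIGHTS = {0x1: "CONNECT", 0x2: "CREATE_SERVICE", 0x4: "ENUMERATE_SERVICE", 0x8: "LOCK",
              0x10: "QUERY_LOCK_STATUS", 0x20: "MODIFY_BOOT_CONFIG", 0x20000: "READ_CONTROL",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
GENERIC_ALL, SCM_ALL_ACCESS = 0x10000000, 0xF003F

# The scmanager descriptor set by this page's sc sdset command (final ACE = service account).
SVC_SID = "S-1-5-21-581919217-3246652730-623169886-1156"  # the page's example SID
PAGE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
             "(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084"
             f"-3598227634-3698730060-278077788-3990600205)(A;;GA;;;{SVC_SID})"
             "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

def parse_rights(rights: str) -> int:
    """Turn an SDDL rights field such as 'CCLCRPRC' (or a hex literal) into an access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]
    return mask

def parse_dacl(sddl: str) -> list[tuple[str, int, str]]:
    """Return (ace_type, access_mask, trustee) for each ACE in the D: section; S: is ignored."""
    start = sddl.index("D:") + 2
    end = sddl.find("S:", start)
    body = sddl[start:] if end == -1 else sddl[start:end]
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", body):
        f = m.group(1).split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        aces.append((f[0], parse_rights(f[2]), f[5]))
    return aces

def scm_rights_for(sddl: str, trustee: str) -> list[str]:
    """Named SCM rights a trustee (alias such as 'IU', or a full SID) is explicitly allowed."""
    mask = 0
    for ace_type, ace_mask, sid in parse_dacl(sddl):
        if ace_type == "A" and sid == trustee:
            mask |= ace_mask
    if mask & GENERIC_ALL or (mask & SCM_ALL_ACCESS) == SCM_ALL_ACCESS:
        return ["FULL_CONTROL"]  # GA or KA: every right on the SCM, far more than enumeration
    return [name for bit, name in SCM_RIGHTS.items() if mask & bit]
```

After applying the change, run `sc.exe sdshow scmanager` on the host and pass its output to scm_rights_for to confirm that only the intended SID was added; in PowerShell use sc.exe explicitly, because `sc` on its own is an alias for Set-Content.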
For reference, the Windows and WMI calls TotalView makes:
- Machines that exist in the domain: Active Directory search with the filter "(&(objectCategory=computer))"
- Machine name: Win32_ComputerSystem
- OS of a specific machine, RAM, Windows version: Win32_OperatingSystem
- CPU load: Win32_Processor
- Logged in users: Win32_LogonSession, Win32_LoggedOnUser
- Processes: Win32_Process, Win32_PerfFormattedData_PerfProc_Process
- Network utilization: Win32_PerfFormattedData_Tcpip_NetworkInterface
- Disk utilization: Win32_LogicalDisk, Win32_DiskDrive, Win32_PerfFormattedData_PerfDisk_LogicalDisk
- Services: Win32_Service