GPO for Service Account, WinRM and WMI

version 1.3

1. How to create a service account

a. Open Active Directory Users and Computers.

b. Expand the tree and right-click on Users.

c. Select New > User and create the user.

d. Check the settings you entered and click the Finish button.

Make a service account as Local Administrator for all PCs (GPO)

Create a GPO (Group Policy Object) and link it to a domain or OU (Organizational Unit) containing all the computers. The steps are as follows:

Step 1: Creating a Security Group

  • Log on to a Domain Controller and open Active Directory Users and Computers (dsa.msc).

  • Create a security group: from the menu, select Action | New | Group.

  • Name the group Service Account.

  • Select the Group Scope:

    • Global groups typically include users and groups from within the same domain.

    • Universal groups are used to group users that need a wide variety of access permissions throughout the domain or across domains in a forest. Universal groups contain users and groups from any domain in the forest.

  • Now select the newly created security group, right-click on it and choose Properties. This opens a new window where we need to add the service account we created before.

  • Clicking the “Add” button (marked 1 in Figure 8) opens a new window.

  • Enter the service account in the “object names to select” box (marked 2 in Figure 8).

  • Click on “Check Names” as shown in Figure 8 to check that the service account exists.

Note: If the service account name is not found after clicking on “Check Names”, the service account was not created properly.

Step 2: Create a Group Policy.

  • Open the Group Policy Management Console (gpmc.msc).

  • Right-click on Group Policy Objects and select New.

  • Type the name of the policy: “Service Account GPO”.

Step 3: Configure the policy to add the “Service Account” group as Administrators

Here you will add the Service Account group to the Service Account GPO policy and make it a member of the groups you want it to belong to.

  • Right-click the “Service Account GPO” policy, then select Edit.

  • Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups as shown in Figure 12.

  • In the left pane, right-click on Restricted Groups and select “Add Group”.

  • A new “Add Group” window pops up; click on “Browse” as shown in Figure 12.

  • Enter the “Service Account” name in the “object names to select” box, then check that it exists by clicking on “Check Names” as shown in Figure 12.

  • Click OK to finish creation of the new GPO policy under Restricted Groups.

    • Right-click on the newly created GPO and select Properties.

    • A “service account properties” window pops up, indicated as 1 in Figure 14.

    • Click on the “Add” button highlighted in Figure 14.

    • That opens a “Group Membership” window, indicated as 2 in Figure 14.

    • Enter the administrators group name and then click on the Browse button as highlighted in Figure 14.

    • That opens a new window requesting to select groups, where “administrators” is entered in the “Enter the object names to select” box.

    • Click on “Check Names” to find the administrators group and click OK.

Step 4: Linking GPO

  • Open the Group Policy Management Console, expand Domains and select the domain in which the service account was created.

  • Right-click on the domain and select “Link an Existing GPO”. This opens a new window in which to select the “Service Account GPO” that was created previously.

  • Select the required GPO and click OK.

Example - As per the below screenshot, we have selected the domain “Ittest.local”

Step 5: Testing GPOs

Log on to a PC that is joined to the domain, run gpupdate /force, and check the local Administrators group. You should now see Service Account in that group. Make sure all PCs you want to access are moved to an OU to which the above GPO is properly linked. Domain users in the Service Account group can now access all of those PCs remotely as a local administrator.
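The Step 5 check can be scripted so that it also shows who else holds local administrator rights. This is an added example, not part of the original document; the NetBIOS domain name ITTEST (derived from the “Ittest.local” example) and the baseline list of expected administrators are assumptions to adjust.

```powershell
# Added example: confirm the Restricted Groups policy landed on this PC and
# list any local administrators that are not in the expected baseline.
# Run in an elevated PowerShell session on a domain-joined machine.
# ASSUMPTIONS: 'ITTEST' and the baseline entries are placeholders;
# the group name "Service Account" is the one created in Step 1.
$Domain        = 'ITTEST'                       # placeholder NetBIOS domain name
$ExpectedGroup = "$Domain\Service Account"
$Baseline      = @(                             # members you expect to see
    $ExpectedGroup,
    "$Domain\Domain Admins",
    "$env:COMPUTERNAME\Administrator"
)

# Refresh computer policy so the Restricted Groups setting is applied now.
gpupdate /target:computer /force | Out-Null

# Enumerate local Administrators by well-known SID (independent of the
# localized group name).
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# -contains / -notcontains are case-insensitive, so ITTEST\... matches ittest\...
$present    = $members.Name -contains $ExpectedGroup
$unexpected = $members | Where-Object { $Baseline -notcontains $_.Name }

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    ServiceGroupIsAdmin = $present
    AdminCount          = @($members).Count
    UnexpectedAdmins    = ($unexpected.Name -join '; ')
} | Format-List
```

An empty UnexpectedAdmins field together with ServiceGroupIsAdmin = True means the machine matches the baseline.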

2. Enable WinRM & WMI via Group Policy

1. Creating the policy

The policy can be a new GPO or an existing GPO in the Group Policy Management Console on the Domain Controller. In this example a new GPO is created with the name “WinRM & WMI”.

2. Enable the WinRM service

Open the editor window by right-clicking on the policy object and choosing “Edit”.

In the “WinRM & WMI” GPO we created, go to Computer Configuration > Preferences > Control Panel Settings > Services, then right-click on the blank space and choose New > Service.

The service parameters should be filled out as shown below:

Note: The service Startup should be set to “Automatic (Delayed Start)”.

Click OK to save the parameters but don’t close the policy editor just yet.

3. Edit the settings – Allowing remote management access

Next, still in the same policy object, configure the list of IP addresses that can perform remote management access on the target computer. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service. Then double-click on “Allow remote server management through WinRM” to modify the setting as follows:

Add the Responder IP in the IPv4 Filter and click OK to save the settings. Again, do not close the policy editor just yet.

“We recommend using only the responder IP Address. If the domain(s) spread across multiple geographies, where some subnets may hide behind NATs, then we recommend using “*” for the duration of the engagement.”

4. Edit the settings – Opening Firewall ports

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security, then right-click on Inbound Rules > New Rule.

Select Windows Remote Management from the predefined rule set as shown below and click Next.

Leave the tick mark only on the Domain and Private profiles and click Next.

Set the action to Allow the connection.

Click Finish to save the configuration and do not close the policy editor.

Enable WMI service

5. Expand the tree to Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Inbound Rules.

6. Add a New Rule:

  • On the context menu, select New Rule. The New Rule Wizard opens, displaying the Rule Type page.

  • Select Predefined, and then in the drop-down select Windows Management Instrumentation (WMI).

  • Click Next.

  • The Predefined Rules page opens.

  • Choose WMI-In and DCOM-In.

  • Click Next.

  • The Action page opens.

  • Select Allow the connection.

  • Click Finish to save the configuration.

3. Set up Firewall Exceptions:

  • Windows Firewall: Allow inbound remote administration exception

  • Windows Firewall: Allow ICMP exception

    • Using the Group Policy Management Editor, from the menu tree, click Computer Configuration > Policies > Administrative Templates: Policy definitions > Network > Network Connections > Windows Firewall or Windows Defender Firewall > Domain Profile.

    • Right-click on Windows Firewall: Allow inbound remote administration exception and click Edit.

    • Select Enabled.

    • Enter the IP address into the field called Allow unsolicited incoming messages from these IP addresses.

    • Click OK.

    • Right-click on Windows Firewall: Allow ICMP exception and click Edit.

    • Select Enabled.

    • Check Allow inbound echo request.

    • Click OK.

7. Apply the policy to the computer OU

As this is a computer policy, it must be applied to the OU where the computer resides. In this scenario, here’s how it looks when the policy is applied:

4. Verification:

To test WinRM on the local machine, use the command below:

PowerShell: Test-WSMan [Target Hostname/IP address]

If WinRM has been successfully enabled, it will respond as shown below:

To test WinRM on the remote machine, use the command below:

1. Run PowerShell

2. Type

  • Enter-PSSession -ComputerName <RemoteMachine> -Credential <Domain>\BluService

  • Press Enter

  • You will be prompted for the password

  • You should be connected to the remote machine now.

If the query is successful, you should see output similar to the one shown below.
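Beyond the two connection tests, it is worth confirming on a target PC exactly what the “WinRM & WMI” GPO left behind. The following is an added example, not part of the original document: a read-only report of the service startup, the “Allow remote server management through WinRM” policy values, and the effective inbound rules from the two predefined firewall groups. It assumes English display names for the firewall rule groups.

```powershell
# Added example: report what the "WinRM & WMI" GPO left on this machine.
# Run elevated on a target PC after 'gpupdate /force'. Read-only.
$report = [ordered]@{}

# Service: running, and startup = Automatic (Delayed Start),
# stored as Start=2 plus DelayedAutostart=1.
$svcReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WinRM'
$report.WinRMRunning     = (Get-Service -Name WinRM).Status -eq 'Running'
$report.WinRMDelayedAuto = ($svcReg.Start -eq 2 -and $svcReg.DelayedAutostart -eq 1)

# Policy "Allow remote server management through WinRM" as written to the registry.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' `
           -ErrorAction SilentlyContinue
$report.PolicyEnabled        = ($pol.AllowAutoConfig -eq 1)
$report.IPv4Filter           = $pol.IPv4Filter
$report.IPv4FilterIsWildcard = ($pol.IPv4Filter -eq '*')   # "*" still set after the engagement?

# Effective inbound rules from the two predefined groups used in this guide.
# ASSUMPTION: English display group names; they are localized on other systems.
$groups = 'Windows Remote Management', 'Windows Management Instrumentation (WMI)'
$rules = foreach ($g in $groups) {
    Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup $g -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [pscustomobject]@{
                Group         = $g
                Rule          = $_.DisplayName
                Action        = $_.Action
                Profile       = $_.Profile
                # The guide ticks only Domain and Private; flag anything wider.
                OnPublic      = "$($_.Profile)" -match 'Public|Any'
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}
$report.EnabledInboundRules  = @($rules).Count
$report.RulesOnPublicProfile = @($rules | Where-Object OnPublic).Count

[pscustomobject]$report | Format-List
$rules | Format-Table -AutoSize
```

RulesOnPublicProfile should be 0 if the rules were created with only Domain and Private ticked; the RemoteAddress column shows which source addresses each rule accepts.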
