
Creating and Using a Limited Service Account for WMI & RPC Access

This guide outlines how to create and configure a limited service account in Active Directory for use with WMI and RPC-based remote access — commonly used by Block 64 tools like Blockbox. It includes step-by-step instructions for setting up the account, creating necessary firewall and Group Policy configurations, and applying required security permissions.


1. Create the Service Account and Security Group

  1. Create a service account in Active Directory.

    • Set the password to never expire.

    • Example: svc_blockbox_account


  2. Create a Global Security Group (e.g., Blockbox Accounts) and add the service account to it.

    • This group will later be assigned permissions via GPO.


2. Create the Group Policy Object (GPO)

Create a new GPO to configure access to WMI, Remote Registry, and DCOM:

  1. In Group Policy Management, create a new policy (e.g., Blockbox WMI Access).

  2. Edit the GPO to include all subsequent configuration steps in this guide.


3. Create the WMI-Inbound Firewall Rule

This step enables inbound WMI traffic through the Windows Firewall.

💡 If your environment already allows WMI traffic through another GPO, this step may be skipped.

  1. Navigate to:
    Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall > Inbound Rules

  2. Add a new predefined rule for Windows Management Instrumentation (WMI).

  3. Keep the default selection, which includes all of the predefined inbound WMI rules.

  4. Select Allow the connection and complete the rule creation.



4. Allow Remote Registry Access

  1. In the GPO, go to:
    Computer Configuration > Policies > Windows Settings > Registry

  2. Add a new key:
    MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

  3. In the permissions tab, add the Blockbox Accounts group and grant Read access.
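To confirm on an endpoint that the registry policy above has applied and granted only read rights on the winreg key, here is an added verification script (it is not part of the Block 64 guide); the group name COMPANY\Blockbox Accounts is an assumption, substitute your own:

```powershell
# Added verification example (not from the Block 64 guide): confirm that the
# winreg key grants the service-account group read-only rights and nothing more.
# "COMPANY\Blockbox Accounts" is an assumed name; substitute your own group.
$Group = 'COMPANY\Blockbox Accounts'
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

$acl  = Get-Acl -Path $Key
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group }

if (-not $aces) {
    Write-Warning "No ACE for $Group on $Key (GPO not applied yet? try gpupdate /force)"
    exit 1
}

# ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions (0x20019).
$ReadKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey

foreach ($ace in $aces) {
    $rights = [int]$ace.RegistryRights
    # Any bit outside ReadKey (SetValue, CreateSubKey, WriteKey, FullControl ...)
    # means the group got more than the guide asks for. Generic rights show up
    # as negative values here; treat those as excess too.
    $excess = $rights -band (-bnot $ReadKey)
    "{0,-6} {1,-30} {2}" -f $ace.AccessControlType, $Group, $ace.RegistryRights
    if ($ace.AccessControlType -eq 'Allow' -and $excess -ne 0) {
        Write-Warning ("Excess rights on winreg: " +
            [System.Security.AccessControl.RegistryRights]$excess)
    }
}
```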


5. Allow DCOM Launch and Access

  1. In the GPO, navigate to:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

  2. Edit the following settings:

    • DCOM: Machine Access Restrictions

      • Add the Blockbox Accounts group

      • Allow Local Access and Remote Access

    • DCOM: Machine Launch Restrictions

      • Add the same group (Blockbox Accounts)

      • Allow Local Launch, Remote Launch, Local Activation, and Remote Activation


6. Allow Read Access to WMI Namespaces Using PowerShell

WMI namespace permissions cannot be fully applied using Group Policy Objects (GPO) alone. To grant read access to the root\cimv2 namespace (used by the Block 64 Discovery Agent), you must run a PowerShell script on each endpoint to configure security settings locally.

🛠️ We recommend using a startup script for machine-level execution — though other deployment tools like Intune, SCCM, or RMM platforms can also be used.

a) Download the Script

Use the official Block 64 script available here:
Creating a Limited Service Account: PowerShell Script

This script:

  • Grants read permissions to the root\cimv2 WMI namespace

  • Applies the permission to the security group created in Step 1 (e.g., Blockbox Accounts)

b) Save the Script to a Shared Folder

Store the .ps1 script in a secure and accessible shared folder, such as:

\\DomainController\Netlogon


Update folder permissions to ensure Domain Computers can read and execute the script:

  1. Right-click the folder > Properties > Security

  2. Click Edit > Add

  3. Add Domain Computers

  4. Grant the following permissions:

    • ✅ Read & execute

    • ✅ List folder contents

    • ✅ Read

c) Deploy the Script via Group Policy (Startup Script)

To automate WMI namespace permissions, deploy the PowerShell script through a GPO as a Startup Script:

  1. In the Group Policy Management Editor, navigate to:
    Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)

  2. Open the PowerShell Scripts tab and click Add

  3. Browse to the script stored in your network share (e.g., \\DomainController\Netlogon\)

  4. In the Script Parameters field, input the parameters required by the script.

    If you're using the default Block 64 script, the syntax is:

    root add "<DOMAIN>\<SECURITY GROUP>" Enable,MethodExecute,RemoteAccess,ReadSecurity

    For example, if your domain is COMPANY and you previously created a security group called Blockbox Accounts, your parameter would look like:

    root add "COMPANY\Blockbox Accounts" Enable,MethodExecute,RemoteAccess,ReadSecurity

💡 Tip: Be sure the security group name matches exactly, and that the script is accessible to all machines affected by the GPO.

🔎 Startup scripts run with system-level permissions, ensuring the WMI namespace is correctly configured on each endpoint before any user login.
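After the startup script has run, you can check on an endpoint that the namespace ACE for the group carries exactly the four rights passed as parameters (Enable, MethodExecute, RemoteAccess, ReadSecurity) and no write rights. The script below is an added verification example, not the Block 64 script itself; the namespace root\cimv2 and the group COMPANY\Blockbox Accounts are assumed defaults.

```powershell
# Added verification example (not the Block 64 script): decode the ACE that a
# WMI namespace holds for the service-account group and flag any write rights.
# Namespace and group names below are assumptions; substitute your own.
param(
    [string]$Namespace = 'root\cimv2',
    [string]$Group     = 'COMPANY\Blockbox Accounts'
)

# WMI namespace access-mask bits (WBEM_* rights plus READ_CONTROL/WRITE_DAC),
# using the same names the Block 64 script parameters use.
$PermBits = [ordered]@{
    Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteAccess = 0x20; ReadSecurity = 0x20000; WriteSecurity = 0x40000
}
$Expected = @('Enable', 'MethodExecute', 'RemoteAccess', 'ReadSecurity')

$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }

$aces = $result.Descriptor.DACL | Where-Object {
    "$($_.Trustee.Domain)\$($_.Trustee.Name)" -eq $Group
}
if (-not $aces) { Write-Warning "No ACE for $Group in $Namespace"; exit 1 }

foreach ($ace in $aces) {
    $granted = @($PermBits.Keys | Where-Object { ($ace.AccessMask -band $PermBits[$_]) -ne 0 })
    $type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
    # AceFlags 0x2 = CONTAINER_INHERIT_ACE (also applies to sub-namespaces)
    $inherit = if ($ace.AceFlags -band 0x2) { 'this+subnamespaces' } else { 'this namespace only' }
    "{0} {1} [{2}] -> {3}" -f $type, $Group, $inherit, ($granted -join ',')
    $missing = @($Expected | Where-Object { $_ -notin $granted })
    $excess  = @($granted  | Where-Object { $_ -notin $Expected })
    if ($type -eq 'Allow' -and $missing) { Write-Warning "Missing: $($missing -join ',')" }
    if ($type -eq 'Allow' -and $excess)  { Write-Warning "Beyond read-only: $($excess -join ',')" }
}
```

Run it in Windows PowerShell 5.1 (the engine startup scripts use), since Invoke-WmiMethod is not available in PowerShell 7.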


7. Add the Service Account Group to the Remote Management Users Group

Add the Blockbox Accounts security group to the built-in Remote Management Users group in Active Directory.

  • This ensures that all endpoints allow the group to perform WinRM calls.


8. Attach Policy to Organizational Unit

Apply the GPO to the appropriate Organizational Unit (OU):

  1. In Group Policy Management, select your GPO.

  2. Under Security Filtering, add the Domain Computers group.

  3. Link the GPO to the target computer OU.

✅ For changes to take effect, endpoints must:

  • Reboot

  • Or run gpupdate /force

  • Or wait for the next GPO refresh cycle