Use Active Directory and Group Policy to push WMI monitoring permissions to all domain-joined machines at scale — without configuring each server individually.
In domain environments, manually configuring WMI permissions on every monitored server is impractical. This guide covers how to create a dedicated CloudMon monitoring account in Active Directory, deploy DCOM and firewall permissions via a Group Policy Object (GPO), and complete the WMI namespace step that must still be done locally on each target machine. The result is a scalable, least-privilege setup that allows the CloudMon Windows probe to collect WMI metrics across all domain-joined servers without using an administrator account.
Note: This guide assumes Active Directory is running on Windows Server 2008 R2 or later, and that target machines are Windows Server 2012 R2 or later. Steps are performed on a Domain Controller unless stated otherwise. The WMI namespace permission step (Step 4) must still be completed manually on each monitored server — it cannot be deployed via GPO.
Create a dedicated, low-privilege domain user account that CloudMon will use as its WMI credential. Do not reuse an existing account or assign it any elevated roles.
Open Active Directory Administrative Center on a Domain Controller. Navigate to your domain → Users. Right-click and select New → User. Fill in the details as follows, then click OK.
| Field | Recommended Value |
|---|---|
| User UPN logon | cloudmon@yourdomain.com |
| Member Of | Domain Users only — do not add to any admin or privileged groups |
| Password options | Set a strong password. Enable "Password never expires" to prevent monitoring disruption. |
Important: Keep this account's membership strictly limited to Domain Users. Adding it to Domain Admins, Administrators, or any other elevated group defeats the purpose of least-privilege monitoring and introduces unnecessary security risk.
Create a dedicated Group Policy Object for CloudMon WMI access and link it to the appropriate scope in your domain. Linking at the domain root ensures all domain-joined servers receive the policy, including Domain Controllers and member servers such as a Veeam backup server.
Open Group Policy Management on a Domain Controller.
Right-click your domain name in the left pane and select Create a GPO in this domain, and Link it here.
Name the GPO CloudMon WMI Access and click OK. The GPO now appears linked at the domain root and will apply to all machines in the domain.
Scope note: If you only want the policy to apply to specific servers, link the GPO to the OU containing those servers instead of the domain root, or use Security Filtering to target specific machine accounts. For Domain Controllers, ensure the GPO is also linked to (or inherited by) the Domain Controllers OU.
DCOM permissions control whether the CloudMon account can establish a remote connection to the WMI service on each target machine. These must be set for both access and launch/activation. Right-click CloudMon WMI Access in Group Policy Management and select Edit. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.
DCOM: Machine Access Restrictions
Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.
Check Define this policy setting, then click Edit Security. Click Add, enter YOURDOMAIN\cloudmon and click Check Names, then OK. With the user selected, tick Allow for the following permissions, then click OK.
| Permission | Allow |
|---|---|
| Local Access | ✓ |
| Remote Access | ✓ |
DCOM: Machine Launch Restrictions
Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax. Check Define this policy setting, then click Edit Security. Click Add, enter YOURDOMAIN\cloudmon and click Check Names, then OK. Tick Allow for all four permissions below, then click OK.
| Permission | Allow |
|---|---|
| Local Launch | ✓ |
| Remote Launch | ✓ |
| Local Activation | ✓ |
| Remote Activation | ✓ |
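
A check that both DCOM settings above actually reached a monitored server after policy refresh, as an added example that is not part of the original guide or of CloudMon. It assumes the GPO writes the two SDDL strings under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM`; `YOURDOMAIN\cloudmon` is the guide's placeholder and the function name is hypothetical.

```powershell
# Added example: confirm the GPO-delivered DCOM restrictions grant the
# monitoring account the rights ticked in the two tables above.
# Run in an elevated Windows PowerShell session on a monitored server.
function Test-CloudMonDcomPolicy {                      # hypothetical helper name
    param([string]$Account = 'YOURDOMAIN\cloudmon')     # placeholder account

    # COM access-mask bits: 0x01 execute, 0x02 local, 0x04 remote,
    # 0x08 local activation, 0x10 remote activation.
    $required = [ordered]@{
        MachineAccessRestriction = 0x07   # Local Access + Remote Access
        MachineLaunchRestriction = 0x1F   # Local/Remote Launch + Local/Remote Activation
    }

    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Assumed location of the policy-defined SDDL strings.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in $required.Keys) {
        $sddl    = if ($policy) { $policy.$name }
        $granted = 0
        if ($sddl) {
            # Parse the SDDL and OR together every allow ACE for the account.
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace.SecurityIdentifier -eq $sid -and
                    $ace.AceQualifier -eq 'AccessAllowed') {
                    $granted = $granted -bor $ace.AccessMask
                }
            }
        }
        [pscustomobject]@{
            Setting  = $name
            Defined  = [bool]$sddl
            Granted  = '0x{0:X}' -f $granted
            Required = '0x{0:X}' -f $required[$name]
            Ok       = ($granted -band $required[$name]) -eq $required[$name]
        }
    }
}

Test-CloudMonDcomPolicy | Format-Table -AutoSize
```

A row with `Defined` false means the policy value is absent on that machine, which points at GPO scope or refresh rather than at the ACL itself.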
The CloudMon probe connects to target machines over the network. Windows Firewall must allow inbound WMI traffic on each monitored server. This can be enforced centrally through the same GPO.
In the GPO editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Windows Firewall with Advanced Security → Inbound Rules. Right-click Inbound Rules and select New Rule. Select Predefined, choose Windows Management Instrumentation (WMI) from the list, and click Next. Tick all three WMI rules in the list, click Next, select Allow the connection, and click Finish.
Note: The three predefined WMI rules cover the WMI service, the WMI provider host, and asynchronous WMI callbacks. All three are required for reliable CloudMon metric collection.
This step cannot be deployed via GPO and must be performed locally on every monitored server — including each Domain Controller and the Veeam backup server. The CloudMon account needs explicit rights within the WMI namespace tree so it can query classes under root\cimv2.
On each target server, press Win + R, type wmimgmt.msc and click OK.
Right-click WMI Control (Local) and select Properties.
Click the Security tab, select Root in the namespace tree, then click the Security button.
Click Add, enter YOURDOMAIN\cloudmon, click Check Names, then OK. With the account selected, click Advanced.
Highlight the cloudmon row and click Edit.
In the Applies to drop-down, select This namespace and subnamespaces. Tick Allow for the permissions below, then click OK through all dialogs.
| Permission | Purpose |
|---|---|
| Execute Methods | Required to invoke WMI methods on queried classes. |
| Enable Account | Activates the account so it can execute WMI queries. |
| Remote Enable | Allows remote WMI connections from the CloudMon probe. |
| Read Security | Allows the account to read security descriptors on WMI objects. |
Important: In the Applies to drop-down, you must select This namespace and subnamespaces. If left as the default This namespace only, all queries against root\cimv2 will return Access Denied. This step must be repeated on every monitored server — it cannot be pushed via GPO.
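
Because this step is repeated by hand on every server, it is the one most likely to drift; the following added example (not part of the original guide or of CloudMon) reads the Root namespace ACL and reports whether the account's four rights are on an ACE that propagates to subnamespaces. `YOURDOMAIN\cloudmon` is the guide's placeholder and the function name is hypothetical.

```powershell
# Added example: audit the WMI Root namespace ACL for the monitoring account.
# Run in an elevated Windows PowerShell session on the monitored server.
function Test-CloudMonWmiNamespaceAce {                  # hypothetical helper name
    param(
        [string]$Account      = 'YOURDOMAIN\cloudmon',   # placeholder account
        [string]$ComputerName = '.'                      # local machine by default
    )

    # WMI namespace access-mask bits for the four rights in the table above.
    $rights = [ordered]@{
        'Enable Account'  = 0x1
        'Execute Methods' = 0x2
        'Remote Enable'   = 0x20
        'Read Security'   = 0x20000
    }
    $containerInherit = 0x2   # ACE flag set by "This namespace and subnamespaces"

    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace root `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor failed with code $($result.ReturnValue)"
    }

    # Allow ACEs (AceType 0) for the account; track which rights propagate.
    $onRoot = 0; $propagated = 0
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.Trustee.SIDString -ne $sid -or $ace.AceType -ne 0) { continue }
        $onRoot = $onRoot -bor $ace.AccessMask
        if ($ace.AceFlags -band $containerInherit) {
            $propagated = $propagated -bor $ace.AccessMask
        }
    }

    $missing = @($rights.Keys | Where-Object { -not ($propagated -band $rights[$_]) })
    [pscustomobject]@{
        Computer               = $ComputerName
        RightsOnRoot           = '0x{0:X}' -f $onRoot
        RightsPropagated       = '0x{0:X}' -f $propagated
        MissingInSubnamespaces = $missing -join ', '
        Ok                     = $missing.Count -eq 0
    }
}

Test-CloudMonWmiNamespaceAce
```

`RightsOnRoot` non-zero with `RightsPropagated` at `0x0` is the "This namespace only" mistake described above.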
On some hardened Windows configurations, UAC remote token filtering can strip privileges from non-admin accounts connecting over the network via WMI, causing incomplete or empty results even when all other permissions are correctly set. If CloudMon returns partial data or missing metrics after completing the steps above, apply this registry fix on the affected server.
This can be deployed via GPO Preferences or applied manually. To push it via GPO, navigate to Computer Configuration → Preferences → Windows Settings → Registry, right-click and select New → Registry Item, and configure the following values.
| Field | Value |
|---|---|
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system |
| Value name | LocalAccountTokenFilterPolicy |
| Value type | DWORD |
| Value data | 1 (disables remote UAC filtering) |
Force the GPO to apply immediately on each target server rather than waiting for the default 90-minute refresh cycle. Open a Command Prompt as Administrator on each monitored server and run:
gpupdate /force
To confirm the CloudMon WMI Access GPO was applied successfully, run the following and look for it under Applied Group Policy Objects in the Computer Settings section:
gpresult /r
Then verify WMI access from the CloudMon probe machine using PowerShell. Run the following command and supply the cloudmon account credentials when prompted:
Get-WmiObject -Class Win32_OperatingSystem `
-ComputerName "<target-server>" `
-Credential (Get-Credential)
A successful response returns OS details confirming WMI access is working. Once verified on all servers, add the credential in CloudMon under Settings → Credentials → Add WMI Credential and associate it with each monitored device.
Firewall: If GPO firewall rules have not yet propagated, you can enable WMI inbound rules manually on a target server by running the following command as Administrator:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
| Issue | What to check |
|---|---|
| WMI queries return Access Denied | Confirm the WMI namespace step (Step 5) was completed on that specific server. Verify that This namespace and subnamespaces was selected in wmimgmt.msc, not This namespace only. Also check that the GPO has been applied via gpresult /r. |
| GPO not applying to Domain Controllers | Domain Controllers reside in the Domain Controllers OU, which has its own default GPO. Ensure the CloudMon WMI Access GPO is linked at the domain root and that its link order gives it sufficient priority, or link it directly to the Domain Controllers OU as well. |
| DCOM connection is refused | Confirm the GPO DCOM Launch Restrictions are applied and include Remote Launch and Remote Activation for the cloudmon account. Verify that Windows Firewall inbound WMI rules are enabled on the target server. |
| Metrics are incomplete or partially missing | UAC remote token filtering may be stripping the account's effective permissions. Apply the LocalAccountTokenFilterPolicy registry fix described in Step 6 on the affected server and re-test. |
| Veeam server not receiving the GPO | Confirm the Veeam server is domain-joined and its computer account is within the GPO's scope. Run gpupdate /force on the Veeam server and check gpresult /r to confirm the CloudMon WMI Access GPO appears under Applied Group Policy Objects. |