... or functional practicality or whatever. it's interesting that "secure" has made some things especially troublesome! for instance, out of the box, after applying service pack 1, querying wmi will fail. how do you fix it? you add the account you're using to the local administrators group. now that doesn't sound right since the idea is that we're securing things down. the challenge was to take a user account without elevated permissions and grant it the rights it needs to query wmi without the exposure of adding it to local administrators. it turns out there are three things you have to do to make this work: add the user to "distributed com users" local group grant permission to the wmi namespace for which you wish you allow access (in our case, cimv2) grant permission to service control manager add the user to "distributed com users" local group: not much to explain for this. simply add the account to the local group named "