[This is preliminary documentation and subject to change.]
WBEM supports several features that enable native Windows NT security to be transparently integrated with WBEM security. Whenever an NTLM user logs on, his or her membership in various groups is checked. If the user is a member of any or all groups, he acquires the union of permissions assigned to those groups.
There need not be a __User instance associated with the user; he or she only has to be a member of one of the groups already in the security access database of Windows NT. In this way, the Windows NT User Manager can become the tool for controlling group membership, thereby simplifying the administration of access to WBEM.
In most cases, instances of the __NTLMGroup class are created using the WBEM User Manager, permissions are assigned, and no other security instances are created.
There are a few built-in groups on Windows NT platforms. All users who belong to the local Administrators group are given access to all CIMOM namespaces with full access at all times. On some Windows NT workstations, the Domain Administrators group is often automatically added to the local Administrators group when the machine joins the domain. This is outside the control of CIMOM and under the control of the user through the Windows NT User Manager.
A Windows NT local group called WbemUsers is automatically created by CIMOM when it starts. The default settings for this gorup are read-only access to all namespaces except for root\security. There is no access to the Root\Security namespace. There are no members of this group by default.
Most CIMOM access can be controlled entirely from the Windows NT User Manager immediately after installation. At this time, the following permissions are in effect: