WMI "access denied" error for remote computer

    Question

  • Hi,

    I'm trying to query the Win32_PageFileUsage using C# and also using "WMI code creator" (http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&displaylang=en) from a remote machine.

    Each call (using both methods) returns an "access denied" error.

    Both machines are running Windows 2003 Server OS.

    The machines are not part of a domain, so I've configured a twin account (same user credentials) on both machines, added the user to the administrators group on both machines and gave the needed permissions for WMI namespaces and for DCOM.

    When running both the "WMI Code Creator" and my program, I'm logged into the machine with the credentials of the created user.

    Firewall is off on both machines.

    I can RDP to the machines with the credentials above.

    I've checked the local security policy and "Network access: Sharing and security model for local accounts" is set to "Classic".

    What can be the reason for this?

     

    Please help,

    Alex.

     

    Edit: Solved, the local policy prevented the connections.

    Tuesday, April 20, 2010 2:01 PM

Answers

  • This is from my documentation on enabling a Domain User to perform remote WMI calls:

    Enabling Remote WMI for a domain user
    This process allows a domain user to access WMI information remotely via a script.
    This domain account will have no other access to the servers.

    In Computer Management, expand Services and Applications:
     
    Right-Click WMI Control and select Properties:
     
    Select the security tab, Expand Root, and select CIMV2. Click the Security button.
    Click Add… and add the WMI user.
     
    Highlight the WMI user, and click “Remote Enable”
     
    Click OK Twice, and close Computer Management


    Open a command prompt, and enable remote WMI through the firewall:
    netsh firewall set service RemoteAdmin enable <enter>


    Open DCOM Configuration by typing dcomcnfg at the command prompt, and hitting enter:
     
    Expand “Component Services”
    Expand “Computers”
    Right-Click “My Computer” and select Properties.
    Select the “Com Security” tab:
     
    Click “Edit Limits…” under the “Launch and Activation Permissions” section (the 2nd “edit limits” button from the top):
     
    Add the WMI user and give that account the “Remote Activation” permission:
     
    Click OK twice and close the “Component Services” window.

    Exit your command prompt, and the system is configured for remote WMI access for the WMI user, which is a Domain User account.

    Or, see my blog post:  Script remote DCOM / WMI access for a non admin

    Karl

     


    http://unlockpowershell.wordpress.com
    Tuesday, May 11, 2010 10:15 PM
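
One way to confirm the two permissions the steps above grant, as an added example that is not part of the original answer or of the linked blog script: it reads the `root\cimv2` namespace security descriptor and the machine-wide DCOM launch limits and reports whether the account holds Remote Enable and Remote Activation. The account name is a placeholder, and only ACEs that name the account directly are checked.

```powershell
# Added example, not from the original answer. Read-only; run elevated on the
# target server. The default account name is a hypothetical placeholder.
param([string]$Account = 'EXAMPLE\wmiuser')

$WBEM_REMOTE_ACCESS         = 0x20   # WMI namespace right "Remote Enable"
$COM_RIGHTS_ACTIVATE_REMOTE = 0x10   # DCOM right "Remote Activation"

function Get-AllowedMask($Dacl, [string]$Who) {
    # OR together the masks of allow ACEs (AceType 0) that name $Who directly.
    # Rights obtained through group membership are not resolved here.
    $mask = 0
    foreach ($ace in $Dacl) {
        $name = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        if ($ace.AceType -eq 0 -and $name -ieq $Who) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    $mask
}

# 1. Security descriptor of the root\cimv2 namespace (WMI Control > Security).
$wmi = Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($wmi.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($wmi.ReturnValue)" }
$wmiMask = Get-AllowedMask $wmi.Descriptor.DACL $Account

# 2. Machine-wide DCOM launch and activation limits (dcomcnfg > COM Security).
#    The registry value is absent while the built-in default limits apply.
$raw = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
$dcomMask = 0
if ($raw) {
    $helper   = [wmiclass]'Win32_SecurityDescriptorHelper'
    $dcomMask = Get-AllowedMask ($helper.BinarySDToWin32SD($raw).Descriptor.DACL) $Account
}

[pscustomobject]@{
    Account              = $Account
    WmiRemoteEnable      = [bool]($wmiMask  -band $WBEM_REMOTE_ACCESS)
    DcomRemoteActivation = [bool]($dcomMask -band $COM_RIGHTS_ACTIVATE_REMOTE)
    DcomLimitsCustomised = [bool]$raw
}
```
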

All replies

  • WHAT local policy ???  (I have the same problem)
    • Proposed as answer by Kent Kuriyama Wednesday, July 17, 2013 3:37 AM
    Wednesday, April 21, 2010 12:59 PM
  • I had a similar problem in that I could not access WMI on a remote machine.  Using the wbemtest.exe program I would get the 'access denied' error message.  After searching for a solution I came across:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa826699(v=vs.85).aspx

    The article talks about the registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

    When I set that DWORD value to 1 (it was not defined on my WIN7 machine) I was then able to use admin credentials to access WMI on this remote machine.  The WIN7 machine is a standalone box so this registry value may not apply for domain-connected machines.

    Wednesday, July 17, 2013 3:44 AM
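
An added example, not code from the thread: the first function reads, on the target, the two local-account policy values mentioned in the question and in this reply, and the second classifies a failed remote `Win32_PageFileUsage` query by the layer that refused it. `SERVER01` and the function names are placeholders.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

function Get-LocalAccountRemotePolicy {
    # Run on the TARGET. Reports how a local account is treated on network logon.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $filter = $sys.LocalAccountTokenFilterPolicy     # $null when not defined
    [pscustomobject]@{
        LocalAccountTokenFilterPolicy = if ($null -eq $filter) { 'not defined' } else { $filter }
        # Only meaningful on systems with UAC (Vista and later).
        RemoteLocalAdminToken = if ($filter -eq 1) { 'full' } else { 'filtered by UAC' }
        # "Network access: Sharing and security model for local accounts"
        SharingModel = if ($lsa.forceguest -eq 1) { 'Guest only' } else { 'Classic' }
    }
}

function Test-RemoteWmi {
    # Run on the CLIENT. Returns a string naming the layer that refused the call.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )
    try {
        $null = Get-WmiObject -Class Win32_PageFileUsage -ComputerName $ComputerName `
                    -Credential $Credential -ErrorAction Stop
        'OK: query succeeded'
    }
    catch [System.UnauthorizedAccessException] {
        # E_ACCESSDENIED 0x80070005: refused by DCOM security before WMI ran.
        'DCOM/logon layer: check DCOM limits, token filtering, sharing model'
    }
    catch [System.Management.ManagementException] {
        # e.g. AccessDenied (0x80041003): refused by WMI itself.
        "WMI layer ($($_.Exception.ErrorCode)): check namespace security"
    }
    catch [System.Runtime.InteropServices.COMException] {
        # e.g. 0x800706BA "RPC server is unavailable".
        'Transport layer: check firewall rules and the WMI service'
    }
}

# Get-LocalAccountRemotePolicy
# Test-RemoteWmi -ComputerName 'SERVER01' -Credential (Get-Credential)
```

A value of 1 for `LocalAccountTokenFilterPolicy` gives every local administrator account a full token on network logons, so it is worth recording which machines have it set.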