Remote WMI queries to a Windows 2008 server in a workgroup

  • Question

  • I have a program that runs from a server inside my domain and connects to each server in our environment and gathers details from WMI and stores that data into a database.  This program is initiated from a scheduled task and runs as a domain account, using those credentials to perform the WMI query.

    We have a few servers in our DMZ that are not members of a domain; they are in a workgroup.  To query those we simply create a local account with the same username and password as the domain account under which the scheduled task runs, and it connects just fine.  That is, until Windows 2008.

    Initially the WMI query was timing out, but I enabled WMI in Windows Firewall on the workgroup 2008 servers and now the query comes back with Error: 70 : Permission denied

    I've made the local user (whose username & password are the same as the domain account) an administrator, but same results.  Any ideas what I would need to do to have this work?
    Wednesday, March 12, 2008 10:03 PM

Answers

  • Hi Bryon,

     

    Yes, there should be a difference between Administrator and other users, even those in the built-in Administrators group, because of the UAC (User Account Control) feature in Windows Vista and Windows Server 2008.

    Under UAC, accounts in the local Administrators group have two access tokens, one with standard user privileges and one with administrator privileges. Because of UAC access token filtering, a remote WMI query is always run under the standard user token.

    So for a computer in a workgroup, even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user. A best practice is to create a dedicated local user account on the target computer with explicit DCOM and WMI namespace access rights granted specifically for remote connections.

    1.    Open Component Services by running 'dcomcnfg' at a command prompt.

    2.    Expand the Component Services--->Computers nodes and right click My Computer.

    3.    In the COM Security tab, explicitly grant AdminB local and remote Launch and Activation permissions in both 'Edit Limits…' and 'Edit Default…'.

    4.    Open WMI management by running 'wmimgmt.msc' at a command prompt.

    5.    Connect it to the local computer, right click--->Properties--->Security. Grant the AdminB local account 'Execute Methods' and 'Remote Enable' permission, applied to 'This namespace and subnamespaces'.

    Note: The permissions AdminB needs in DCOM and the WMI namespace depend a great deal on what the script will do. Please make the necessary changes to fulfill the specific requirements.

     

    Hope it helps.

     

    Monday, March 24, 2008 9:58 AM
    Moderator
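    As an added example (not code from the thread or from Microsoft), a PowerShell 2.0 script that audits the registry-backed settings behind the token-filtering behaviour described above (EnableLUA, LocalAccountTokenFilterPolicy, FilterAdministratorToken, ForceGuest, LmCompatibilityLevel) and repeats the wbemtest connection with explicit credentials, mapping each failure to the error codes seen in the thread. Host and account names are placeholders.

```powershell
# Added example, not code from the thread. Run Get-RemoteWmiPrereq ON the workgroup
# target; run Test-RemoteWmiAccess FROM the querying host. Host and account names
# used below are placeholders.
function Get-RemoteWmiPrereq {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # UAC on (EnableLUA=1) filters a local admin's remote token to standard-user
    # rights unless LocalAccountTokenFilterPolicy=1 (KB951016). A missing value
    # means filtering applies. The built-in Administrator (RID 500) is exempt
    # while FilterAdministratorToken is 0, which is why 'Administrator' connected
    # in the thread but AdminB did not.
    $uacOn = ($sys.EnableLUA -eq 1)
    $filtered = $uacOn -and ($sys.LocalAccountTokenFilterPolicy -ne 1)
    # ForceGuest: 0 = Classic, 1 = Guest only ("Network access: Sharing and security
    # model for local accounts"); Guest only maps every remote local logon to Guest.
    if ($lsa.ForceGuest -eq 1) { $model = 'Guest only' } else { $model = 'Classic' }
    New-Object PSObject -Property @{
        UacEnabled            = $uacOn
        LocalAdminsFiltered   = $filtered
        BuiltinAdminExempt    = ($sys.FilterAdministratorToken -ne 1)
        ShareSecurityModel    = $model
        # 0 = send LM & NTLM (the moderator's check); 3-5 = NTLMv2 only
        LmCompatibilityLevel  = $lsa.LmCompatibilityLevel
    }
    # Prefer explicit DCOM and namespace rights for one dedicated account over
    # disabling UAC or setting the policy to 1, which unfilter every local admin.
}

function Test-RemoteWmiAccess {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Credential)
    try {
        # Same connection wbemtest makes: \\host\root\cimv2 with explicit credentials.
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        "OK: $ComputerName runs $($os.Caption)"
    } catch [System.UnauthorizedAccessException] {
        # 0x80070005 E_ACCESSDENIED: DCOM launch/activation limits or token filtering.
        "DCOM access denied: check COM Security limits for the account and Get-RemoteWmiPrereq"
    } catch [System.Management.ManagementException] {
        # 0x80041003 (-2147217405 in the thread) = WBEM_E_ACCESS_DENIED: the DCOM hop
        # succeeded but the namespace lacks 'Remote Enable' / 'Execute Methods'.
        "WMI error $($_.Exception.ErrorCode): grant namespace rights in wmimgmt.msc"
    } catch [System.Runtime.InteropServices.COMException] {
        # RPC server unavailable: the firewall has no WMI/DCOM exception.
        "RPC/COM error 0x$('{0:X8}' -f $_.Exception.ErrorCode): check the WMI firewall exception"
    }
}
# Usage (placeholders): Test-RemoteWmiAccess -ComputerName 'dmz-server' -Credential (Get-Credential 'dmz-server\AdminB')
```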
  • When I followed your instructions I came to a -2147217405 error (which is a different access denied message than we were receiving before).  However, your suggestions gave me a direction to tinker and I was able to get everything working.

    Here's what I had to do:
    1. Add AdminB to the local Administrators group.
    2. Run dcomcnfg.  Drill into Component Services until you can right click and choose Properties on My Computer.
    3. On the COM Security tab, select Edit Limits & Edit Defaults under Launch and Activation Permissions.  Add the AdminB account explicitly and give Allow on all attributes.
    4. Go to Control Panel, Users.  Turn off UAC.

    I didn't have to do anything with WMIMgmt...perhaps because the user was in the Administrators group.  Thanks for your help!

    Monday, March 24, 2008 3:34 PM

All replies

  • Hello,

     

    I ran a test of remote querying against a Windows Server 2008 workstation.

    To simulate your environment, I have a VBS script that remotely queries a Windows Server 2008 workstation-based computer. With the same username and password in both the domain and the workstation-based Windows Server 2008, provided in the scheduled task, the script can correctly query the workstation-based Windows Server 2008.

    To narrow down this issue, there are several questions and notes that should be helpful.

    1.    Can you perform the query using WMImgmt.msc connected remotely to the Windows Server 2008 (providing local user credentials)?

    2.    Please make sure that the 'LAN Manager authentication level' setting under 'Local Computer Policy--->Computer Configuration--->Windows Settings--->Security Settings--->Local Policies--->Security Options' on both computers is set to send LM & NTLM responses.

    3.    What about trying the query from another workgroup-based computer in the DMZ?

     

    Hope this helps.

     

    • Proposed as answer by MikeCollier Thursday, July 12, 2012 6:44 AM
    Tuesday, March 18, 2008 11:02 AM
    Moderator
  • Thank you very much for attempting to replicate this issue.  These are new installations and are not customized except for some loosening of the Windows Firewall rules.

    I tried WMImgmt.msc from both a domain computer and from another computer in the workgroup, before and after setting LAN Manager Auth level to LM & NTLM and in all cases I got back "Failed to connect to \\server because 'Win32: Access is denied'"
    Tuesday, March 18, 2008 6:32 PM
  • It looks like a lot of people have solved a very similar problem (on other OSes) by changing the "Network Access: Share and security model for local accounts" to Classic instead of Guest only.  Reading through the description, that would seem to apply.  The description even says that the default for domain computers is Classic while for stand-alone computers it is Guest Only.  However, that is not accurate.  These computers have never been in a domain and are already set to Classic.
    Tuesday, March 18, 2008 6:49 PM
  • Hello,

     

    Yes, for servers the "Network Access: Share and security model for local accounts" setting is always set to Classic, no matter whether it is standalone or domain joined.

    When you run WMImgmt.msc on the domain-joined computer, I'd like to know which user account is currently logged on.

    When you remotely connect to a computer without providing an explicit user name and password, WMI uses the credentials of the currently logged-on Windows user. To use alternative user credentials to connect, try 'wbemtest':

    1.    On a domain-joined computer, type 'wbemtest' to open WMI Tester.

    2.    Click Connect. In the Namespace textbox, type '\\ip_address\root\cimv2' (replace ip_address with the IP of the workstation-based computer in the DMZ).

    3.    Provide the User and Password that reside on the workstation-based computer.

    4.    Leave Impersonation level and Authentication level at their defaults.

    As you mentioned that it is a new installation, this means the DCOM and WMI namespace permissions are all defaults and the test should work. If the test fails, we have to consider that some default permissions and user right settings have been changed.

     

    Thursday, March 20, 2008 10:50 AM
    Moderator
  • The account I want to use on the domain computer is corpdomain\adminB.  I have created a local account on the workgroup servers named adminB with the same password as the domain account and added it to the local Administrators group. 

     

    This morning I rebuilt the OSes to make sure that they are completely default. 

     

    I tried the WBEMTest from the domain computer using adminb and got access denied.  I then tried the same thing from a different server in the workgroup and also got access denied.  I then tried using administrator instead of adminB.  That gave me an RPC error instead of access denied!  So, I turned off the Windows Firewall and tried again.  Administrator was able to connect successfully from either the domain computer or the workgroup computer.  However, adminB still fails from both domain and workgroup with access denied.

     

    I think we are getting close. 

     

    It appears that Administrator has some rights that adminB does not have even though both are in the local Administrators group.  Additionally there is some configuration that needs to happen to the Windows Firewall to allow this remote connection.  Any idea on those?

    Thursday, March 20, 2008 4:54 PM
  • Well, the exception in Windows Firewall is WMI (duh).  So, the only question left is what is the difference between the administrator account and a different account which is in the administrators group?

    Thursday, March 20, 2008 5:23 PM
  • Hi Miles
    We had sorted out the firewall issues and were left with an "Access denied" issue to the WMI.

    Thanks for the answer - worked perfectly for Total Network Inventory software that would access a Windows 2008 server as "Administrator" but not as a user with administration rights.  The software was on an XP and both machines were in a workgroup.

    Cheers Don
    Friday, November 7, 2008 12:32 AM
  • Sorry this is such an old thread, but it is describing my same problem but without resolution.

    I have a remote WMI monitor which is not working and cannot retrieve from a domain-joined Windows Server 2008 Standard Edition (Version 6.0.6002 SP2 - the R1 64bit). 

    I have ruled out firewall, because I can open Computer Management MMC and view system properties or run the "SC Query" command (two examples). But when using WMI I cannot retrieve WMI data!

    I opened both System32 and SysWOW64 versions of PowerShell.exe and issued the "WinRM QuickConfig" commands.

    I have updated the DCOM and WMI security properties as described here (and elsewhere, several other Google hits, for example, this one: "Configuring DCOM and WMI to Remotely Retrieve Windows 2008 Server Events" (URL: http://www-01.ibm.com/support/docview.wss?uid=swg21681046)). I have explicitly added the domain account in the security properties. The account is also a member of the local Administrators group, which is also granted security privileges.

    I have also set LocalAccountTokenFilterPolicy to 1 in the registry following instructions at "Disabling User Account Control (UAC) on Windows Server" (URL: https://support.microsoft.com/en-us/kb/2526083) which contains this note: "If UAC is enabled, local accounts that are subject to token filtering cannot be used for remote administration over network interfaces other than Remote Desktop (for example, through NET USE or WinRM). A local account that authenticates over such an interface obtains only the privileges that are granted to the account's filtered token. If UAC is disabled, this restriction is removed. (The restriction can also be removed by using the LocalAccountTokenFilterPolicy setting that is described in Microsoft Knowledge Base article 951016.)" See also URL: https://support.microsoft.com/en-us/kb/951016

    Restarted server.

    But none of these steps work!!  I still cannot do remote WMI queries. I can do an SNMP MIB walk, RDP, and use remote tools like services.msc, eventvwr.msc, etc.


    George Perkins


    • Edited by George Perkins Wednesday, August 24, 2016 9:52 PM add info
    Wednesday, August 24, 2016 9:48 PM