Remote WMI queries to SCCM 2007 root\sms\site_cod get access denied

  • Question

  • I wrote a script a long time ago that creates a VM, then imports the computer into SCCM with the MAC address, and adds it to a collection with a mandatory OSD.

    It's been working for years, but recently (today) I tried running it and it gets Access Denied when it verifies no computers with the same name exist.

    This simple query fails with access denied: gwmi "SMS_R_System" -ComputerName sccm_server -namespace "root\sms\Site_sms"

    I can run this fine: gwmi Win32_BIOS -ComputerName sccm_server

    If I RDP into the sccm server, I can run the commands just fine, and I'm logged on with the same account in either instance. My account is also a domain admin, I've checked WMI permissions and local admins have full control (domain admins are a member of local admins). Windows firewall is off, there's no other firewall in between, but like I said, it works for a different namespace, only root\sms\site_ seems to be acting up. I'm on SCCM 2007 R2 SP2.

    I've been pulling what little hair I have left out to figure this out, even checked DCOM Config.

    Any thoughts or suggestions?


    Wednesday, February 27, 2013 6:11 PM


All replies

  • Elevation. Did you elevate your PowerShell instance when running local?

    Jason | http://blog.configmgrftw.com

    Wednesday, February 27, 2013 9:07 PM
  • No, it's run under my user context. Main thing is it's worked flawlessly on the same system for a long time. I've tried multiple machines using wbemtest and I can connect to root\cimv2 without issue, but access denied when running "select * from SMS_R_System" against root\sms\site_cde.

    That being said, I did notice I cannot retrieve advertisement status anymore, I have to launch the console from the site server itself. Melvin applied a patch recently, but no one else has complained of this, and others have run my script without complaint.

    Let's see if he remembers anything about it...

    Forgot to add that running wbemtest locally on the site server allows the query of root\sms\site_cde just fine.

    ~Luke thephuck.com

    • Edited by cougar694u Friday, March 1, 2013 4:46 AM added infoz
    Friday, March 1, 2013 4:43 AM
  • Do you have the RPC ports open so you can do a remote WMI connection?

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    Saturday, March 2, 2013 2:51 AM
  • Yes, the ports are open, as I can query root\cimv2 from remote machines.

    It is only root\sms\site_cde where I get access denied.

    ~Luke http://thephuck.com

    • Edited by cougar694u Sunday, March 3, 2013 12:07 AM
    Sunday, March 3, 2013 12:06 AM
  • You could check the WMI permissions for that namespace; a comparison with a dev\test site's permissions helps you reconfigure them.

    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    • Proposed as answer by Garth Jones MVP Friday, December 26, 2014 9:32 PM
    • Marked as answer by Garth Jones MVP Saturday, January 3, 2015 5:10 PM
    Sunday, March 3, 2013 12:31 AM
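
The comparison suggested in the reply above can be done on the namespace's actual ACEs instead of by eye in the WMI Control dialog. This PowerShell sketch is an added example, not part of the original thread: it lists each ACE on the namespace and flags the Remote Enable right, which remote connections need and local queries do not. The site code `XXX` is a placeholder.

```powershell
# Added example (not from the thread). Run elevated, locally on the site server.
# 'XXX' is a placeholder site code; pass the real namespace with -Namespace.
param([string]$Namespace = 'root\sms\site_XXX')

# WMI namespace access-mask bits
$Rights = @{
    EnableAccount  = 0x1
    ExecuteMethods = 0x2
    FullWrite      = 0x4
    PartialWrite   = 0x8
    ProviderWrite  = 0x10
    RemoteEnable   = 0x20     # needed for remote connections, not for local ones
    ReadSecurity   = 0x20000
    WriteSecurity  = 0x40000
}

# __SystemSecurity is the singleton that holds the namespace security descriptor
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor on $Namespace returned $($result.ReturnValue)"
}

# One output row per ACE, with the mask decoded into right names
$result.Descriptor.DACL | ForEach-Object {
    $ace = $_
    $granted = $Rights.GetEnumerator() | Sort-Object Value |
        Where-Object { $ace.AccessMask -band $_.Value } |
        ForEach-Object { $_.Key }
    New-Object PSObject -Property @{
        Trustee       = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        Type          = $(if ($ace.AceType -eq 0) { 'Allow' } elseif ($ace.AceType -eq 1) { 'Deny' } else { "Type $($ace.AceType)" })
        RemoteEnable  = [bool]($ace.AccessMask -band $Rights.RemoteEnable)
        Inherited     = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE
        SubNamespaces = [bool]($ace.AceFlags -band 0x2)    # CONTAINER_INHERIT_ACE
        Rights        = $granted -join ','
    }
} | Sort-Object Trustee, Type |
    Select-Object Trustee, Type, RemoteEnable, Inherited, SubNamespaces, Rights
```

Piping the output to Export-Csv on both the production and the dev\test site server gives two files that Compare-Object can diff. A Deny row with RemoteEnable set, or a trustee whose Allow row lacks it, is the kind of difference that shows up remotely but not locally.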
  • I've tried this, too. My account is a DA, which is a member of local Admins, and local Admins have full control to WMI. I've checked this twice for sanity reasons :P

    ~Luke http://thephuck.com

    Monday, March 4, 2013 8:32 PM
  • I tried removing and adding permissions hoping to reset the ACLs, but still get access denied remotely querying root\sms\site_wss. It works fine locally, or when querying root\cimv2 remotely.

    Also checked this: http://technet.microsoft.com/en-us/library/bb932151.aspx

    Still no change

    ~Luke http://thephuck.com

    • Edited by cougar694u Wednesday, March 6, 2013 9:46 PM
    Wednesday, March 6, 2013 9:21 PM