Remote WMI queries to SCCM 2007 root\sms\site_cod get access denied

Question
-
I wrote a script a long time ago that creates a VM, then imports the computer into SCCM with the MAC address, and adds it to a collection with a mandatory OSD.
It's been working for years, but recently (today) I tried running it and it gets Access Denied when it verifies no computers with the same name exist.
This simple query fails with access denied: gwmi "SMS_R_System" -ComputerName sccm_server -namespace "root\sms\Site_sms"
I can run this fine: gwmi Win32_BIOS -ComputerName sccm_server
If I RDP into the sccm server, I can run the commands just fine, and I'm logged on with the same account in either instance. My account is also a domain admin; I've checked WMI permissions and local admins have full control (and domain admins are a member of local admins). Windows firewall is off, there's no other firewall in between, but like I said, it works for a different namespace; only root\sms\site_ seems to be acting up. I'm on SCCM 2007 R2 SP2.
I've been pulling what little hair I have left out to figure this out, even checked DCOM Config.
Any thoughts or suggestions?
~Luke
Wednesday, February 27, 2013 6:11 PM
All replies
-
Elevation. Did you elevate your PowerShell instance when running local?
Jason | http://blog.configmgrftw.com
Wednesday, February 27, 2013 9:07 PM -
No, it's run under my user context. Main thing is it's worked flawlessly on the same system for a long time. I've tried multiple machines using wbemtest and I can connect to root\cimv2 without issue, but get access denied when running "select * from SMS_R_System" against root\sms\site_cde.
That being said, I did notice I cannot retrieve advertisement status anymore; I have to launch the console from the site server itself. Melvin applied a patch recently, but no one else has complained of this, and others have run my script without complaint.
Let's see if he remembers anything about it...
**EDIT**
Forgot to add that running wbemtest locally on the site server allows the query of root\sms\site_cde just fine.
~Luke thephuck.com
- Edited by cougar694u Friday, March 1, 2013 4:46 AM added infoz
Friday, March 1, 2013 4:43 AM -
Do you have the RPC ports open so you can do a remote WMI connection?
http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
Saturday, March 2, 2013 2:51 AM -
Yes, the ports are open, as I can query root\cimv2 from remote machines.
**EDIT**
It is only root\sms\site_cde where I get access denied.
~Luke http://thephuck.com
- Edited by cougar694u Sunday, March 3, 2013 12:07 AM
Sunday, March 3, 2013 12:06 AM -
You could check the WMI permissions for that namespace; a comparison with a dev\test site's permissions can help you reconfigure them.
Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes
- Proposed as answer by Garth JonesMVP Friday, December 26, 2014 9:32 PM
- Marked as answer by Garth JonesMVP Saturday, January 3, 2015 5:10 PM
Sunday, March 3, 2013 12:31 AM -
I've tried this, too. My account is a DA, which is a member of local Admins, and local Admins have full control to WMI. I've checked this twice for sanity reasons :P
~Luke http://thephuck.com
Monday, March 4, 2013 8:32 PM -
I tried removing and adding permissions hoping to reset the ACLs, but still get access denied remotely querying root\sms\site_wss. It works fine locally, or when querying root\cimv2 remotely.
**EDIT**
Also checked this: http://technet.microsoft.com/en-us/library/bb932151.aspx
Still no change.
~Luke http://thephuck.com
- Edited by cougar694u Wednesday, March 6, 2013 9:46 PM
Wednesday, March 6, 2013 9:21 PM
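
One way to carry out the namespace permission check suggested in the marked answer, as an added example that is not part of the original thread: it reads the namespace security descriptor through `__SystemSecurity` and lists, per trustee, the granted WMI rights and whether Remote Enable is among them. The function name `Get-WmiNamespaceAcl` is hypothetical and `root\sms\site_XXX` is a placeholder for the real site namespace.

```powershell
# Added example: dump a WMI namespace DACL and show which trustees hold Remote Enable.
# Run it in an elevated session on the server that hosts the namespace.
param(
    [string]$Namespace    = 'root\sms\site_XXX',  # placeholder: substitute your site code
    [string]$ComputerName = '.'
)

# WMI namespace rights (WBEM_* access-mask bits) plus the two standard rights WMI uses.
$Rights = @{
    0x1     = 'EnableAccount'
    0x2     = 'ExecuteMethods'
    0x4     = 'FullWrite'
    0x8     = 'PartialWrite'
    0x10    = 'ProviderWrite'
    0x20    = 'RemoteEnable'
    0x20000 = 'ReadSecurity'
    0x40000 = 'EditSecurity'
}

function Get-WmiNamespaceAcl {   # hypothetical helper name
    param([string]$Namespace, [string]$ComputerName = '.')

    $sd = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace returned $($sd.ReturnValue)"
    }

    foreach ($ace in $sd.Descriptor.DACL) {
        $mask  = [long]$ace.AccessMask
        # Unresolvable accounts have no name, so fall back to the SID string.
        $who   = $ace.Trustee.SIDString
        if ($ace.Trustee.Name) { $who = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
        $kind  = 'Allow'
        if ($ace.AceType -eq 1) { $kind = 'Deny' }
        $names = $Rights.Keys | Sort-Object |
            Where-Object { $mask -band $_ } | ForEach-Object { $Rights[$_] }
        New-Object PSObject -Property @{
            Trustee      = $who
            Type         = $kind
            Inherited    = [bool]($ace.AceFlags -band 0x10)   # INHERITED_ACE flag
            RemoteEnable = [bool]($mask -band 0x20)
            Rights       = $names -join ', '
        }
    }
}

Get-WmiNamespaceAcl -Namespace $Namespace -ComputerName $ComputerName |
    Select-Object Trustee, Type, Inherited, RemoteEnable, Rights |
    Format-Table -AutoSize
```

Run it on the affected site server and on a dev\test site, then compare the two listings. A trustee granted EnableAccount without RemoteEnable, or matched by a Deny entry, can query the namespace locally but not from another machine.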