Cannot access remote computer management (MMC) between two workgroup Win7 PCs

  • Question

  • It's impossible to even understand how unbelievably pissed off I am right now. You know, when you tell a network administrator, that "access is denied" to his own home PCs? Hmm? Do you? You can't even imagine. I DO NOT take kindly to my computers giving me an error saying "Access denied". With that said, let's continue.

    "SERVICES".
    "ACTIONS -> CONNECT TO ANOTHER COMPUTER"
    Enter computer name.
    OK.
    "ERROR 5: ACCESS IS DENIED"

    This is not difficult. This is standard functionality in Windows. All admin accounts. Forced login via "net use" before connecting. Stored credentials. Same passwords and logins on each. Everything. Exactly. As. It. Should. Be.

    3 computers, all cannot manage each other. 2 Win7 Pro x64 and 1 Win7 Home x64.
    Comp1 -> Comp3 [FAIL]
    Comp3 -> Comp1 [FAIL]
    Comp2 -> Comp3 [FAIL]
    Comp3 -> Comp2 [FAIL]
    Comp2 -> Comp1 [FAIL]
    Comp1 -> Comp2 [FAIL]

    All firewalls are disabled. No matter what, if I do it from Computer Management, or from Services, or from Regedit... EVERY SINGLE ONE fails. I simply CANNOT ACCESS these remote services and it's pissing me right off.

    And above all, how the hell has nobody on the internet ever even tried using this functionality before? How? Please tell me. There are zero relevant google results for this situation. Not a single person using Windows 7 has ever had this issue before. Has nobody even tried? Does nobody use "Connect to another computer"?

    If you read this post, at LEAST have the decency to reply. Unless you're from Microsoft, and are going to regurgitate some "how to open computer management" page and mark it as the answer, in standard form... all too used to that behavior by now.

    Sunday, March 6, 2011 4:51 AM

Answers

  • The last few posts in this topic (using Easy Transfer from a good system, export Shared Windows Settings only, import on broken PC), worked to fix the DCOM issue, but I still... yeah, still couldn't access Services on ZBOX. 

    Then, with the help of some virtual machines and fresh installs, I got it nailed. UAC.

    I set up identical Win7 RTM x64 Home Premium virtual machines* and I saw exactly the same behavior there too, on brand new systems. So I knew it wasn't a problem with my system. And, recalling the event log from auditing failures, it seems that my user account was being denied access to the services DB. As it should be with UAC without elevation.

    See, when UAC is enabled, the "admin user account" is not an admin. The system utilizes "UAC virtualization", which basically "RunAs"'s a process with elevated privileges as needed. Since network access uses the local user account, that's why you don't get (and never will get) share access to your Program Files and Windows folders.

    So, on the test virtual machines, I set them both to "Never prompt". Then rebooted. Then tested it. Both ways connected successfully to the Services manager. OK. So I enabled UAC on the first VM and left it off on the other, and rebooted. Now the second VM (UAC disabled) couldn't access the first (UAC enabled) anymore. But the first (enabled) could access the second (disabled). Pretty much nailed that one now.

    Still shocked that nobody has bothered trying this before, as evidenced by the lack of Google results... I guess there will be Google results now (congrats!) ;)

    * - and in the process of getting them to both run at the same time, I also resolved a bug in VMware Player that carried over from a VMware memory management issue in Win7 SP1 - so yay, now my Zbox can run my Virtual WHS without crapping out!
    • Marked as answer by FalconFour Sunday, March 6, 2011 7:36 PM
    Sunday, March 6, 2011 7:35 PM
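
Added example, not part of the original thread: a read-only PowerShell check, run on the target PC, for the UAC settings behind the behaviour the answer above describes, where a local administrator account connecting from another workgroup PC receives a filtered token. The registry value names are the standard Windows policy values; the function names are made up for this example, and treating a missing `EnableLUA` as enabled is an assumption.

```powershell
# Added example (not from the thread). Read-only: nothing is changed.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Name, [int]$Default)
    # A missing value means Windows applies its default, so return that.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -and ($null -ne $item.$Name)) { return [int]$item.$Name }
    return $Default
}

function Get-RemoteAdminTokenState {
    $lua      = Get-PolicyValue -Name 'EnableLUA' -Default 1   # assumption: absent = on
    $noFilter = Get-PolicyValue -Name 'LocalAccountTokenFilterPolicy' -Default 0
    $rid500   = Get-PolicyValue -Name 'FilterAdministratorToken' -Default 0

    # Local (non-domain) members of Administrators logging on over the network.
    if ($lua -eq 0) {
        $local = 'Full token (UAC disabled)'
    } elseif ($noFilter -eq 1) {
        $local = 'Full token (remote token filtering switched off)'
    } else {
        $local = 'Filtered token: remote Services, registry and C$ are denied'
    }

    # The built-in Administrator account is filtered only when Admin Approval
    # Mode has been applied to it and remote filtering is still in effect.
    if ($lua -eq 1 -and $rid500 -eq 1 -and $noFilter -eq 0) {
        $builtin = 'Filtered token'
    } else {
        $builtin = 'Full token'
    }

    New-Object PSObject -Property @{
        Computer                      = $env:COMPUTERNAME
        EnableLUA                     = $lua
        LocalAccountTokenFilterPolicy = $noFilter
        FilterAdministratorToken      = $rid500
        LocalAdminsOverNetwork        = $local
        BuiltinAdministratorOverNet   = $builtin
    }
}

Get-RemoteAdminTokenState | Format-List
```

A "Filtered token" result for local administrators is the Windows 7 default and matches the "Error 5" in the question. Turning UAC off or setting `LocalAccountTokenFilterPolicy` to 1 lifts it for every local administrator account on that PC, which also removes a barrier against reuse of a shared local admin password from another machine.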

All replies

  • Found another few relevant oddities, with the help of a user on another forum I posted this to. Cross-posting this reply for reference... might be a DCOM problem on at least one of these PCs.

    Quote:
    Originally Posted by Fëanor View Post
    This definitely works in Win7. Hmmm, you've covered a lot of bases already but here are the ideas I have left:

    Are you running Active Directory or are these all local logins?

    All the software firewalls are disabled, how about other LAN hardware? Knowing you, there is a Layer 3 switch or a router somewhere in the mix here; is it configured to allow all LAN traffic between these IP's? Pretty sure that WMI, RPC, or DCOM all use TCP port 445.

    What's the status of the Remote Procedure Call service on all the PC's? DCOM Server Process Launcher service? Windows Management Instrumentation?

    Is anything being logged in the Event Viewer that gives you more info about the credentials it is using, etc.?

    Under Admin Tools > Component Services right click on My Computer and select the COM Security tab. As a test maybe Edit the Launch and Activation permissions to allow Everyone remote launch and activation? Doesn't seem likely since the Administrators group already has that access. You could also try explicitly adding the admin user rather than implicitly doing it through the group.
    I appreciate a good geek... so much 

    Funny, because earlier tonight I had a friend check if his systems work right too... they didn't (access denied). I'll try those tips (and probably edit back with results), but... how's your system set up? Are they on a domain? Using homegroup? Any shares on the systems? Is UAC enabled or disabled?

    Strange, after that test I had my friend do, I had it pegged as a UAC issue (I leave UAC enabled on all my computers)... seems it was using the local user account without UAC virtualization, which doesn't have permission to access those things without UAC elevation. I can connect to Computer Management on the affected systems, but I can't open any of the functions (disk management, devmgmt, services, events, etc). If I go to Services directly and "connect to another computer", I just get "access denied" after a short delay.

    In the event log, I enabled audit-on-failure for all options in Local Security Policy, and the only entry in the security log after doing a "failed connect" is one failure to... well... denied access to *checks log*... OH MY GOD WTF, flood of "The Windows Filtering Platform has blocked a connection" events for Apache... damnit, I bet my website's been down all night! Probably because I disabled the Firewall service. Ugh. Anyway... denied access t--... great, the end of the log was cut off due to the 32,000+ Apache connections that were blocked over the past several hours. Thanks, Windows.  Well, according to my Google history, it was "connect to service controller" and "enumerate services" that it was requesting. Curiously, it was the local system that was denied, which leads me to think it's a UAC thing...

    edit: Ohh, this is delightful. See attachment.

    edit edit: Hmm, I should probably dual-window this and answer all your questions one by one 
    Are you running active directory? No, no and no. I get enough of that at work 
    How about other LAN hardware? Eh, pretty basic setup: 2 5-port GbE switches in my bedroom, one 8-port GbE in the hall wiring closet, one 5-port GbE in the living room, then it gets complicated with 2 separate subnets to isolate my wireless DHCP from the site-wide "courtesy internet" provided by the complex... wired LAN is all static-IPv4 on the same Phy as all other computers in the building (manual subnet). Wireless isn't even used by me at home, but that's the primary network of the media center/server. Server (one of the PCs I tried) has one "leg" in each network, with its WLAN adapter being the primary connection (default gateway) and GbE LAN as a LAN-only (no GW) connection. Sadly, if Windows has 2 default GWs, it gets unpredictable, I wish I could give it a GW but keep it from using it. Come to think of it I guess I could manually give it a high metric. But that might be one potential problem, Windows considers the GbE LAN to be "Public" but I have the firewall disabled anyway. No routing between the two networks, just too much trouble to set up.
    RPC service? All systems go, otherwise I wouldn't have clipboard and I'd definitely notice that!
    DCOM Server Process Launcher? Running on laptop, running on server, pretty sure it was running on desktop too.
    WMI? Also running on both, to be not running on the desktop would've also been a red flag 
    Event Viewer? See above.
    DCOM? Well on the ZBOX (server), it's working fine. The other PC is off and, well, don't want to boot it now because... my laptop you can see above, has a bit of a DCOM issue. I wonder if that was to blame for the laptop<->2 and 3 issues, and something else would be to blame for the other two (HomeGroup, maybe). I'll look into the DCOM thing...
    • Edited by FalconFour Sunday, March 6, 2011 1:53 PM added link to "see attachment" since we can't upload attachments here, grr.
    Sunday, March 6, 2011 1:51 PM
  • Yes, I understand the problem.

    When you are creating the MMC snap-in, you are already choosing the default console mode as Author, so when you are connecting to the remote system, before saving the file you should go to File > Option > Console mode = User Mode - Full Access, then save the file.

    Only then can you take control of the remote system.

    Thursday, August 17, 2017 5:59 PM