SELECT * FROM WMIMonitorID causes Access Denied

  • General discussion

  • Hi

    I have some VBScript that queries the WMIMonitorID class of the root\WMI namespace.

    It works when I log in with local admin.

    It fails otherwise.

    I have run Wmimgmt.msc and made sure that Authenticated users have the required rights, they do.

    Other scripts using \root\cimv2, such as querying Win32_DesktopMonitor, work fine.

    Other classes in root\WMI, such as MSNdis_EthernetCurrentAddress, also work and return values (I've been using the WMI Code Creator to test), but most of the classes return Access Denied.

    I have tried adding my user to various local groups; only Admin works.  My code is below.

    Any ideas?  We have quite a locked-down environment, mostly GPO controlled.

    Option Explicit

    Dim strComputer, objWMIService, colItems, objItem

    strComputer = "localhost"

    Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
      & strComputer & "\root\wmi")

    Set colItems = objWMIService.ExecQuery _
      ("SELECT * FROM WMIMonitorID")

    For Each objItem In colItems
      Wscript.Echo objItem.InstanceName
    Next

    Tuesday, September 22, 2015 1:49 PM

All replies

  • So what's your question?

    Run your script as administrator.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, September 22, 2015 2:17 PM
    Moderator
  • Basically, what else could be restricting normal users from accessing the root\WMI namespace?

    Tuesday, September 22, 2015 2:27 PM
  • Oh, and running the script as admin isn't an option, as I need this as a script to detect screen numbers and sizes prior to opening an application that isn't responsive and relies on a shed load of ini files.
    Tuesday, September 22, 2015 2:33 PM
  • Oh, and running the script as admin isn't an option

    Unfortunately we can't always have it the way we want.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, September 22, 2015 2:33 PM
    Moderator
  • Search for the instructions on how to allow users access to DCOM.  WMI is only half of the issue.

    Be careful how you implement this.


    \_(ツ)_/

    Tuesday, September 22, 2015 3:19 PM
  • Search for the instructions on how to allow users access to DCOM.  WMI is only half of the issue.

    Be careful how you implement this.


    \_(ツ)_/

    Been there, done that :-(  Added users into the relevant groups (but I will double check).

    The thing I am looking at now is the security setting "Impersonate a client after authentication".

    What I don't understand is why our normal users can query some parts of the WMI namespace, but not others?

    Edit - yep, checked, Everyone has Local Launch/Local Activation rights in COM security.  Plus my normal user account is in "Distributed COM Users".

    Edit 2 - I even REMOVED the "Launch and Activation" limits for the Administrators group.  My admin account still worked.  When I removed the Everyone limits, my admin account failed - but failed with a Permission Denied error on the GetObject, not the same error as when my normal account is running the script.  This shows my "Everyone" setting is working, but my normal account is broken somewhere else.

    • Edited by ACM67 Wednesday, September 23, 2015 2:41 PM
    Wednesday, September 23, 2015 8:56 AM
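
The observation in the thread that some root\WMI classes answer a standard user while most return Access Denied can be mapped class by class. The script below is an added example, not part of the original thread; it reuses the connection string from the original post, and the variable names and output format are assumptions. Run it with cscript.exe as the standard user and again as an administrator, then compare the two outputs.

```vbscript
' Added diagnostic example (not code from the thread).
' Lists which classes in root\wmi the current user can enumerate.
Option Explicit

Const WBEM_E_ACCESS_DENIED = &H80041003   ' WMI "access denied" HRESULT

Dim objWMIService, colClasses, objClass, colInstances
Dim strClass, lngCount, lngErr, nOk, nDenied, nOther

Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
  & "localhost\root\wmi")

' With no superclass name, SubclassesOf returns every class in the namespace.
Set colClasses = objWMIService.SubclassesOf()

nOk = 0 : nDenied = 0 : nOther = 0

For Each objClass In colClasses
  strClass = objClass.Path_.Class
  ' Skip WMI system classes (names starting with two underscores).
  If Left(strClass, 2) <> "__" Then
    On Error Resume Next
    Err.Clear
    Set colInstances = objWMIService.InstancesOf(strClass)
    ' Reading Count forces the enumeration, which is where the error surfaces.
    If Err.Number = 0 Then lngCount = colInstances.Count
    lngErr = Err.Number
    On Error GoTo 0

    If lngErr = 0 Then
      nOk = nOk + 1
      WScript.Echo "OK      " & strClass & " (" & lngCount & " instances)"
    ElseIf lngErr = WBEM_E_ACCESS_DENIED Then
      nDenied = nDenied + 1
      WScript.Echo "DENIED  " & strClass
    Else
      ' Abstract classes, event classes or absent hardware land here.
      nOther = nOther + 1
      WScript.Echo "OTHER   " & strClass & " (0x" & Hex(lngErr) & ")"
    End If
  End If
Next

WScript.Echo "Readable: " & nOk & "  Denied: " & nDenied & "  Other: " & nOther
```

Classes that show DENIED for the standard user but OK for the administrator are the ones to investigate further.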