Cannot Connect to Domain Joined Server using WMI with Domain Admin Account

  • Question

  • Hey All:

    I am working on a network and systems monitoring solution (Nagios, but the problem I am having is coming from Windows, not specifically from Nagios) to monitor roughly 100 Windows Server VMs, and rather than having to push an agent to every one of them, I want to be able to just have it connect to everything nicely over WMI.

    In the monitoring system I try to connect to some test machines with a Domain Admin Account (confirmed that Domain Admins are in fact part of the Administrators group on the machine I am connecting to) but I get 

      [wmi/wmic.c:196:main()] ERROR: Login to remote object.

      NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

    If I put in the credentials for the actual Administrator local account on the machine, it lets me connect and configure WMI for that machine, but using the local Administrator account for 100 virtual servers is not really an option so I need to be able to use a domain account that I can restrict properly and deploy connection settings for via GPO. I have followed about 6 different articles that say roughly the same as this:

    https://www.infrasightlabs.com/setting-wmi-access-ad-gpo

    If I follow these instructions and add a local user with the rights described above in the article, I try to connect and get a different error:

      [wmi/wmic.c:212:main()] ERROR: Retrieve result data.

      NTSTATUS: NT code 0x80041003 - NT code 0x80041003

    The only other thing I have seen suggested is to disable UAC on the desired machines, but due to compliance and security at my organization that is a non-option. I would really like to see what I can do to get WMI working, not just for server monitoring but we also have an upcoming project to implement a system that will also do some monitoring of user endpoints over WMI as well so I really need to know how to get this working. Any suggestions are greatly appreciated! Thank you!

    Friday, June 16, 2017 12:00 PM

Answers

  • I just figured this out and I am not particularly sure if this is because of the way Nagios is passing my UPN or if this is something with the way Windows handles remote authentication requests for WMI, but after trying my UPN, my SAM Account Name, and DOMAIN\USERNAME format I ended up checking through the security logs and saw some login failure events which I drilled down into.

    Our domain uses a different UPN domain than our actual machines are joined to. For example, my UPN is user@xyz.com, whereas machines get joined to domain.xyz.org. For whatever reason, WMI was trying to authenticate my Domain Admin account to the xyz.com domain rather than authenticating my UPN against domain.xyz.org, and it was failing because it didn't see that username in a nonexistent domain as far as it was concerned. So I had to change the service account from DOMAINADMIN@xyz.com to DOMAINADMIN@domain.xyz.org and it worked just fine.

    Hopefully this helps someone else out in the future who has a different external domain from their internal domain and comes looking here out of confusion.

    • Marked as answer by Brolide Friday, June 16, 2017 12:27 PM
    Friday, June 16, 2017 12:26 PM
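The diagnosis above (a UPN suffix that does not match the domain the machines are joined to, found by reading the target's logon-failure events) can be reproduced in a repeatable way. The script below is an added example, not code from the thread: it probes one test host over DCOM with the three spellings of the same account, then pulls the matching Event ID 4625 records from that host so the TargetDomainName field shows which domain the logon was actually tried against. Host name, account names and the password prompt are placeholders; it assumes you can read the target's Security log remotely and that the firewall allows WMI/DCOM and remote event log access.

```powershell
# Added example (not from the thread). Probe a host over DCOM/WMI with one
# credential spelling, then read 4625 logon failures from the target to see
# which domain the logon was evaluated against.

function Test-WmiLogon {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # DCOM is the transport the Linux wmic client and classic WMI use, so the
    # result follows the same authentication path that failed in the thread.
    $opt = New-CimSessionOption -Protocol Dcom
    try {
        $s  = New-CimSession -ComputerName $ComputerName -Credential $Credential -SessionOption $opt -ErrorAction Stop
        $os = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
        Remove-CimSession $s
        [pscustomobject]@{ User = $Credential.UserName; Ok = $true;  Detail = $os.Caption }
    } catch {
        [pscustomobject]@{ User = $Credential.UserName; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Get-RecentLogonFailures {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $Minutes = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name from the event XML, not by positional index.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            TargetUser   = $d['TargetUserName']
            TargetDomain = $d['TargetDomainName']   # domain the logon was actually tried against
            Status       = $d['Status']             # 0xC0000064 = no such account in that domain
            SubStatus    = $d['SubStatus']
            Source       = $d['IpAddress']
        }
    }
}

# Placeholder host and account names; replace with your own test server.
$target = 'SERVER01.domain.xyz.org'
$pw     = Read-Host -AsSecureString -Prompt 'Service account password'
foreach ($u in 'DOMAINADMIN@xyz.com', 'DOMAINADMIN@domain.xyz.org', 'DOMAIN\DOMAINADMIN') {
    Test-WmiLogon -ComputerName $target -Credential (New-Object System.Management.Automation.PSCredential($u, $pw))
}
Get-RecentLogonFailures -ComputerName $target | Format-Table -AutoSize
```

A failure row whose TargetDomain is the UPN suffix rather than the joined domain, with Status 0xC0000064, is the symptom described in the answer; the 0x80041003 seen after the GPO change is WBEM_E_ACCESS_DENIED, i.e. the logon succeeded but the account lacks rights on the WMI namespace itself.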

All replies

  • Hi,

    Thanks for your posting here and sharing the resolution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 19, 2017 1:23 AM