none
WMI Remote "Access Denied"

    Question

  • My ability to remote access WMI has been lost.  This was working fine and I was able to access whatever I needed until the first week of April.  I can no longer remote access WMI on anything in my environment (2003/2008 servers or XP/7 workstations).  Here some specifics:

    1) I am a Domain Admin and verified I'm a local Administrator of every workstation/server I log into.  I can also access WMI on a server or workstation while logged in.

    2a) Thinking something in Group Policy had changed or went awry I joined to brand new images to the domain and moved them to a container that has no policies applied.  This did not help.

    2b) Along the same line of thinking I wanted to verify another web application or system update did not cause this problem so I tested with a fresh install of XP/7 and had no success.

    3) Since this happened I've been researching articles and have looked and verified the WMI and DCOM security settings were correct.  I've tried changing the settings on several machines to see if anything would work with no success.

    4) WBEMTEST works fine. I can connect locally and query anything I want.  It does not work if I try it remotely.  I recieve a "Number: 0x80070005 Access Denied" error.

    5) Scanned for virus' and malware and have turned up nothing.

    6) As a side note, I created a domain controller and a windows 7 VM on a private network.  Without changing a thing I verified remote WMI work just fine.  Comparing ACL's and security settings between the test domain environment and my prodcution showed the same exact settings.

    What else am I missing?  Obviously something changed in my environment and has locked down WMI but I can't find what it is.  Anyone have any other suggestions?


    Thursday, June 7, 2012 8:18 PM

Answers

  • Step 1. DCOM permission

     

    1. Open Dcomcnfg
    2. Expand Component Service -> Computers -> My computer
    3. Go to the properties of My Computer
    4. Select the COM Security Tab
    5. Click on "Edit Limits" under Access Permissions, and ensure "Everyone" user group has "Local Access" and "Remote Access" permission.
    6. Click on the "Edit Limit" for the launch and activation permissions, and ensure "Everyone" user group has "Local Activation" and "Local Launch" permission.
    7. Highlight "DCOM Config" node, and right click "Windows Management and Instruments", and click Properties.
    8. <Please add the steps to check Launch and Activation Permissions, Access Permissions, Configuration Permissions based on the default of Windows Server 2008>

     

    Step 2. Permission for the user to the WMI namespace

     

    1. Open WMImgmt.msc
    2. Go to the Properties of WMI Control
    3. Go to the Security Tab
    4. Select "Root" and open "Security"
    5. Ensure "Authenticated Users" has "Execute Methods", "Provider Right" and "Enable Account" right; ensure Administrators has all permission.

     

    Step 3. Verify WMI Impersonation Rights

     

    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Under Local Computer Policy, expand Computer Configuration, and then expand Windows Settings.
    3. Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    4. Verify that the SERVICE account is specifically granted Impersonate a client after authentication rights. 

    I appreciate your time and effort.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, June 11, 2012 7:21 PM
  • This article might help in troubleshooting.

    http://technet.microsoft.com/en-us/library/ee692772.aspx

    On XP and above you can use the following command to rebuild the WMI repository:

    rundll32 wbemupgd, UpgradeRepository

    The following commands reinstall WMI in the registry:

    winmgmt /clearadap
    winmgmt /kill
    winmgmt /unregserver
    winmgmt /regserver
    winmgmt /resyncperf

         

    Richard Mueller - MVP Directory Services

    Tuesday, June 12, 2012 4:19 PM

All replies

  • hi,

    try below mentioned with alternative credentials i.e. client local Administrator, and post the results,

    WMIC /node:clientpc /user:clientpc\administrator /password:password computersystem get totalphysicalmemory

    Saturday, June 9, 2012 6:37 PM
  • Hey -

    Thanks for replying back.  Upon trying the command above for a remote PC I get:

    ERROR: Description = Access is denied.

    When trying out the command 'WMIC computersystem get totalphysicalmemory' on the local PC it works fine and returns the total memory.

    Monday, June 11, 2012 12:31 PM
  • can you check windows firewall.

    Monday, June 11, 2012 1:08 PM
  • Yes Windows Firewall has been disabled via Group Policy and I've been assured by my Network Engineer that we have not implemented any port blocking mechanism s in the past couple of months.
    Monday, June 11, 2012 7:08 PM
  • Step 1. DCOM permission

     

    1. Open Dcomcnfg
    2. Expand Component Service -> Computers -> My computer
    3. Go to the properties of My Computer
    4. Select the COM Security Tab
    5. Click on "Edit Limits" under Access Permissions, and ensure "Everyone" user group has "Local Access" and "Remote Access" permission.
    6. Click on the "Edit Limit" for the launch and activation permissions, and ensure "Everyone" user group has "Local Activation" and "Local Launch" permission.
    7. Highlight "DCOM Config" node, and right click "Windows Management and Instruments", and click Properties.
    8. <Please add the steps to check Launch and Activation Permissions, Access Permissions, Configuration Permissions based on the default of Windows Server 2008>

     

    Step 2. Permission for the user to the WMI namespace

     

    1. Open WMImgmt.msc
    2. Go to the Properties of WMI Control
    3. Go to the Security Tab
    4. Select "Root" and open "Security"
    5. Ensure "Authenticated Users" has "Execute Methods", "Provider Right" and "Enable Account" right; ensure Administrators has all permission.

     

    Step 3. Verify WMI Impersonation Rights

     

    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Under Local Computer Policy, expand Computer Configuration, and then expand Windows Settings.
    3. Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    4. Verify that the SERVICE account is specifically granted Impersonate a client after authentication rights. 

    I appreciate your time and effort.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, June 11, 2012 7:21 PM
  • Thank you for trying.  I've gone through and verified these are the correct settings on serveral of my workstations and still yield the same "Access Denied" results. 
    Tuesday, June 12, 2012 1:06 PM
  • This article might help in troubleshooting.

    http://technet.microsoft.com/en-us/library/ee692772.aspx

    On XP and above you can use the following command to rebuild the WMI repository:

    rundll32 wbemupgd, UpgradeRepository

    The following commands reinstall WMI in the registry:

    winmgmt /clearadap
    winmgmt /kill
    winmgmt /unregserver
    winmgmt /regserver
    winmgmt /resyncperf

         

    Richard Mueller - MVP Directory Services

    Tuesday, June 12, 2012 4:19 PM
  • I know this thread is old, but was top on the search hit list, so I thought I would add to it.

    I had issues with a new 2008 R2 server build giving Access Denied errors. I found an article referencing winrm. I ran winrm quickconfig and it returned an error saying that the time didn't match. Sure enough, the time was about 8 minutes off. I corrected the time and issue was resolved.

    Odd that I didn't receive errors when logging in to the domain with the time issue and that it only affected remote WMI calls.

    Ernie

    • Proposed as answer by NickD_CA Thursday, November 23, 2017 4:27 PM
    Friday, June 13, 2014 6:35 PM
  • Thank you!

    I ran winrm quickconfig and was prompted to configure LocalAccountTokenFilterPolicy to grant admin rights remotely to local users

    • Proposed as answer by 'Avi' Wednesday, December 9, 2015 12:29 PM
    Monday, August 4, 2014 7:19 PM
  • This helped when accessing server 2012 r2 standalone wmi remotely with local user.
    Wednesday, December 9, 2015 12:29 PM
  • This should really be the first thing to check, before the laborious process of checking WMI and Dcom permissions. When I ran winrm quickconfig, it reported that remote access was turned off and turned it on for me. 

    If you are using the Windows firewall, this command will also configure the appropriate rules within the firewall.
    Wednesday, July 20, 2016 3:34 PM
  • After 8 hours trying everything else, this worked!

    Windows 10 Home

    Thank you!!


    • Edited by Frankpc3 Saturday, October 28, 2017 5:54 PM
    Saturday, October 28, 2017 5:54 PM
  • Firewall needs to be set to Private or Domain (not Public) for 'winrm quickconfig' to work...

    PS C:\> Get-NetConnectionProfile | Set-NetConnectionProfile  -NetworkCategory Private


    Nick Dorak

    Thursday, November 23, 2017 4:26 PM
  • what did you do?
    Tuesday, November 28, 2017 8:08 PM
  • I ran the following from command prompt to correct the issue...

    Powershell.exe -Command "& {Get-NetConnectionProfile | Set-NetConnectionProfile  -NetworkCategory Private; winrm quickconfig -force}"

    Also found some computers required firewall exceptions as well...

    powershell -Command "& {Get-NetConnectionProfile | Set-NetConnectionProfile  -NetworkCategory Private; winrm quickconfig -force; Enable-NetFirewallRule -Name 'WMI-WINMGMT-In-TCP'; Enable-NetFirewallRule -Name 'WMI-RPCSS-In-TCP'}"

     


    Nick Dorak

    Wednesday, November 29, 2017 4:12 PM
  • D:\VS2013Express>wmic /node:FQDN.of.my.server.com /user:myUserName@Domain /password:pwd OS get FreePhysicalMemory
    FreePhysicalMemory
    522748436

    If Domain is not set, ignore @Domain part.

    Tuesday, March 13, 2018 11:43 AM
  • Hello Team,


    I have faced the same Access Denied error(0x80070005) while trying to connect from Windows 2016 server(DOMAIN) to Windows 2012 R2 Server(WORKGROUP(the name is assign different for workgroup)) using Wbemtest(WMI). The following permission are assign to user :

    1. User in Local Administrator group

    2. DCOM & WMI permission is assigned, Also UAC is disabled.

    3. In <g class="gr_ gr_873 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" data-gr-id="873" id="873">gpedit</g>.<g class="gr_ gr_911 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="911" id="911">msc</g> User Right Assignment has set to Everyone.

    The only thing is to notice the Target server is in DMZ & all the rules are allowed to connect. Please, <g class="gr_ gr_1422 gr-alert gr_gramm Punctuation only-ins replaceWithoutSep" data-gr-id="1422" id="1422">someone</g> help me with this issue.

    Kindly Reply on high Priority. Thanks in Advanced.


    Pritam.

    Sunday, April 14, 2019 9:18 AM
  • some additional point to remember, When we try with Default Administrator account then it connects successfully.

    Pritam

    Sunday, April 14, 2019 9:25 AM