none
WMI Remote "Access Denied"

    Question

  • My ability to remote access WMI has been lost.  This was working fine and I was able to access whatever I needed until the first week of April.  I can no longer remote access WMI on anything in my environment (2003/2008 servers or XP/7 workstations).  Here some specifics:

    1) I am a Domain Admin and verified I'm a local Administrator of every workstation/server I log into.  I can also access WMI on a server or workstation while logged in.

    2a) Thinking something in Group Policy had changed or went awry I joined to brand new images to the domain and moved them to a container that has no policies applied.  This did not help.

    2b) Along the same line of thinking I wanted to verify another web application or system update did not cause this problem so I tested with a fresh install of XP/7 and had no success.

    3) Since this happened I've been researching articles and have looked and verified the WMI and DCOM security settings were correct.  I've tried changing the settings on several machines to see if anything would work with no success.

    4) WBEMTEST works fine. I can connect locally and query anything I want.  It does not work if I try it remotely.  I recieve a "Number: 0x80070005 Access Denied" error.

    5) Scanned for virus' and malware and have turned up nothing.

    6) As a side note, I created a domain controller and a windows 7 VM on a private network.  Without changing a thing I verified remote WMI work just fine.  Comparing ACL's and security settings between the test domain environment and my prodcution showed the same exact settings.

    What else am I missing?  Obviously something changed in my environment and has locked down WMI but I can't find what it is.  Anyone have any other suggestions?


    Thursday, June 07, 2012 8:18 PM

Answers

  • Step 1. DCOM permission

     

    1. Open Dcomcnfg
    2. Expand Component Service -> Computers -> My computer
    3. Go to the properties of My Computer
    4. Select the COM Security Tab
    5. Click on "Edit Limits" under Access Permissions, and ensure "Everyone" user group has "Local Access" and "Remote Access" permission.
    6. Click on the "Edit Limit" for the launch and activation permissions, and ensure "Everyone" user group has "Local Activation" and "Local Launch" permission.
    7. Highlight "DCOM Config" node, and right click "Windows Management and Instruments", and click Properties.
    8. <Please add the steps to check Launch and Activation Permissions, Access Permissions, Configuration Permissions based on the default of Windows Server 2008>

     

    Step 2. Permission for the user to the WMI namespace

     

    1. Open WMImgmt.msc
    2. Go to the Properties of WMI Control
    3. Go to the Security Tab
    4. Select "Root" and open "Security"
    5. Ensure "Authenticated Users" has "Execute Methods", "Provider Right" and "Enable Account" right; ensure Administrators has all permission.

     

    Step 3. Verify WMI Impersonation Rights

     

    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Under Local Computer Policy, expand Computer Configuration, and then expand Windows Settings.
    3. Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    4. Verify that the SERVICE account is specifically granted Impersonate a client after authentication rights. 

    I appreciate your time and effort.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, June 11, 2012 7:21 PM
  • This article might help in troubleshooting.

    http://technet.microsoft.com/en-us/library/ee692772.aspx

    On XP and above you can use the following command to rebuild the WMI repository:

    rundll32 wbemupgd, UpgradeRepository

    The following commands reinstall WMI in the registry:

    winmgmt /clearadap
    winmgmt /kill
    winmgmt /unregserver
    winmgmt /regserver
    winmgmt /resyncperf

         

    Richard Mueller - MVP Directory Services

    Tuesday, June 12, 2012 4:19 PM

All replies

  • hi,

    try below mentioned with alternative credentials i.e. client local Administrator, and post the results,

    WMIC /node:clientpc /user:clientpc\administrator /password:password computersystem get totalphysicalmemory

    Saturday, June 09, 2012 6:37 PM
  • Hey -

    Thanks for replying back.  Upon trying the command above for a remote PC I get:

    ERROR: Description = Access is denied.

    When trying out the command 'WMIC computersystem get totalphysicalmemory' on the local PC it works fine and returns the total memory.

    Monday, June 11, 2012 12:31 PM
  • can you check windows firewall.

    Monday, June 11, 2012 1:08 PM
  • Yes Windows Firewall has been disabled via Group Policy and I've been assured by my Network Engineer that we have not implemented any port blocking mechanism s in the past couple of months.
    Monday, June 11, 2012 7:08 PM
  • Step 1. DCOM permission

     

    1. Open Dcomcnfg
    2. Expand Component Service -> Computers -> My computer
    3. Go to the properties of My Computer
    4. Select the COM Security Tab
    5. Click on "Edit Limits" under Access Permissions, and ensure "Everyone" user group has "Local Access" and "Remote Access" permission.
    6. Click on the "Edit Limit" for the launch and activation permissions, and ensure "Everyone" user group has "Local Activation" and "Local Launch" permission.
    7. Highlight "DCOM Config" node, and right click "Windows Management and Instruments", and click Properties.
    8. <Please add the steps to check Launch and Activation Permissions, Access Permissions, Configuration Permissions based on the default of Windows Server 2008>

     

    Step 2. Permission for the user to the WMI namespace

     

    1. Open WMImgmt.msc
    2. Go to the Properties of WMI Control
    3. Go to the Security Tab
    4. Select "Root" and open "Security"
    5. Ensure "Authenticated Users" has "Execute Methods", "Provider Right" and "Enable Account" right; ensure Administrators has all permission.

     

    Step 3. Verify WMI Impersonation Rights

     

    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Under Local Computer Policy, expand Computer Configuration, and then expand Windows Settings.
    3. Expand Security Settings, expand Local Policies, and then click User Rights Assignment.
    4. Verify that the SERVICE account is specifically granted Impersonate a client after authentication rights. 

    I appreciate your time and effort.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, June 11, 2012 7:21 PM
  • Thank you for trying.  I've gone through and verified these are the correct settings on serveral of my workstations and still yield the same "Access Denied" results. 
    Tuesday, June 12, 2012 1:06 PM
  • This article might help in troubleshooting.

    http://technet.microsoft.com/en-us/library/ee692772.aspx

    On XP and above you can use the following command to rebuild the WMI repository:

    rundll32 wbemupgd, UpgradeRepository

    The following commands reinstall WMI in the registry:

    winmgmt /clearadap
    winmgmt /kill
    winmgmt /unregserver
    winmgmt /regserver
    winmgmt /resyncperf

         

    Richard Mueller - MVP Directory Services

    Tuesday, June 12, 2012 4:19 PM
  • I know this thread is old, but was top on the search hit list, so I thought I would add to it.

    I had issues with a new 2008 R2 server build giving Access Denied errors. I found an article referencing winrm. I ran winrm quickconfig and it returned an error saying that the time didn't match. Sure enough, the time was about 8 minutes off. I corrected the time and issue was resolved.

    Odd that I didn't receive errors when logging in to the domain with the time issue and that it only affected remote WMI calls.

    Ernie

    Friday, June 13, 2014 6:35 PM
  • Thank you!

    I ran winrm quickconfig and was prompted to configure LocalAccountTokenFilterPolicy to grant admin rights remotely to local users

    • Proposed as answer by 'Avi' Wednesday, December 09, 2015 12:29 PM
    Monday, August 04, 2014 7:19 PM
  • This helped when accessing server 2012 r2 standalone wmi remotely with local user.
    Wednesday, December 09, 2015 12:29 PM
  • This should really be the first thing to check, before the laborious process of checking WMI and Dcom permissions. When I ran winrm quickconfig, it reported that remote access was turned off and turned it on for me. 

    If you are using the Windows firewall, this command will also configure the appropriate rules within the firewall.
    Wednesday, July 20, 2016 3:34 PM