none
Get-WmiObject to remote computer fails with "rpc server is unavailable" and vice versa "Access denied"

    Question

  • Hi

    Still learning PowerShell remoting.
    Can access with remoting 2 computers (XPProf/SP3, Workgroup) perfect. Powershell2.0 (running as Administrator).
    Using Firewall ZoneAlarm not Windows Firewall (stopped).

    But when using Get-WMIObject always run into
    "rpc server is unavailable" in one direction and "Access denied" in the other direction.
    Searched the forum but didnt find infos.
    Switched off Firewalls: Still the same.
    So I'm stuck.

    Any help is appreciated.
    Beat

     

    Friday, December 31, 2010 9:05 AM

Answers

  • I found the following info on http://powershellcommunity.org/Forums/tabid/54/aff/1/aft/5076/afv/topic/Default.aspx and the machines mentioned were also XP. 

    1) Check that DCOM is enabled on both the host and the target PC. Check the following registry value on both computers:
    Key: HKLM\Software\Microsoft\OLE, value: EnableDCOM, should be set to 'Y'

    2) On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.

    3) Make sure that no remote access or WMI-related services have been disabled. On an XP machine, the following services should be running (or at least allowed to start on demand):

    COM+ Event System
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Remote Procedure Call (RPC) Locator
    Remote Registry
    Server
    Windows Management Instrumentation
    Windows Management Instrumentation Driver Extensions
    WMI Performance Adapter
    Workstation

    4) Also check to make sure that your antivirus software isn't running any type of fireall protocol that would be preventing access.

    There is also some good info on troubleshooting winrm and wsman here: http://www.computerperformance.co.uk/powershell/powershell_wsman.htm

    If none of this works then do as Olaf suggests and uninstall zone alarm as I have also seen issues where disabling it wasn't enough.

    Monday, January 3, 2011 3:39 AM

All replies

  • Found something: Reset in GPO Computer Configuration\Administrative Templates\Windows Components\WinRM\Client\Trusted Hosts to "NotConfigured" Instead set in Powershell: Set-Item WSMan:\localhost\Client\TrustedHosts * -force What is the difference? Can call now Invoke-Command {Get-WmiObject win32_bios} -ComputerName XXXX successfully But cant call Get-WmiObject win32_bios} -ComputerName XXXX Results in "access denied"
    Friday, December 31, 2010 9:45 AM
  • This might help, but there's basically 2 kinds of remoting in your case, there's the Invoke-Command remoting which uses the WS-MAN protocol and there's WMI remoting which uses WMI (RPC over TCP).  They are not really the same. 

    When you're doing this: Invoke-Command {Get-WmiObject ...} -ComputerName ... You are actually using WS-MAN to connect to the remote machine then the WMI call is being run locally.

    What exactly are you hoping to accomplish?

    Friday, December 31, 2010 6:56 PM
    Moderator
  • Hi Marco

    Just learning Remoting by reading a book and try to understand.

    The WMI remoting version generates always "access denied".
    Firewalls are not the problem since I switched them temporary off.
    I have no clue how to fix this. I'm looking for hints here.
    And the question:
    The GPO TrustedHosts setting and the Powershell TrustedHosts setting are storing the values not in the same place.
    If I do it in the GPO it does not work. It works only when set in Powershell. So what is the difference?

    Regards
    Beat

    Saturday, January 1, 2011 9:34 AM
  • Sorry, I'd have to research the GPO to know more about it...  But TrustedHosts should be the same.  PowerShell uses WinRM for its built-in remoting.

    We need to concentrate on one problem.  You should determine if you want to use WMI or PowerShell remoting.  They are different...  That's the best I can offer in a free community support forum.

    Sunday, January 2, 2011 4:59 PM
    Moderator
  • The Windows Firewall on the target computer may block this kind of Remote access, and the account which is executing the command should exist also on the remote system and have Administrator permissions.

    Between: Disabling ZoneAlarm may not be enough, I have seen cases, in which it had to be uninstalled to block no longer wanted communications.

    Best greetings from Germany
    Olaf

    Sunday, January 2, 2011 10:33 PM
  • I found the following info on http://powershellcommunity.org/Forums/tabid/54/aff/1/aft/5076/afv/topic/Default.aspx and the machines mentioned were also XP. 

    1) Check that DCOM is enabled on both the host and the target PC. Check the following registry value on both computers:
    Key: HKLM\Software\Microsoft\OLE, value: EnableDCOM, should be set to 'Y'

    2) On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.

    3) Make sure that no remote access or WMI-related services have been disabled. On an XP machine, the following services should be running (or at least allowed to start on demand):

    COM+ Event System
    Remote Access Auto Connection Manager
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Remote Procedure Call (RPC) Locator
    Remote Registry
    Server
    Windows Management Instrumentation
    Windows Management Instrumentation Driver Extensions
    WMI Performance Adapter
    Workstation

    4) Also check to make sure that your antivirus software isn't running any type of fireall protocol that would be preventing access.

    There is also some good info on troubleshooting winrm and wsman here: http://www.computerperformance.co.uk/powershell/powershell_wsman.htm

    If none of this works then do as Olaf suggests and uninstall zone alarm as I have also seen issues where disabling it wasn't enough.

    Monday, January 3, 2011 3:39 AM
  • The firewall may block the WMI and DCOM should be activated for the data client access. WMI uses Microsoft's Distributed Component Object Model (DCOM) to connect to and manage systems. You might have to configure some systemsto allow DCOM connections. Firewall settings and locked-down DCOM permissions can block WMI's ability to remotely manage systems.

    To enable WMI remotely, you must have local administrator rights on the remote computer. If you do not, access to that computer will be denied.
    Please take joe's step to enable DCOM and check permissions.

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Wednesday, January 5, 2011 3:27 AM
    Moderator
  • Hi Marco
    Its not the same.
    When I set it with PowerShell command I cant see the settings in GPO

    Wednesday, January 5, 2011 8:32 PM
  • Hi Olaf
    Thanks for the idea. I was thinking this too. But the ZoneAlarm logfile does not show entries.
    Did you see log entries?
    Your recommendation is the ultimate step I will try

    Regards
    Beat

    Wednesday, January 5, 2011 8:35 PM
  • Hi Joe

    This is a lot of information. Thank you.
    I checked all of it but still have the same. So I will dive into your links.
    Feedback later this takes some time.

    Regards
    Beat

    Wednesday, January 5, 2011 8:37 PM
  • Hi guys

    Thanks to your help I finally figured it out.

    The Firewall ZoneAlarm really blocked. I verified this in the log files of ZoneAlarm.
    Shutting down ZoneAlarm and using Windows Firewall (with configured exceptions) let me run into the next problem

    EventViewer ->System "DCOM was unable to communicate with the computer xxxxxxxx using any of the configured protocols"

    Configuring DCOM protocols in

    dcomcnfg  ->Component Services ->Computers ->My Computer ->Properties  ->Tab Default Protocols 
    Added Connection oriented TCP/IP and SPX.
    Now it works.

    Thanks a lot

    Tuesday, January 11, 2011 8:45 PM
  • Yo encontré estas recomendaciones que me sirvieron para poder consultar el servidor remoto.

    http://www.poweradmin.com/help/enablewmi.aspx

     Allow WMI through Windows firewall

    All users (including non-administrators) are able to query/read WMI data on the local computer.

    For reading WMI data on a remote server, a connection needs to be made from your management computer (where our monitoring software is installed) to the server that you're monitoring (the target server). If the target server is running Windows Firewall (aka Internet Connection Firewall) like what is shipped with Windows XP and Windows 2003, then you need to tell it to let remote WMI requests through<sup style="margin:0px;padding:0px;list-style:none;">2</sup>. This can only be done at the command prompt. Run the following on the target computer if it is running a Windows firewall:

          netsh firewall set service RemoteAdmin enable

    Como segunda opcion tambien se puede modificar el group policy y especificar que ips tendran acceso a consultar el WMI remotamente.

    https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx

    Using Group Policy

    To enable or disable the Remote administration exception
    1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

    2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.

    3. In the details pane, double-click Windows Firewall: Allow remote administration exception.

    4. In the Windows Firewall: Allow remote administration exception properties dialog box, on the Settings tab, click Enabled or Disabled.

    Saludos



    • Edited by Jvr ALex Monday, February 16, 2015 10:31 PM
    Monday, February 16, 2015 10:29 PM
  • Oddly enough, every time I tried to run my remote PS script against one of my servers, I was getting a 1097 Usernv error in the App EV. Correcting time settings fixed this issue for me. This was on a 2003 box, fwiw
    Monday, April 11, 2016 3:26 PM