Remote WMI Connection Issue on Windows Server 2008 R2


You may also need to set the ACLs for the object you are trying to query. See http://msdn.microsoft.com/en-us/library/aa374872%28v=vs.85%29.aspx

I've had to do this in the past for access to MS services, event logs, etc.

EDIT:

In a nutshell, you may need to set ACLs for the WMI objects you are trying to access, using an administrative account, before you can access them via an unprivileged account.

This is how I set it up in our environment:

Configure DCOM

  • On the server to be managed click Start, click Run, type DCOMCNFG, and then click OK.
  • In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  • In the My Computer Properties dialog box, click the COM Security tab.
  • Under Launch and Activation Permissions, click Edit Limits.
  • In the Launch Permission dialog box, select 'Distributed COM Users'. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
  • Under Access Permissions, click Edit Limits.
  • In the Access Permission dialog box, select 'Distributed COM Users'. In the Allow column under Permissions for User, select Remote Access, and then click OK.
  • Add the user account to the Distributed COM Users Group in Computer Management, Local Users and Groups on the Server to be managed.
  • Add the user account to the Performance Log Users Group in Computer Management, Local Users and Groups on the Server to be managed.

Configure WMI

  • On the server to be managed click Start, click Run, type wmimgmt.msc, and then click OK.
  • In the console tree, right-click WMI Control, and then click Properties.
  • Click the Security tab.
  • Select the Root namespace and then click Security.
  • In the Security dialog box, click Add.
  • In the Select Users, Computers, or Groups dialog box, enter the user account. Click the Check Names button to verify your entry and then click OK.
  • In the Security dialog box, under Permissions, select 'Enable Account' and 'Remote Enable' for the user account.
  • Ensure the permissions propagate to all subnamespaces.

Much of the above can be done (automated) using group policies.

Now, to set the ACLs for services you can do something like:

sc sdshow SCMANAGER

... to get the ACL for the service manager. This will take care of access to most Windows services. You'll then want to add an ACL for the user account from above, which will look something like the following:

sc sdset SCMANAGER D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-000000000-0000000000-0000000000-0000)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

... where the bold part is the UID of the user account making the request.

Event logs work a bit differently, but you can use 'wevtutil' to set ACLs on them. Other objects may have different ways to set them as well.

Troubleshoot incrementally, first get queries working locally with your user account, then get them working remotely.
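As an added example (not part of the answer above, and not a Microsoft script), here is a PowerShell helper that follows the answer's "audit first, then grant" approach for both objects it discusses: it decodes the SDDL string that `sc sdshow SCMANAGER` prints into per-account rights, builds the new descriptor by inserting a read-only ACE (CC, LC, RP, RC) with the .NET security classes instead of hand-editing the string, and reports who holds 'Enable Account' and 'Remote Enable' on a WMI namespace, including whether each ACE propagates to subnamespaces. The sample SDDL is the baseline from the answer with the account ACE removed, the SID is a constructed placeholder, and `Get-WmiNamespaceAceReport` must run on the managed server with an administrative account; the function names are this example's own.

```powershell
# Added example: audit and build SCM / WMI permissions without hand-editing SDDL.

# Service Control Manager access bits (Winsvc.h) plus the standard/generic
# rights that also show up in "sc sdshow" output; comments give the SDDL letters.
$ScmRights = [ordered]@{
    SC_MANAGER_CONNECT            = 0x00001      # CC
    SC_MANAGER_CREATE_SERVICE     = 0x00002      # DC
    SC_MANAGER_ENUMERATE_SERVICE  = 0x00004      # LC
    SC_MANAGER_LOCK               = 0x00008      # SW
    SC_MANAGER_QUERY_LOCK_STATUS  = 0x00010      # RP
    SC_MANAGER_MODIFY_BOOT_CONFIG = 0x00020      # WP
    DELETE                        = 0x10000      # SD
    READ_CONTROL                  = 0x20000      # RC
    WRITE_DAC                     = 0x40000      # WD
    WRITE_OWNER                   = 0x80000      # WO
    GENERIC_ALL                   = 0x10000000   # GA
}

# WMI namespace rights as shown in the wmimgmt.msc Security dialog (WbemCli.h).
$WmiRights = [ordered]@{
    'Enable Account'  = 0x00001   # WBEM_ENABLE
    'Execute Methods' = 0x00002   # WBEM_METHOD_EXECUTE
    'Full Write'      = 0x00004   # WBEM_FULL_WRITE_REP
    'Partial Write'   = 0x00008   # WBEM_PARTIAL_WRITE_REP
    'Provider Write'  = 0x00010   # WBEM_WRITE_PROVIDER
    'Remote Enable'   = 0x00020   # WBEM_REMOTE_ACCESS
    'Read Security'   = 0x20000   # READ_CONTROL
    'Edit Security'   = 0x40000   # WRITE_DAC
}

function ConvertTo-ScmAceReport {
    # Decode the DACL of an "sc sdshow" string into one row per trustee.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = '(unresolved)'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        $rights = $ScmRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        [pscustomobject]@{
            Type    = $ace.AceType
            Sid     = $sid.Value
            Account = $name
            Mask    = ('0x{0:X}' -f $ace.AccessMask)
            Rights  = ($rights -join ', ')
        }
    }
}

function New-ScmSddlWithReadAce {
    # Append an allow ACE granting only CC+LC+RP+RC (connect, enumerate,
    # query lock status, read control) to the given SID, and return the SDDL.
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string]$Sid)
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $mask = $ScmRights.SC_MANAGER_CONNECT -bor $ScmRights.SC_MANAGER_ENUMERATE_SERVICE -bor
            $ScmRights.SC_MANAGER_QUERY_LOCK_STATUS -bor $ScmRights.READ_CONTROL
    $ace  = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask,
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)),
        $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    # Access masks may come back in hex (0x20015) rather than letters; sc sdset accepts both.
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-WmiNamespaceAceReport {
    # Read the namespace security descriptor via __SystemSecurity (needs admin on the server).
    param([string]$Namespace = 'root', [string]$ComputerName = '.')
    $result = Invoke-WmiMethod -Namespace $Namespace -ComputerName $ComputerName `
        -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
    foreach ($ace in $result.Descriptor.DACL) {
        $type   = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        $rights = $WmiRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        [pscustomobject]@{
            Type          = $type
            Account       = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Sid           = $ace.Trustee.SIDString
            Subnamespaces = (($ace.AceFlags -band 0x2) -ne 0)   # CONTAINER_INHERIT_ACE
            Rights        = ($rights -join ', ')
        }
    }
}

# Constructed sample: the answer's baseline descriptor before the account ACE is added.
$sampleSddl = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
$placeholderSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # placeholder, not a real account

ConvertTo-ScmAceReport -Sddl $sampleSddl | Format-Table -AutoSize
New-ScmSddlWithReadAce -Sddl $sampleSddl -Sid $placeholderSid        # paste into: sc sdset SCMANAGER <sddl>
# On the managed server:  Get-WmiNamespaceAceReport -Namespace root | Format-Table -AutoSize
```

Running the report before `sc sdset` shows that Builtin Administrators already hold KA (all 0xF003F bits) while Interactive and Service users hold only the read set, which is the same set the new ACE grants; if the audited account is already in Administrators, no extra ACE is needed, as the comments below also point out. The WMI report's Subnamespaces column corresponds to the "propagate to all subnamespaces" step in the answer.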

Author: Elitecoder

A Master's Student at University of Florida. Apart from Course Work, I am a T-Kernel Enthusiast and a Ruby Fan.

Updated on September 18, 2022

Comments

  • Elitecoder
    Elitecoder almost 2 years

    I just did a clean install of Windows Server 2008 R2 (x64). I have an application that talks to the server using Remote DCOM communication and queries some WMI objects. All is good while I use the Administrator login to do the WMI comm.

    It just doesn't seem to work when I add a new user in Administrator Group (by selecting the user to be Admin in the new user creation GUI). I have provided the DCOM remote access permissions to the user (using http://jintegra.intrinsyc.com/support/com/doc/remoteaccess.html), and WMI access permissions as well (using http://www.poweradmin.com/help/enableWMI.aspx). I have also found the renegade registry key on Server 2008 R2 and made the newly created user the owner and granted all rights (using http://www.opennms.org/wiki/WmiConfiguration#Windows_2008_R2).

    Even then, when I try to connect, I cannot go through all the way. I know this because I looked at the windows security logs and I could see a successful Credential Validation, Special Logon and Logon events.

    But, I am just unable to proceed further. I get the error, could not connect to the host and then I get logged off (found from the security logs).

    I don't even know which service is not allowing me access. Has someone dealt with this issue before? If you have a quick answer, that would be great, otherwise, please tell me how to read the security logs or some other log properly to find out which service is denying me access.

    Also, all 3 firewalls, Domain/Public/Private are turned off.

    Thanks very much!!

    • tony roth
      tony roth almost 13 years
      so is the user that the application is going to runas an admin on the remote server? If so then none of what BCV says is necessary, you have another issue.
  • Elitecoder
    Elitecoder almost 13 years
    From what I understand from the link, ACLs are created programmatically. So do you suggest logging in as Admin, setting up an ACL and then logging again as any other user? Is that what you had to do for MS Services, etc.?
  • Elitecoder
    Elitecoder almost 13 years
    Thanks for the detailed answer BCV. Yes, I did have to modify the ACL. This link helped a lot - unlockpowershell.wordpress.com/2009/11/20/…