Adam Ruth
asked this on November 13, 2009 14:22
Every time that I try to use the Admin Arsenal program for running commands or anything but the basics I get the WMI Access Denied error. I am a domain admin but it has been suggested to me that the program may not be running as my username.
Comments
WMI uses DCOM security which has its own settings independent of access for such things as file and registry. By default administrators have the necessary DCOM rights, but it sounds like the rights on your computers have been changed. The rights can be set using the Windows dcomcnfg tool, however this can only set rights locally so you would need to remote control the computer. Alternatively Admin Arsenal includes a command line program called dcomacls.exe which will set the rights remotely. The following command lines would set the needed rights for your account:
dcomacls \\computer\access-limits-remote allow domain\username
dcomacls \\computer\launch-limits-remote-launch allow domain\username
dcomacls \\computer\launch-limits-remote-activation allow domain\username
You could also set a group name instead of a user name.
I tried the suggestions that you made with the domain\username, domain\group, username, group, administrators contexts and I still get the error. All of these variations are administrators on the machine either locally or through the domain. I would like to see what the program itself is using for a username. Is there a way to set that? I hope that I am not asking a question that is already documented but I have not seen the solution yet.
It uses your current credentials, or the credentials you provide if you use "Run As..." to start the application.
You can verify WMI access by running wmic.exe, which is Microsoft's command line WMI access tool. Run something like this:
wmic /node:computername cpu list brief
against the computers in question. If you get an access denied error it will verify that you have a DCOM problem, otherwise it will help us to look elsewhere.
Also, you'll want to manually verify your DCOM security settings. Run dcomcnfg on one of the affected computers (expand Component Services -> Computers -> My Computer) right click on My Computer and click "Properties." Look through all of the options on the "COM Security" tab and ensure that your account (or a group you are in) has full rights. There may be a "deny" in there which is blocking you or some other setting.
I'm running into the same WMI access denied errors. I've tried everything on the posts that you suggested with the same results. When running wmic /node:computername cpu list brief
I get code = 0x80070005 Access is denied.
I'm trying this from an XP SP3 system to another XP SP3 system. I've uninstalled 3rd party firewall. The Windows firewall is off. I've executed the commands
dcomacls \\computer\access-limits-remote allow domain\username
dcomacls \\computer\launch-limits-remote-launch allow domain\username
dcomacls \\computer\launch-limits-remote-activation allow domain\username
I've checked dcomcnfg. I'm logged into the one machine with domain credentials that are part of domain admins. domain admins is part of the local admin group on the other machine.
I'm at a loss. Very frustrating.
Hmm. On how many computers are you seeing this problem? Please run dcomacls -view -viewproperty -computer %computerName% and send us the output. If you prefer to not post it here please send it to Support at adminarsenal.com.
I'm seeing this on all systems (approx. 100). I'm running this as an eval to see if it will be a viable solution for our environment. On one of the systems I get the following running the command you provided.
LL.LA + BUILTIN\Administrators
LL.LL + BUILTIN\Administrators
LL.RA + BUILTIN\Adminstrators
LL.RL + BUILTIN\Administrators
AL.L + Everyone
AL.R + Everyone
LL.LA + Everyone
LL.LL + Everyone
AL.L + NT AUTHORITY\ANONYMOUS LOGON
Enabled: True
Internet: False
Authentication: Connect
Impersonation: Identify
Reference: False
The only addition I've had on another system I was testing was my specific domain account listed in addition to the above.
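As an added example (not part of the original thread and not Admin Arsenal's own code), this Python script parses the dcomacls view output posted above and reports whether chosen principals hold the three remote rights that the earlier dcomacls commands set. The mapping of AL.R, LL.RL and LL.RA to those rights, the reading of "+" as allow and "-" as deny, and all function names are assumptions inferred from the thread.

```python
import re

# Sample: the ACL lines posted in the thread, copied as-is (property lines shortened).
SAMPLE = r"""LL.LA + BUILTIN\Administrators
LL.LL + BUILTIN\Administrators
LL.RA + BUILTIN\Adminstrators
LL.RL + BUILTIN\Administrators
AL.L + Everyone
AL.R + Everyone
LL.LA + Everyone
LL.LL + Everyone
AL.L + NT AUTHORITY\ANONYMOUS LOGON
Enabled: True
Impersonation: Identify
"""

# Assumed mapping from output codes to the rights named in the dcomacls commands.
REMOTE_RIGHTS = {
    "AL.R": "access-limits-remote",
    "LL.RL": "launch-limits-remote-launch",
    "LL.RA": "launch-limits-remote-activation",
}
ACE = re.compile(r"^(AL|LL)\.(\w+)\s+([+-])\s+(.+?)\s*$")

def parse_aces(text):
    """Return (right_code, sign, principal) per ACL line; property lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            aces.append((f"{m.group(1)}.{m.group(2)}", m.group(3), m.group(4)))
    return aces

def audit_remote_rights(text, principals):
    """Per remote right: 'allow', 'deny' (assumed '-' marker) or 'missing'."""
    wanted = {p.lower() for p in principals}
    result = {name: "missing" for name in REMOTE_RIGHTS.values()}
    for code, sign, who in parse_aces(text):
        name = REMOTE_RIGHTS.get(code)
        if name is None or who.lower() not in wanted:
            continue
        if sign == "-":
            result[name] = "deny"      # a deny entry overrides any allow
        elif result[name] != "deny":
            result[name] = "allow"
    return result

if __name__ == "__main__":
    print(audit_remote_rights(SAMPLE, ["BUILTIN\\Administrators", "Everyone"]))
```

Principal names are matched exactly (case-insensitively), so the LL.RA line, spelled "BUILTIN\Adminstrators" in the posted output, is reported as missing for BUILTIN\Administrators.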