WMI - Access Denied when connecting from 2008R2, but fine from Win7 clients?
Hi there

We have an odd issue affecting our Windows 7 SP1 machines. We cannot connect to WMI from our 2008R2 server, but it works OK if we connect from other Windows 7 clients.

I have checked:
- Permissions in DCOM
- Port 135 is open and can connect via telnet from the 2008R2 server
- Distributed Transaction Coordinator service is started
- User is a domain user, in the local admins group on the client
- Firewall is disabled
- UAC is disabled
- Anti virus is not present
- Ran wmidiag.vbs and reported a few errors, mainly to do with inaccessible namespaces that appear to be related to security. Nothing jumped out.

I can connect to WMI locally from all machines, it's just remotely between 2008 and 7 that there seems to be issues. I cannot connect from Windows 7 to 2008, nor the other way, I get "win32:Access is denied" when viewing WMI Control in Computer Management.

What else should I be checking?

Thanks
August 31st, 2012 8:36am

Hi,

Please change the following registry for a test (on the machine that you want to remotely reboot).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

In the right pane, check value LocalAccountTokenFilterPolicy. If it exists, set its data to 1. If it doesn't exist, create a new DWORD (32-bit) Value and name it LocalAccountTokenFilterPolicy, then change its data to 1.

Meanwhile, I think the following articles may help you:
http://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa389286.aspx

Niki Han
TechNet Community Support
September 2nd, 2012 11:28pm

Hi Niki

I thought that key was only used when connecting to a machine with a local account where UAC was still enabled? If you re-read my original post, it states I am using a domain account in the local admins group, also UAC has been disabled as a troubleshooting step. Nevertheless, this key was added to the target and restarted - it didn't make any difference.

I have read both of those articles, they explain that I have everything set up as it should be, but I still can't connect from 2008 - from other Win7 clients or a 2003 server, I can connect fine.

Thanks
September 3rd, 2012 7:55am

I managed to resolve this - DCOM wasn't enabled on the server, but was on the Windows 7 clients. I didn't realise it needed to be enabled on the source machine, as well as the remote...
September 4th, 2012 10:54am
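
Added example, not part of the original thread: a local check for the condition that resolved it (DCOM disabled on the connecting machine), which also reports the troubleshooting changes mentioned above (LocalAccountTokenFilterPolicy set to 1, UAC disabled) so they can be reverted. The function names are hypothetical; it assumes the DCOM on/off switch is read from the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole.

```powershell
# Added example (not from the thread). Run locally on BOTH the connecting
# machine and the target, then compare the output.
# Uses only PowerShell 2.0 features (Windows 7 SP1 / Server 2008 R2).

function Get-RegValue {                      # hypothetical helper name
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null                             # value (or key) is absent
}

function Test-WmiDcomPrereq {                # hypothetical function name
    $ole    = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $enableDcom = Get-RegValue $ole    'EnableDCOM'                     # REG_SZ 'Y' / 'N'
    $latfp      = Get-RegValue $policy 'LocalAccountTokenFilterPolicy'  # DWORD
    $enableLua  = Get-RegValue $policy 'EnableLUA'                      # DWORD, 0 = UAC off

    $findings = @()
    if ($enableDcom -ne 'Y') {
        $findings += "DCOM is not enabled here (EnableDCOM='$enableDcom'); remote WMI needs it on both ends."
    }
    foreach ($name in 'RpcSs', 'Winmgmt') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            $findings += "Service $name is not running."
        }
    }
    if ($latfp -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: remote UAC token filtering for local accounts is off; delete the value if it was only set as a test.'
    }
    if ($enableLua -eq 0) {
        $findings += 'EnableLUA=0: UAC is disabled; re-enable it once troubleshooting is finished.'
    }
    if ($findings.Count -eq 0) { $findings += 'No local DCOM/WMI prerequisite problems found.' }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        EnableDCOM = $enableDcom
        Findings   = $findings
    } | Select-Object Computer, EnableDCOM, Findings
}

Test-WmiDcomPrereq | Format-List
```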

This topic is archived. No further replies will be accepted.
