WMI - Access Denied when connecting from 2008R2, but fine from Win7 clients?
Hi there
We have an odd issue affecting our Windows 7 SP1 machines. We cannot connect to WMI from our 2008R2 server, but it works OK if we connect from other Windows 7 clients. I have checked:
Permissions in DCOMPort 135 is open and can connect via telnet from the 2008R2 serverDistributed Transaction Coordinator service is startedUser is a domain user, in the local admins group on the clientfirewall is disabledUAC is disabledanti virus is not presentRan wmidiag.vbs and reported a few errors, mainly to do with inaccessible namespaces that appear to be related to security. Nothing jumped out.
I can connect to WMI locally from all machines, its just remotely between 2008 and 7 that there seems to be issues. I cannot connect from Windows 7 to 2008, nor the other way, I get "win32:Access is denied" when viewing WMI Control in Computer Management.
What else should I be checking?
Thanks
August 31st, 2012 8:36am
Hi,
Please change the following registry for a test (on the machine that you want to remotely reboot).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane, check value LocalAccountTokenFilterPolicy. If it exists, set its data to 1. If it doesn't exists, create a new DWORD (32-bit) Value and name it LocalAccountTokenFilterPolicy, then change its data to 1.
Meanwhile, I think the following articles may help you
http://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa389286.aspx
Niki
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
here
Niki Han
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
September 2nd, 2012 11:28pm
Hi,
Please change the following registry for a test (on the machine that you want to remotely reboot).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane, check value LocalAccountTokenFilterPolicy. If it exists, set its data to 1. If it doesn't exists, create a new DWORD (32-bit) Value and name it LocalAccountTokenFilterPolicy, then change its data to 1.
Meanwhile, I think the following articles may help you
http://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa389286.aspx
Niki
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
here
Niki Han
TechNet Community Support
September 2nd, 2012 11:32pm
Hi Niki
I thought that key was only used when connecting to machine with a local account where UAC was still enabled? If you re-read my original post, it states I am using a domain account in the local admins group, also UAC has been disabled as a troublehsooting
step.
Nevertheless, this key was added to the target and restarted - it didnt make any difference. I have read both of those articles, they explain that I have everything setup as it should be, but I still cant connect from 2008 - from other win7 clients or a
2003 server, I can connect fine.
Thanks
Free Windows Admin Tool Kit Click here and download it now
September 3rd, 2012 7:55am
Hi Niki
I thought that key was only used when connecting to machine with a local account where UAC was still enabled? If you re-read my original post, it states I am using a domain account in the local admins group, also UAC has been disabled as a troublehsooting
step.
Nevertheless, this key was added to the target and restarted - it didnt make any difference. I have read both of those articles, they explain that I have everything setup as it should be, but I still cant connect from 2008 - from other win7 clients or a
2003 server, I can connect fine.
Thanks
September 3rd, 2012 7:56am
I managed to resolve this - DCOM wasnt enabled on the server, but was on the Windows 7 clients. I didnt realise it needed to be enabled on the source machine, as well as the remote...
Free Windows Admin Tool Kit Click here and download it now
September 4th, 2012 10:54am