kappel17


WMI Security Issues

Hello, I will be thrilled if someone can help me. I have a Windows environment: 7 Windows 2003 servers and approx. 200+ XP SP2 workstations. I am installing new software that requires WMI. WMI is working on all our servers, both locally and remotely; however, the workstations do not allow WMI locally or remotely. When I check the Security tab on WMI, it will not let me click it; better yet, it will not let me click any tabs on the WMI properties. Is there somewhere in my GPO or domain settings that will prevent me from changing the WMI settings? Any help is much appreciated.
graye

There is an "admin template" called MMCSnapins.admx that has a "WMI Control" option that turns off the ability to bring up the WMI control. I haven't tried it, but it appears to be similar to what you're describing.

Check this registry location to see if it's turned on for you:

HKCU\Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46}!Restrict_Run


kappel17

ASKER

graye - that would make sense. However, on any PC I checked, both in the domain and out of the domain, and on my servers, I can't get that registry key. It stops at Microsoft - I do not have any keys for MMC.

Well, the lack of that registry key just means you don't have that policy enabled (which is a good thing).

Are you in the local administrators group on the PCs where that WMI configuration doesn't work?

Have you tried launching the WMI "snap in" by hand (by starting with just a blank MMC, and then adding the WMI snap in)?
graye,

Couple more clues:

1.) I am part of the local admins, and even logging in as local administrator to the PC does not work.
2.) I am on my XP machine that is off the domain, and I am also missing that registry key you mentioned; however, my WMI works just fine.
3.) I tried a blank MMC, then added the WMI snap in, and I still cannot connect to WMI because access is denied, even logged in as computer administrator.
Here's the log from WMIDiag if this helps:

1500 16:45:16 (0) ** WMIDiag v2.0 started on Thursday, July 24, 2008 at 16:44.
.1501 16:45:16 (0) **
.1502 16:45:16 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - January 2007.
.1503 16:45:16 (0) **
.1504 16:45:16 (0) ** This script is not supported under any Microsoft standard support program or service.
.1505 16:45:16 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
.1506 16:45:16 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
.1507 16:45:16 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
.1508 16:45:16 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
.1509 16:45:16 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
.1510 16:45:16 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
.1511 16:45:16 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
.1512 16:45:16 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
.1513 16:45:16 (0) ** of the possibility of such damages.
.1514 16:45:16 (0) **
.1515 16:45:16 (0) **
.1516 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1517 16:45:16 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
.1518 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1519 16:45:16 (0) **
.1520 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1521 16:45:16 (0) ** Windows XP - Service pack 2 - 32-bit (2600) - User 'PINNACLE\MKAPPEL' on computer 'MA1001'.
.1522 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1523 16:45:16 (0) ** Environment: ........................................................................................................ OK..
.1524 16:45:16 (0) ** There are no missing WMI system files: .............................................................................. OK.
.1525 16:45:16 (0) ** There are no missing WMI repository files: .......................................................................... OK.
.1526 16:45:16 (0) ** WMI repository state: ............................................................................................... NOT TESTED.
.1527 16:45:16 (0) ** BEFORE running WMIDiag:
.1528 16:45:16 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
.1529 16:45:16 (0) ** - Disk free space on 'C:': .......................................................................................... 73507 MB.
.1530 16:45:16 (0) **   - INDEX.BTR,                     1343488 bytes,      6/11/2008 2:21:52 AM
.1531 16:45:16 (0) **   - INDEX.MAP,                     700 bytes,          7/24/2008 4:44:33 PM
.1532 16:45:16 (0) **   - MAPPING.VER,                   4 bytes,            7/24/2008 4:44:34 PM
.1533 16:45:16 (0) **   - MAPPING1.MAP,                  3564 bytes,         7/24/2008 4:44:33 PM
.1534 16:45:16 (0) **   - MAPPING2.MAP,                  3564 bytes,         7/24/2008 4:41:55 PM
.1535 16:45:16 (0) **   - OBJECTS.DATA,                  5840896 bytes,      6/11/2008 2:21:52 AM
.1536 16:45:16 (0) **   - OBJECTS.MAP,                   2876 bytes,         7/24/2008 4:44:33 PM
.1537 16:45:16 (0) ** AFTER running WMIDiag:
.1538 16:45:16 (0) ** The WMI repository has a size of: ................................................................................... 7 MB.
.1539 16:45:16 (0) ** - Disk free space on 'C:': .......................................................................................... 73507 MB.
.1540 16:45:16 (0) **   - INDEX.BTR,                     1343488 bytes,      6/11/2008 2:21:52 AM
.1541 16:45:16 (0) **   - INDEX.MAP,                     700 bytes,          7/24/2008 4:44:33 PM
.1542 16:45:16 (0) **   - MAPPING.VER,                   4 bytes,            7/24/2008 4:44:34 PM
.1543 16:45:16 (0) **   - MAPPING1.MAP,                  3564 bytes,         7/24/2008 4:44:33 PM
.1544 16:45:16 (0) **   - MAPPING2.MAP,                  3564 bytes,         7/24/2008 4:41:55 PM
.1545 16:45:16 (0) **   - OBJECTS.DATA,                  5840896 bytes,      6/11/2008 2:21:52 AM
.1546 16:45:16 (0) **   - OBJECTS.MAP,                   2876 bytes,         7/24/2008 4:44:33 PM
.1547 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1548 16:45:16 (2) !! WARNING: Windows Firewall Service: .................................................................................. STOPPED.
.1549 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1550 16:45:16 (0) ** DCOM Status: ........................................................................................................ OK.
.1551 16:45:16 (0) ** WMI registry setup: ................................................................................................. OK.
.1552 16:45:16 (0) ** INFO: WMI service has dependents: ................................................................................... 2 SERVICE(S)!
.1553 16:45:16 (0) ** - Security Center (WSCSVC, StartMode='Automatic')
.1554 16:45:16 (0) ** - Windows Firewall/Internet Connection Sharing (ICS) (SHAREDACCESS, StartMode='Disabled')
.1555 16:45:16 (0) ** => If the WMI service is stopped, the listed service(s) will have to be stopped as well.
.1556 16:45:16 (0) **    Note: If the service is marked with (*), it means that the service/application uses WMI but
.1557 16:45:16 (0) **          there is no hard dependency on WMI. However, if the WMI service is stopped,
.1558 16:45:16 (0) **          this can prevent the service/application to work as expected.
.1559 16:45:16 (0) **
.1560 16:45:16 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
.1561 16:45:16 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
.1562 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1563 16:45:16 (0) ** WMI service DCOM setup: ............................................................................................. OK.
.1564 16:45:16 (0) ** WMI components DCOM registrations: .................................................................................. OK.
.1565 16:45:16 (0) ** WMI ProgID registrations: ........................................................................................... OK.
.1566 16:45:16 (0) ** WMI provider DCOM registrations: .................................................................................... OK.
.1567 16:45:16 (0) ** WMI provider CIM registrations: ..................................................................................... OK.
.1568 16:45:16 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
.1569 16:45:16 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
.1570 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1571 16:45:16 (0) ** Overall DCOM security status: ....................................................................................... OK.
.1572 16:45:16 (0) ** Overall WMI security status: ........................................................................................ OK.
.1573 16:45:16 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
.1574 16:45:16 (0) ** WMI permanent SUBSCRIPTION(S): ...................................................................................... NONE.
.1575 16:45:16 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
.1576 16:45:16 (1) !! ERROR: WMI ADAP status: ............................................................................................. NOT AVAILABLE.
.1577 16:45:16 (0) **    You can start the WMI AutoDiscovery/AutoPurge (ADAP) process to resynchronize
.1578 16:45:16 (0) **    the performance counters with the WMI performance classes with the following commands:
.1579 16:45:16 (0) **    i.e. 'WINMGMT.EXE /CLEARADAP'
.1580 16:45:16 (0) **    i.e. 'WINMGMT.EXE /RESYNCPERF'
.1581 16:45:16 (0) **    The ADAP process logs informative events in the Windows NT event log.
.1582 16:45:16 (0) **    More information can be found on MSDN at:
.1583 16:45:16 (0) **    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_adap_event_log_events.asp
.1584 16:45:16 (1) !! ERROR: WMI MONIKER CONNECTION errors occured for the following namespaces: .......................................... 1 ERROR(S)!
.1585 16:45:16 (0) ** - Root, 0x46 - Permission denied.
.1586 16:45:16 (0) **
.1587 16:45:16 (1) !! ERROR: WMI CONNECTION errors occured for the following namespaces: .................................................. 5 ERROR(S)!
.1588 16:45:16 (0) ** - Root, 0x80070005 - Access is denied..
.1589 16:45:16 (0) ** - Root, 0x80070005 - Access is denied..
.1590 16:45:16 (0) ** - Root/Default, 0x80070005 - Access is denied..
.1591 16:45:16 (0) ** - Root/CIMv2, 0x80070005 - Access is denied..
.1592 16:45:16 (0) ** - Root/WMI, 0x80070005 - Access is denied..
.1593 16:45:16 (0) **
.1594 16:45:16 (0) ** WMI GET operations: ................................................................................................. OK.
.1595 16:45:16 (0) ** WMI MOF representations: ............................................................................................ OK.
.1596 16:45:16 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
.1597 16:45:16 (0) ** WMI ENUMERATION operations: ......................................................................................... OK.
.1598 16:45:16 (0) ** WMI EXECQUERY operations: ........................................................................................... OK.
.1599 16:45:16 (0) ** WMI GET VALUE operations: ........................................................................................... OK.
.1600 16:45:16 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
.1601 16:45:16 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
.1602 16:45:16 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
.1603 16:45:16 (0) ** WMI static instances retrieved: ..................................................................................... 0.
.1604 16:45:16 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
.1605 16:45:16 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 0.
.1606 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1607 16:45:16 (0) **
.1608 16:45:16 (0) ** 1 error(s) 0x46 - (WBEM_UNKNOWN) This error code is external to WMI.
.1609 16:45:16 (0) **
.1610 16:45:16 (0) ** 5 error(s) 0x80070005 - (WBEM_UNKNOWN) This error code is external to WMI.
.1611 16:45:16 (0) ** => This error is not a WMI error. It is typically due to:
.1612 16:45:16 (0) **    - The DCOM security modifications.
.1613 16:45:16 (0) **      => Ensure that DCOM security configuration settings are not modified.
.1614 16:45:16 (0) **    - The user running WMIDiag has not enough privileges or rights to issue requests
.1615 16:45:16 (0) **      against software components exposing information through WMI.
.1616 16:45:16 (0) **      => Ensure that no third party applications installing additional WMI providers have
.1617 16:45:16 (0) **         specific security requirements (i.e. group membership, privileges, etc ...)
.1618 16:45:16 (0) **    - The 'Impersonate Client after authentication' Local Policy is disabled or the
.1619 16:45:16 (0) **      'SERVICE' account has been removed from that Local Policy.
.1620 16:45:16 (0) **      => You must add the 'SERVICE' account to the 'Impersonate Client after authentication'
.1621 16:45:16 (0) **         Local Policy in the 'Local Policies/User Right Assignments' MMC snap-in (GPEDIT.MSC).
.1622 16:45:16 (0) **         By default, this Local Policy includes the 'SERVICE' account.
.1623 16:45:16 (0) **
.1624 16:45:16 (0) ** => Errors starting with 0x8007 are Win32 errors, NOT WMI errors. More information can be found
.1625 16:45:16 (0) **    with the 'NET.EXE HELPMSG <dddd>' command, where <dddd> is the last four hex digits (0x0005)
.1626 16:45:16 (0) **    converted in decimal (5).
.1627 16:45:16 (0) **    - NET HELPMSG 5
.1628 16:45:16 (0) **
.1629 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1630 16:45:16 (0) ** WMI Registry key setup: ............................................................................................. OK.
.1631 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1632 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1633 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1634 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1635 16:45:16 (0) **
.1636 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1637 16:45:16 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
.1638 16:45:16 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
.1639 16:45:16 (0) **
.1640 16:45:16 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!.  Check 'C:\DOCUMENTS AND SETTINGS\MKAPPEL\LOCAL SETTINGS\TEMP\WMIDIAG-V2.0_XP___.CLI.SP2.32_MA1001_2008.07.24_16.44.48.LOG' for details.
.1641 16:45:16 (0) **
.1642 16:45:16 (0) ** WMIDiag v2.0 ended on Thursday, July 24, 2008 at 16:45 (W:27 E:13 S:1).
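
An added example (not part of the thread and not part of WMIDiag): a short Python parser for the WMIDiag v2.0 line format pasted above. It pulls out the flagged findings and the per-namespace connection errors, and applies the log's own rule for 0x8007 codes to recover the Win32 error number. The sample lines are constructed from the format of this log, and the function names are illustrative.

```python
import re

# Constructed sample in the WMIDiag v2.0 line format shown in the post above.
SAMPLE_LOG = """\
.1548 16:45:16 (2) !! WARNING: Windows Firewall Service: ........ STOPPED.
.1571 16:45:16 (0) ** Overall DCOM security status: ........ OK.
.1584 16:45:16 (1) !! ERROR: WMI MONIKER CONNECTION errors occured for the following namespaces: ........ 1 ERROR(S)!
.1585 16:45:16 (0) ** - Root, 0x46 - Permission denied.
.1587 16:45:16 (1) !! ERROR: WMI CONNECTION errors occured for the following namespaces: ........ 5 ERROR(S)!
.1588 16:45:16 (0) ** - Root, 0x80070005 - Access is denied..
.1590 16:45:16 (0) ** - Root/Default, 0x80070005 - Access is denied..
.1591 16:45:16 (0) ** - Root/CIMv2, 0x80070005 - Access is denied..
"""

# ".<line no> <time> (<severity>) <**|!!> <text>"; the leading dot is optional.
LINE = re.compile(r"^\.?(\d+) (\d\d:\d\d:\d\d) \((\d)\) (\*\*|!!) ?(.*)$")
# "- <namespace>, <hex code> - <message>" rows under a CONNECTION error heading.
NS_ERR = re.compile(r"^- ([\w/]+), (0x[0-9A-Fa-f]+) - (.+?)\.*$")
DOT_LEADER = re.compile(r"\s*\.{3,}\s*")
FACILITY_WIN32 = 7  # the "7" in 0x8007xxxx


def decode_hresult(value):
    """Split an HRESULT into (failure bit, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF


def summarize(log_text):
    """Return (flagged findings, per-namespace connection errors)."""
    findings, ns_errors = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a WMIDiag report line
        marker, text = m.group(4), m.group(5)
        if marker == "!!":  # WMIDiag flags warnings and errors with "!!"
            level, _, rest = text.partition(":")
            findings.append((level, DOT_LEADER.sub(" ", rest.strip())))
            continue
        ns = NS_ERR.match(text)
        if ns:
            failed, facility, code = decode_hresult(int(ns.group(2), 16))
            is_win32 = failed and facility == FACILITY_WIN32
            ns_errors.append({
                "namespace": ns.group(1),
                "hresult": ns.group(2),
                # Low 16 bits in decimal, as used by "NET HELPMSG <dddd>".
                "win32_code": code if is_win32 else None,
                "message": ns.group(3),
            })
    return findings, ns_errors


if __name__ == "__main__":
    flagged, errors = summarize(SAMPLE_LOG)
    for level, message in flagged:
        print(level, "|", message)
    for e in errors:
        hint = f"net helpmsg {e['win32_code']}" if e["win32_code"] else "not a Win32 HRESULT"
        print(e["namespace"], e["hresult"], e["message"], "->", hint)
```
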
That's good information.... somebody/something has probably messed with your DCOM security settings

http://msdn.microsoft.com/en-us/library/aa910247.aspx
ASKER CERTIFIED SOLUTION
kappel17
This solution is only available to members.
I tried this on my win2k3 sp2 host without success.
I am now rejoining the domain to see if that helps propagate the local security policy (it didn't appear to get updated).

I did notice you appear to have added an "i" to your second string "wmi iD:(A;". I removed the "i" before the D, and the descriptor command executed successfully.

I still encountered the same failures in my WMIDiag log. :-(

What I did identify was related to the local security policies. Someone had modified several policies and not included the SYSTEM account where it was allowed by default.

I updated the Domain Controller local policies and performed a GPUpdate /Force /Sync.

This did not work either... I finally ended up taking the host out of the domain, modifying the security policies on the local host, then adding it back into the domain.

I am no longer getting the authentication errors from the WMIDIAG tool.
I am getting some performance errors that I think are related to my rebuild of the WMI:
54 errors all relating to the ROOT/SUBSCRIPTION space.
This solved the problem I was having re-installing my iSCSI initiator. However, need to chase down logical disk manager access rights :(