Solved

Access denied to remote machines when running RSoP, Group Policy Results Wizard and WMI.

Posted on 2008-06-26
19
6,474 Views
Last Modified: 2012-06-27
Hello..

We have a Windows 2003 Domain Environment and recently found that members of the Domain Administrators Group and the Administrator account can no longer run RSoP, Group Policy Results Wizard and WMI utilities for remote machines despite it working locally.

We can still map / manage services on remote machines with no issues.

I'm suspecting a corrupt Default GPO from what I have already read on the net, but I want to be sure and determine how this should be approached.

Thanks in advance

Ray
0
Comment
Question by:gelf
19 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21890113

Hi Ray,

You've checked the Windows Firewall for the Remote Administration Exception? Without that the Firewall will block access to WMI.

Otherwise, do you have a little more detail on the symptoms at all?

Chris
0
 

Author Comment

by:gelf
ID: 21890338
Hi Chris - thanks for the reply...

Windows firewall is actually disabled on all our clients.

Unfortunately, I don't have much more information with regards to the symptoms. I first discovered the problem whilst trying to run the Group Policy Results Wizard on a remote machine (for which I received access denied). From there, I tested remote access for WMI and RSoP and got the same error. All works fine when performing the same tests locally.

Initially, I thought this may have been related to XP Service Pack 3, but oddly it's the same for W2K clients. I have full domain access rights and nothing changes when using the Domain Administrator (GOD account).

Many Thanks

Ray
 

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21897761

Well that's quite... er... annoying.

What happens if you remotely connect using the local administrator account on the target PC? Same error?

Quickest way to check that is to grab this:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&displaylang=en

Then select Target Computer / Remote Computer. It'll prompt for a user name and password.

Chris
0
 

Author Comment

by:gelf
ID: 21897871
Hi Dave - thanks again for the reply..

Unfortunately, it's the same error using the local administrator account on the target machines - Access denied.

Tested for both the mmc and WMICodeCreator.exe.

Cheers

Ray
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21897990

I guess it's possible someone has applied a policy to lock it down.

Can you open up Component Services on an affected system. There are a couple of places we need to check:

Component Services / Computers / My Computer -> Properties
COM Security -> Edit Limits (both versions)

Defaults for that are:

Access Permissions:
    ANONYMOUS LOGON --> Local Access
    Everyone --> Local Access & Remote Access

Security Limits:
    Administrators --> (All)
    Everyone --> Local Launch & Local Activation

And you'll want to check:

Component Services / Computers / My Computer / DCOM Config / Windows Management and Instrumentation -> Properties

Launch and Activation Permissions:
    Everyone --> (All)

Access Permissions: (Use Default)

Configuration Permissions:
    Administrators --> (All)
    CREATOR OWNER --> (All)
    Power Users --> Read & "Special Permissions"
        Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete & Read Control
    SYSTEM --> (All)
    Users (Local) --> Read

Chris
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21898034
The 'RSOP Provider' service needs to be running on the DCs.
Modify the DC policy to start the 'RSOP Provider' service automatically.
0
 

Author Comment

by:gelf
ID: 21898151
Hi Chris - All permissions are as you stated but with the below addition / difference:

Component Services / Computers / My Computer -> Properties
COM Security -> Edit Limits (both versions)
Security Limits has an additional user:
     Offer Remote Assistance Helpers --> (ALL)
______________________________________________

Component Services / Computers / My Computer / DCOM Config / Windows Management and Instrumentation -> Properties
Configuration Permissions:
    CREATOR OWNER --> (NONE)


Many Thanks

Ray
0
 

Author Comment

by:gelf
ID: 21898165
Hi henjoh09,

The service was indeed set to Manual on all DCs. But after being set to Automatic and restarted, it's made no difference.

This used to work fine and I can't recall these services ever being enabled.

Cheers

Ray
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21898719

Hey Ray,

I should just check. The error code it's giving you is 0x80070005?

Chris
0

Author Comment

by:gelf
ID: 21898790
Hi Chris

I don't get anything within the Event Viewer and receive the following within the DOS prompt after executing:

C:\Documents and Settings\Application Datt.vbs(11, 1) SWbemLocator: Access is denied.

Hope this helps?

Ray
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21898900

Nothing in the Security Log for the attempt?

What about Antivirus Software? Those tend to block such a lot these days, I guess it's possible it's gone for this one as well.

Chris
0
 

Author Comment

by:gelf
ID: 21898929
Nothing is in the Security logs.. :-(

It's possible it's the AV - I will create a new machine and test again prior to AV being installed.

Will let you know how it goes.

Cheers

Ray
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21898941

Cool, thanks.

Chris
0
 

Author Comment

by:gelf
ID: 21902782
Hi Chris,

No difference without AV I'm afraid - certainly got me stumped. I suspect it may be a corrupt Default Domain Controllers GPO, what do you think?

Thanks

Ray
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21902967

Possible I guess, but potentially a bit painful.

It's dead easy to replace it using dcgpofix, might have a nasty side-effect if you have anything installed that might have modified it (like Exchange, for example).

I take it all DCs are in the Domain Controllers OU? Or have the policy applied to them? Basic I know, but always best to check in my experience :)

I'll have another think, must be something around to allow it to be set.

Chris
0
 

Expert Comment

by:drwtsn32
ID: 21952482
I have a similar problem and am in the midst of resolving it - it's not critical that I resolve it right away - and I have found a few possible reasons relating to DCOM security (as mentioned by Chris) or WMI issues.

So if WMI (which is what RSoP and GPMC depend on) is really messed up, this is possibly what you'll see when you launch wmimgmt.msc:
1. Run wmimgmt.msc, right-click WMI Control (Local) and then click Properties.
2. If the WMI service is configured correctly, the WMI Control will connect to WMI and display the Properties dialog box. On the General tab, you should see information about the operating system and the version of WMI.

You probably see "WIN32: Access Denied" instead.

How I solved this was checking DCOM security as explained by Chris.


You could check that DCOM security is the issue by enabling DCOM failure logging via the MS KB -> http://support.microsoft.com/kb/892500

1. Run regedit
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry subkey.
3. Right-click the Ole value, point to New, and then click DWORD Value.
4. Type ActivationFailureLoggingLevel, and then press ENTER. Double-click ActivationFailureLoggingLevel, type 1 in the Value data box, and then click OK.
5. Right-click the Ole value, point to New, and then click DWORD Value.
6. Type CallFailureLoggingLevel, and then press ENTER. Double-click CallFailureLoggingLevel, type 1 in the Value data box, and then click OK.

Try to run GPMC against the remote system - now check the System log to see if there are DCOM errors, event ID 10014.

If there are errors, check your DCs' DCOM security settings and also the remote machine's DCOM. Lastly, check whether there are any local policies / GPOs which are changing the DCOM security settings (if, for example, any portion of the DCOM security is greyed out).

Ensure that the remote machine's DCOM security is at default, i.e. default limits for both Access Permissions and Launch Permissions (the Everyone group) - the same as the settings which were applied to the DCs - again as per Chris's comments. Also check out this other MS KB.

http://support.microsoft.com/kb/914047

If it's WMI related and not DCOM, you might want to try the steps below:

http://support.microsoft.com/kb/932460

The last part of the KB mentions using the WMIDiag.vbs tool to diagnose errors. You can download it from MSFT. Hopefully it's because of DCOM.

FYI - I solved my issue by removing the GPO settings in my local policy. I found out there was a GPO setting which was applying DCOM security.

In my Local Computer Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

In the list of available policies, double-click "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax". In there I had the Everyone group removed - which had to be there. I simply removed all the settings from there and left it as Not Defined, and that fixed the problem.

I'm still troubleshooting certain systems which I can't run GPMC against - so the problem's not totally gone away. I could run a GPO against my entire OU or domain to lock down the correct settings as a solution, I guess.

Hope this helps. Cheers.
0
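An added example (not code from the thread) that ties Chris's "Edit Limits" checklist and drwtsn32's SDDL policy finding together: it decodes the machine-wide DCOM launch and access limits from the registry, flags the two deviations discussed above (Everyone stripped of Local Launch/Activation; Everyone without Remote Access, which remote WMI/RSoP needs), and switches on the KB 892500 failure logging so the next denied call leaves a DCOM event in the System log. Assumptions: run it elevated in PowerShell on the affected client; the policy-delivered SDDL is read from HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM (REG_SZ) and the locally edited limits from HKLM\SOFTWARE\Microsoft\Ole (REG_BINARY descriptors), which are the documented locations but should be confirmed on your build. Per-application permissions under DCOM Config (the WMI entry Chris lists second) are not decoded here.

```powershell
# Added example, not from the thread. Decode DCOM machine-wide limits and enable failure logging.
$OleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'                      # local "Edit Limits" values (assumed location)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' # GPO SDDL values (assumed location)
$Everyone  = 'S-1-1-0'

# COM_RIGHTS_* access-mask bits used in DCOM descriptors (SDDL CC/DC/LC/SW/RP)
$ComRight = @{ Execute = 1; Local = 2; Remote = 4; LocalActivation = 8; RemoteActivation = 16 }

function Convert-DcomMask {
    param([int]$Mask)
    $names = foreach ($n in 'Execute','Local','Remote','LocalActivation','RemoteActivation') {
        if ($Mask -band $ComRight[$n]) { $n }
    }
    return ($names -join '|')
}

function Get-DcomRestriction {
    # $Name is 'MachineLaunchRestriction' or 'MachineAccessRestriction'.
    # Policy wins over the locally edited value, so it is read first.
    param([string]$Name)
    $pol = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($pol) {   # REG_SZ holding SDDL text
        return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $pol.$Name
    }
    $loc = Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue
    if ($loc) {   # REG_BINARY holding a self-relative security descriptor
        return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$loc.$Name), 0
    }
    return $null  # neither set: the built-in default applies
}

function Show-DcomDescriptor {
    param([string]$Label, $Sd)
    "== $Label =="
    if (-not $Sd) { '   (not set in registry; built-in default in effect)'; return }
    foreach ($ace in $Sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: print it raw
        '   {0,-13} {1,-35} {2}' -f $ace.AceType, $who, (Convert-DcomMask $ace.AccessMask)
    }
}

function Test-EveryoneHas {
    # True if an AccessAllowed ACE for Everyone carries every bit in $Required.
    # An unset descriptor means the default, which does grant them.
    param($Sd, [int]$Required)
    if (-not $Sd) { return $true }
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $Everyone -and
            (($ace.AccessMask -band $Required) -eq $Required)) { return $true }
    }
    return $false
}

$launch = Get-DcomRestriction 'MachineLaunchRestriction'
$access = Get-DcomRestriction 'MachineAccessRestriction'
Show-DcomDescriptor 'Launch and Activation limits' $launch
Show-DcomDescriptor 'Access limits' $access

# Defaults as listed in the thread: Everyone = Local Launch + Local Activation in the
# launch limits, Everyone = Local + Remote Access in the access limits.
if (-not (Test-EveryoneHas $launch ($ComRight.Execute -bor $ComRight.Local -bor $ComRight.LocalActivation))) {
    Write-Warning 'Everyone lacks Local Launch/Activation in the launch limits (the GPO problem described above).'
}
if (-not (Test-EveryoneHas $access ($ComRight.Execute -bor $ComRight.Remote))) {
    Write-Warning 'Everyone lacks Remote Access in the access limits; remote WMI/RSoP will be denied.'
}

# KB 892500: log DCOM activation and call failures to the System event log
foreach ($v in 'ActivationFailureLoggingLevel','CallFailureLoggingLevel') {
    New-ItemProperty -Path $OleKey -Name $v -PropertyType DWord -Value 1 -Force | Out-Null
}
```

Run it, then repeat the failing remote RSoP/GPMC attempt and look in the System log for DCOM events (the 10014 mentioned above is the one to look for); the event names the CLSID/AppID and the account that was refused, which tells you whether the machine-wide limits decoded here or a per-application entry under DCOM Config is the one to fix.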
 

Author Comment

by:gelf
ID: 22002011
Hi - thanks for all your comments :)

I have found what is causing the issue... The Enable Distributed COM on this computer within Component Services (dcomcnfg) > Default Properties is not selected. Enabling this on those remote machines resolves the problem.

As this is enabled by default, I have absolutely no idea why this has gone to a disable state on my clients or what I have to do to revoke it back to the default "Enabled" - any ideas, is there a GPO that controls this?

Please see attached.

Thanks  again everyone..

Ray
Component-Services-Enable-COM.JPG
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 22002324
The administrative template for DCOM is located under "Computer Configuration\Administrative Templates\System\Distributed COM", but for some reason not that checkbox.
Looks like you need to create your own ADM based on the registry value described in http://support.microsoft.com/kb/825750, but set it to Y instead of N.
Export the registry value to a .reg file and use RegToAdm (http://yizhar.mvps.org/) to convert it to ADM.
0
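An added example (not the poster's own code) of what the accepted answer describes. The checkbox "Enable Distributed COM on this computer" is backed by the REG_SZ value HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM (Y or N, per KB 825750). The script checks and repairs it locally, surveys other clients over the Remote Registry service (which does not depend on DCOM, so it still answers on a machine where DCOM is off, consistent with Ray still being able to manage services remotely), and writes a hand-made ADM template that enforces the value by GPO without needing RegToAdm. The computer names in $Clients are placeholders, and the category, policy and string names inside the ADM are my own choices.

```powershell
# Added example, not from the thread. Check/repair EnableDCOM and build an ADM to enforce it.
$OleKey  = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Clients = @('CLIENT01', 'CLIENT02')   # placeholder computer names

function Get-DcomEnabled {
    # The value is normally absent or "Y"; only an explicit "N" disables DCOM.
    $v = (Get-ItemProperty -Path $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    return ($v -ne 'N')
}

function Enable-Dcom {
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'Y' -Type String
    # KB 825750: the change takes effect after a restart
}

function Get-RemoteDcomEnabled {
    # Reads the value through the Remote Registry service (RPC, not DCOM), so it works
    # against a client whose DCOM is disabled. Needs admin rights on the target.
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
        return ($key.GetValue('EnableDCOM') -ne 'N')
    } finally {
        $hklm.Close()
    }
}

# Part 1: the machine this runs on
if (-not (Get-DcomEnabled)) {
    Enable-Dcom
    Write-Warning 'EnableDCOM was N; set to Y. Restart required.'
}

# Part 2: find which clients still have DCOM off before pushing the GPO
foreach ($c in $Clients) {
    try   { '{0,-12} DCOM enabled: {1}' -f $c, (Get-RemoteDcomEnabled $c) }
    catch { '{0,-12} unreachable: {1}'  -f $c, $_.Exception.Message }
}

# Part 3: custom ADM. KEYNAME is outside the Policies branch, so the Group Policy editor
# treats the setting as a "preference" and hides it until you clear
# View > Filtering > "Only show policy settings that can be fully managed".
$adm = @'
CLASS MACHINE
CATEGORY !!DcomCat
    POLICY !!EnableDcomPolicy
        KEYNAME "SOFTWARE\Microsoft\Ole"
        EXPLAIN !!EnableDcomHelp
        VALUENAME "EnableDCOM"
        VALUEON  "Y"
        VALUEOFF "N"
    END POLICY
END CATEGORY

[strings]
DcomCat="Distributed COM (custom)"
EnableDcomPolicy="Enable Distributed COM on this computer"
EnableDcomHelp="Sets HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM to Y (Enabled) or N (Disabled). See KB 825750."
'@
Set-Content -Path (Join-Path $env:TEMP 'EnableDCOM.adm') -Value $adm -Encoding Ascii
```

Import the .adm via Add/Remove Templates on a GPO linked to the client OU and set the policy to Enabled only. Because VALUEOFF writes N, setting it to Disabled would switch DCOM off fleet-wide (the exact state being recovered from), so leave it at Enabled or Not Configured; and because the value is read at service start, clients need a reboot after the policy applies before remote WMI and RSoP come back.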
 

Author Comment

by:gelf
ID: 22050404
The problem was the Enable Distributed COM on this computer within Component Services (dcomcnfg) > Default Properties not being Enabled.

The solution was a custom .ADM template within Group Policy for all clients, as described within the MS article http://support.microsoft.com/kb/825750

Many Thanks for everyones input
0