• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7040

Access denied to remote machines when running RSoP, Group Policy Results Wizard and WMI.

Hello,

We have a Windows 2003 Domain Environment and recently found that members of the Domain Administrators Group and the Administrator account can no longer run RSoP, Group Policy Results Wizard and WMI utilities for remote machines despite it working locally.

We can still map \ manage services on remote machines with no issues.

I'm suspecting a corrupt Default GPO from what I have already read on the net, but I want to be sure and determine how this should be approached.

Thanks in advance

Ray
Asked by: gelf
1 Solution
 
Chris Dent (PowerShell Developer) commented:

Hi Ray,

You've checked the Windows Firewall for the Remote Administration Exception? Without that the Firewall will block access to WMI.

Otherwise, do you have a little more detail on the symptoms at all?

Chris
0
 
gelf (Author) commented:
Hi Chris - thanks for the reply...

Windows firewall is actually disabled on all our clients.

Unfortunately, I don't have much more information with regards to the symptoms. I first discovered the problem whilst trying to run the Group Policy Results Wizard on a remote machine (for which I received access denied). From there, I tested remote access for WMI and RSoP and got the same error. All works fine when performing the same tests locally.

Initially, I thought this may have been related to XP Service Pack 3, but oddly it's the same for W2K clients. I have full Domain Access rights and nothing changes when using the Domain Administrator (GOD account).

Many Thanks

Ray
 

0
 
Chris Dent (PowerShell Developer) commented:

Well that's quite... er... annoying.

What happens if you remotely connect using the local administrator account on the target PC? Same error?

Quickest way to check that is to grab this:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc30a64-ea15-4661-8da4-55bbc145c30e&displaylang=en

Then select Target Computer / Remote Computer. It'll prompt for a user name and password.

Chris
0
 
gelf (Author) commented:
Hi Dave - thanks again for the reply..

Unfortunately, it's the same error using the local administrator account on the target machines - Access denied.

Tested for both the mmc and WMICodeCreator.exe.

Cheers

Ray
0
 
Chris Dent (PowerShell Developer) commented:

I guess it's possible someone has applied a policy to lock it down.

Can you open up Component Services on an affected system? There are a couple of places we need to check:

Component Services / Computers / My Computer -> Properties
COM Security -> Edit Limits (both versions)

Defaults for that are:

Access Permissions:
    ANONYMOUS LOGON --> Local Access
    Everyone --> Local Access & Remote Access

Security Limits:
    Administrators --> (All)
    Everyone --> Local Launch & Local Activation

And you'll want to check:

Component Services / Computers / My Computer / DCOM Config / Windows Management and Instrumentation -> Properties

Launch and Activation Permissions:
    Everyone --> (All)

Access Permissions: (Use Default)

Configuration Permissions:
    Administrators --> (All)
    CREATOR OWNER --> (All)
    Power Users --> Read & "Special Permissions"
        Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete & Read Control
    SYSTEM --> (All)
    Users (Local) --> Read

Chris
0
 
Henrik Johansson (Systems engineer) commented:
The 'RSOP Provider' service needs to be running on the DCs.
Modify the DC policy to start the 'RSOP Provider' service automatically.
0
 
gelf (Author) commented:
Hi Chris - All permissions are as you stated but with the below addition / difference:

Component Services / Computers / My Computer -> Properties
COM Security -> Edit Limits (both versions)
Security Limits has an additional user:
     Offer Remote Assistance Helpers --> (ALL)
______________________________________________

Component Services / Computers / My Computer / DCOM Config / Windows Management and Instrumentation -> Properties
Configuration Permissions:
    CREATOR OWNER --> (NONE)


Many Thanks

Ray
0
 
gelf (Author) commented:
Hi henjoh09,

The service was indeed set to manual on all DCs. But after being set to Automatic and restarted, it's made no difference.

This used to work fine and I can't recall these services ever being enabled.

Cheers

Ray
0
 
Chris Dent (PowerShell Developer) commented:

Hey Ray,

I should just check. The error code it's giving you is 0x80070005?

Chris
0
 
gelf (Author) commented:
Hi Chris

I don't get anything within the event viewer and receive the following within the DOS prompt after executing:

C:\Documents and Settings\Application Datt.vbs(11, 1) SWbemLocator: Access is denied.

Hope this helps?

Ray
0
 
Chris Dent (PowerShell Developer) commented:

Nothing in the Security Log for the attempt?

What about antivirus software? Those tend to block such a lot these days that I guess it's possible it's gone for this one as well.

Chris
0
 
gelf (Author) commented:
Nothing is in the Security logs.. :-(

It's possible it's the AV - I will create a new machine and test again prior to AV being installed.

Will let you know how it goes.

Cheers

Ray
0
 
Chris Dent (PowerShell Developer) commented:

Cool, thanks.

Chris
0
 
gelf (Author) commented:
Hi Chris,

No difference without AV, I'm afraid - certainly got me stumped. I suspect it may be a corrupt Default Domain Controllers GPO, what do you think?

Thanks

Ray
0
 
Chris Dent (PowerShell Developer) commented:

Possible I guess, but potentially a bit painful.

It's dead easy to replace it using dcgpofix, but it might have a nasty side-effect if you have anything installed that might have modified it (like Exchange, for example).

I take it all DCs are in the Domain Controllers OU? Or have the policy applied to them? Basic I know, but always best to check in my experience :)

I'll have another think, must be something around to allow it to be set.

Chris
0
 
drwtsn32 commented:
I have a similar problem and, in the midst of resolving it (it's not critical that I resolve it right away), I have found a few possible reasons relating to DCOM security (as mentioned by Chris) or WMI issues.

So if WMI (which is what RSoP and GPMC depend on) is really messed up, possibly for you, when you launch wmimgmt.msc:
1. Run wmimgmt.msc, right-click WMI Control (Local) and then click Properties.
2. If the WMI service is configured correctly, the WMI Control will connect to WMI and display the Properties dialog box. On the General tab, you should see information about the operating system and the version of WMI.

You probably see "WIN32: Access Denied" instead.

How I solved this was by checking DCOM security as explained by Chris.


You could check that DCOM security is the issue by enabling the logging described in the MS KB -> http://support.microsoft.com/kb/892500

1. Run regedit
2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole registry subkey.
3. Right-click the Ole value, point to New, and then click DWORD Value.
4. Type ActivationFailureLoggingLevel, and then press ENTER. Double-click ActivationFailureLoggingLevel, type 1 in the Value data box, and then click OK.
5. Right-click the Ole value, point to New, and then click DWORD Value.
6. Type CallFailureLoggingLevel, and then press ENTER. Double-click CallFailureLoggingLevel, type 1 in the Value data box, and then click OK.

Try to run gpmc against the remote system - now check the System log to see if there are DCOM errors with event ID 10014.

If there are errors, check your DCs' DCOM security settings and also the remote machine's DCOM. Lastly, check whether there are any local policies / GPOs which are changing the DCOM security settings (if, for example, any portion of the DCOM security is greyed out).

Ensure that the remote machine's DCOM security is at default, i.e. default limits for both Access Permissions and Launch Permissions for the Everyone group - the same as the settings which were applied to the DCs - again as per Chris's comments. Also check out this other MS KB:

http://support.microsoft.com/kb/914047

If it's WMI related and not DCOM, you might want to try the steps below:

http://support.microsoft.com/kb/932460

The last part of the KB mentions using the WMIDiag.vbs tool to diagnose for errors. You can download it from MSFT. Hopefully it's because of DCOM.

FYI - I solved my issue by removing the GPO settings on my local policy. I found out there was a GPO setting which was applying DCOM security.

In my Local Computer Group Policy console, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

In the list of available policies, double-click "DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax". In there I had got the Everyone group removed - which had to be there. I simply removed all the settings from there and left it as Not Defined, and that fixed the problem.

I'm still troubleshooting certain systems which I can't run GPMC against - so the problem's not totally gone away. I could run a GPO against my entire OU or domain to lock down the correct settings as a solution, I guess.

Hope this helps. Cheers.
0
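The two DCOM checks in this thread (Chris's Edit Limits defaults, and drwtsn32's KB892500 logging plus event 10014 and the SDDL policy) can be done without clicking through dcomcnfg on each box. The following PowerShell script is an added example, not code from any participant: it reads the machine-wide limits that Edit Limits stores as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole (the MachineAccessRestriction and MachineLaunchRestriction values), decodes them to SDDL, checks whether Everyone still holds the default rights, optionally turns on the KB892500 failure logging, and pulls recent DCOM 10014 events. It deliberately uses Remote Registry and the event log RPC interface rather than WMI, because WMI is the thing that is returning Access denied. Assumptions: you are a local administrator on the target, the Remote Registry service is running there, and the COM_RIGHTS_* bit values are taken from the Windows SDK (objbase.h).

```powershell
# Added example (not from the thread): audit machine-wide DCOM limits on one computer.
# Assumes local admin on the target, Remote Registry reachable, PowerShell 2.0 or later.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$EnableFailureLogging     # set the two KB892500 logging values to 1
)

# DCOM access-mask bits (Windows SDK, objbase.h)
$COM_RIGHTS_EXECUTE         = 1
$COM_RIGHTS_EXECUTE_LOCAL   = 2
$COM_RIGHTS_EXECUTE_REMOTE  = 4
$COM_RIGHTS_ACTIVATE_LOCAL  = 8
$COM_RIGHTS_ACTIVATE_REMOTE = 16

# Decode a REG_BINARY security descriptor to SDDL (what the GPO setting shows).
function ConvertTo-Sddl([byte[]]$Bytes) {
    if (-not $Bytes) { return '(value absent: Windows built-in defaults apply)' }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Combined allow mask that one SID holds in the DACL; $null if no value, 0 if no ACE.
function Get-AllowMask([byte[]]$Bytes, [string]$Sid) {
    if (-not $Bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $mask = 0
    if ($sd.DiscretionaryAcl -ne $null) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
                $ace.SecurityIdentifier.Value -eq $Sid) {
                $mask = $mask -bor $ace.AccessMask
            }
        }
    }
    $mask
}

# True when the right is granted. A missing value means defaults; a legacy mask
# with only COM_RIGHTS_EXECUTE set (no local/remote bits) means "everything".
function Test-Right($Mask, [int]$Bit) {
    if ($Mask -eq $null) { return $true }
    if (($Mask -band 30) -eq 0) { return (($Mask -band $COM_RIGHTS_EXECUTE) -ne 0) }
    ($Mask -band $Bit) -ne 0
}

# Remote Registry runs over RPC/SMB, so it still works when DCOM/WMI is denied.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$ole  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole', $EnableFailureLogging.IsPresent)
if ($ole -eq $null) { throw "HKLM\SOFTWARE\Microsoft\Ole not found on $ComputerName" }

if ($EnableFailureLogging) {
    # KB892500: make DCOM write activation/call failures (e.g. event 10014) to the System log
    $ole.SetValue('ActivationFailureLoggingLevel', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $ole.SetValue('CallFailureLoggingLevel',       1, [Microsoft.Win32.RegistryValueKind]::DWord)
}

$everyone    = 'S-1-1-0'
$accessBytes = $ole.GetValue('MachineAccessRestriction')   # COM Security > Access Permissions > Edit Limits
$launchBytes = $ole.GetValue('MachineLaunchRestriction')   # COM Security > Launch and Activation > Edit Limits
$accessMask  = Get-AllowMask $accessBytes $everyone
$launchMask  = Get-AllowMask $launchBytes $everyone

New-Object PSObject -Property @{
    Computer              = $ComputerName
    EnableDCOM            = $ole.GetValue('EnableDCOM')      # 'Y' is the default
    AccessLimitsSddl      = ConvertTo-Sddl $accessBytes
    LaunchLimitsSddl      = ConvertTo-Sddl $launchBytes
    # Defaults from Chris's list: Everyone = Local & Remote Access, Local Launch & Local Activation
    EveryoneLocalAccess   = Test-Right $accessMask $COM_RIGHTS_EXECUTE_LOCAL
    EveryoneRemoteAccess  = Test-Right $accessMask $COM_RIGHTS_EXECUTE_REMOTE
    EveryoneLocalLaunch   = Test-Right $launchMask $COM_RIGHTS_EXECUTE_LOCAL
    EveryoneLocalActivate = Test-Right $launchMask $COM_RIGHTS_ACTIVATE_LOCAL
} | Format-List

# Recent DCOM failures after a GPMC/RSoP attempt (10014 is the one drwtsn32 refers to)
Get-EventLog -LogName System -ComputerName $ComputerName -Source DCOM -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 10014 } |
    Select-Object TimeGenerated, EventID, Message
```

Run it as `.\Get-DcomLimits.ps1 -ComputerName CLIENT01 -EnableFailureLogging` (script name and computer name are placeholders), then try the Group Policy Results Wizard against that client and run it again without the switch. A `False` in any of the Everyone columns, or an SDDL string that names a group other than the defaults, points at the COM Security limits or a policy that set them; `EnableDCOM = N` is the condition the asker eventually found. Remember to set the two logging values back to 0 once you are done, as the KB describes.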
 
gelf (Author) commented:
Hi - thanks for all your comments :)

I have found what is causing the issue... The "Enable Distributed COM on this computer" option within Component Services (dcomcnfg) > Default Properties is not selected. Enabling this on those remote machines resolves the problem.

As this is enabled by default, I have absolutely no idea why this has gone to a disabled state on my clients or what I have to do to revert it back to the default "Enabled" - any ideas, is there a GPO that controls this?

Please see attached.

Thanks  again everyone..

Ray
Attachment: Component-Services-Enable-COM.JPG
0
 
Henrik Johansson (Systems engineer) commented:
The administrative template for DCOM is located under "Computer Configuration\Administrative Templates\System\Distributed COM", but for some reason not that checkbox.
Looks like you need to create your own ADM based on the registry value described in http://support.microsoft.com/kb/825750, but set it to Y instead of N.
Export the registry value to a REG file and use RegToAdm (http://yizhar.mvps.org/) to convert it to ADM.
0
 
gelf (Author) commented:
The problem was the "Enable Distributed COM on this computer" option within Component Services (dcomcnfg) > Default Properties not being enabled.

The solution was a custom .ADM template within Group Policy for all clients as described within the MS article http://support.microsoft.com/kb/825750

Many thanks for everyone's input
0
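The accepted fix is a custom ADM that pushes the registry value behind that checkbox. As an added example (not the asker's template or Henrik's RegToAdm output), the script below first sweeps a list of clients over Remote Registry to find the ones where HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM has become N, so you know how widespread the problem is before touching Group Policy, and then writes an ADM file equivalent to what the KB825750 value looks like as a policy. The computer names and the output path are placeholders; the ADM syntax (CLASS, CATEGORY, KEYNAME, POLICY, VALUEON/VALUEOFF, [strings]) is the classic Windows 2000/2003 template format.

```powershell
# Added example (not from the thread): find clients with DCOM disabled, then
# generate a custom ADM that sets HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM.
# Assumptions: local admin on each client, Remote Registry service running there.
param(
    [string[]]$ComputerName = @('CLIENT01', 'CLIENT02'),   # placeholder names
    [string]$AdmPath = 'C:\Temp\EnableDCOM.adm'            # placeholder output path
)

# Read EnableDCOM without using WMI (WMI is exactly what fails when DCOM is off).
function Get-EnableDcom([string]$Computer) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $ole  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
        $val  = $ole.GetValue('EnableDCOM')
        if ($val -eq $null) { $val = 'Y (value absent, default)' }
        New-Object PSObject -Property @{ Computer = $Computer; EnableDCOM = $val; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Computer = $Computer; EnableDCOM = $null; Error = $_.Exception.Message }
    }
}

$report = $ComputerName | ForEach-Object { Get-EnableDcom $_ }
$report | Format-Table Computer, EnableDCOM, Error -AutoSize
$broken = @($report | Where-Object { $_.EnableDCOM -eq 'N' })
"{0} of {1} clients have Distributed COM disabled" -f $broken.Count, $ComputerName.Count

# Classic ADM: one policy that writes Y when Enabled and N when Disabled.
# EnableDCOM is REG_SZ, so VALUEON/VALUEOFF use quoted strings, not NUMERIC.
$adm = @'
CLASS MACHINE
CATEGORY !!DcomCat
    KEYNAME "SOFTWARE\Microsoft\Ole"
    POLICY !!EnableDcomPol
        EXPLAIN !!EnableDcomExplain
        VALUENAME "EnableDCOM"
        VALUEON  "Y"
        VALUEOFF "N"
    END POLICY
END CATEGORY

[strings]
DcomCat="Custom DCOM settings"
EnableDcomPol="Enable Distributed COM on this computer"
EnableDcomExplain="Writes HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM (see KB825750). Enabled = Y (the Windows default), Disabled = N."
'@
Set-Content -Path $AdmPath -Value $adm
"ADM written to $AdmPath"
```

Two things to know before importing the file: the Ole key is not under one of the Policies keys, so the Group Policy editor treats this setting as a preference and hides it until you turn off "Only show policy settings that can be fully managed" under View > Filtering; and for the same reason it tattoos the registry, so the value stays at whatever the GPO last wrote even after the GPO is unlinked. Setting the policy to Enabled, not just Not Configured, is therefore what actually repairs the clients in the sweep above.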
