GetWMI, Get WMI-Object: Access Denied 0x80070005 both Powershell & VBScript

Posted on 2010-08-27
Medium Priority
Last Modified: 2013-11-08

I need lots of help on this one, as I am stumped.  =(
I've been trying to run 2 scripts that do the same thing, just to make sure it wasn't a script issue (in vbscripts and powershell). The script retrieves IP/DNS info from a remote machine and then prints it out.  The problem is I am running into an ACCESS IS DENIED error in both scripts. I believe its because there are security permission issues with the WMI object. It runs fine locally but not remotely.

Some info:
- I am using a domain admin account
- I am running it off a Windows XP SP3 box, attempting to connect to a Windows 2008 Server
- Windows Firewall is disabled.

Some debugging I have done:
- Both script works LOCALLY, but NOT REMOTELY
- ran script from workstation to server, it fails
- ran script from server to server, and still fails
- ran script from workstation to itself, it works
- WBEMTEST fails as well even with domain & enterprise admin credentials
- DCOM and WINMGMT service is on and running on both test systems
- DCOM security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- WINS security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
-  Get_WMIObject -computername SERVERNAME -class "win32_process"   == Fails with same access denied error
-  gwmi win32_process -computername "SERVERNAME" -credential "domain\admin" == Fails with same access denied error
- Admins have full access to  Root/CIMV2 under the WMI control of the remote server.

I've attached both Powershell and VBScript code for reference.

VBS error: (on line 22 of first code snippet)
Number: 0x80070005
Facility: Win32
Description: Access is Denied

Under the Err object it spits out:
Error: 70
Description: Permission Denied
Source: Microsoft VBscript Runtime Error

Powershell error: (see attached BMP for full error)
Get-WMIObject: Access is Denied Exception from HResult: 0x80070005 (E_ACCESSDENIED)

Anyone have any other ideas as to what is causing this access denied issue?
' NAME: NIC_WMI_Config.vbs
' AUTHOR: pber, pber@pberblog.com
' DATE  : 6/6/2007
' COMMENT: <comment>
'On Error Resume Next
set args = WScript.Arguments
If args.Count = 0 Then
	strComputer = InputBox("Please enter a computer name","title", "MYSERVERNAME")
	strComputer = args(0)
end if

WScript.Echo "---START---"

'Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") <--- ERRORS HERE!!!!----

If Err.Number <> 0 Then
	WScript.Echo "Error: " & Err.Number
	WScript.echo "Desc: " & Err.Description
	WScript.Echo "Source: " & Err.Source
End If

'Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True and DHCPEnabled=False")
Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration")

For Each objNicConfig In colNicConfigs

WScript.Echo "---For Loop---"

'	If not objNicConfig.DHCPEnabled then
		WScript.Echo strComputer
		WScript.Echo "MAC:   " & objNicConfig.MACaddress
		strIP = objNicConfig.ipaddress(0)
		WScript.Echo "IP:    " & strIP
		If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
		   For i = 0 To UBound(objNicConfig.DNSServerSearchOrder)
		      WScript.Echo "DNS" & i+1 & ":  " & objNicConfig.DNSServerSearchOrder(i)
		End If
		WScript.Echo "WINS1:  " & objNicConfig.WINSPrimaryServer
		WScript.Echo "WINS2:  " & objNicConfig.WINSSecondaryServer
		Set objAssociator = objNicConfig.Associators_
		For Each oNICAssociator In objAssociator
			strDisplayName = GetInterface(oNICAssociator.Path_.DisplayName)
			wscript.echo strDisplayName
		strSubnet = GetSubnet(strip)
		WScript.Echo "Subnet: " & strsubnet

			strDNS1  = "psexec \\" & strComputer & " netsh interface ip set dns name=""" & strDisplayName & """ source=static addr= register=PRIMARY"
			strDNS2  = "psexec \\" & strComputer & " netsh interface ip add dns name=""" & strDisplayName & """ addr= index=1"

		strDump = "cmd /k psexec \\" & strComputer & " netsh interface ip dump"  'Export current IP Settings

		WScript.Echo strDNS1
		WScript.Echo strDNS2
		WScript.Echo strDump
		'set wshell = CreateObject("WScript.Shell") 
		'wshell.run strDNS1,0,1 '1,1 will wait for script to complete
		'wshell.run strDNS2,0,1 '1,1 will wait for script to complete

		'wshell.run strDump,1,1 '1,1 will wait for script to complete

		'set wshell = nothing 
'	end if

WScript.Echo "---END---"
 Function GetInterface(strPath)
 	Set objWMIService = GetObject(strPath)
 	GetInterface = objWMIService.netConnectionID
 End Function
 Function GetSubnet(strIP)
 	tmp = Split(strip,".")
 	GetSubnet = tmp(2)
 End Function

Open in new window

function Set-DNSWINS { 
$NICs = Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE" 
foreach($NIC in $NICs) {echo $_ $NIC.DNSServerSearchOrder} 
function Get-FileName { 
$computer = Read-Host "Filename of computer names?" 
return $computer 
$f = Get-FileName 
Get-Content $f | foreach {Set-DNSWINS}

Open in new window

Question by:ThinkPaper
  • 11
  • 4
  • 2
  • +1
LVL 10

Accepted Solution

rscottvan earned 2000 total points
ID: 33549706
From this article:

This error occurs when the connected user is not recognized or is restricted in some fashion by the remote server (for example, the user might be locked out). This happens most often when accounts are in different domains. Recent changes to WMI security can also cause this error to occur:

Blank passwords, formerly permitted, are not allowed in Windows XP and Windows Server 2003.

WMI does not allow asynchronous callbacks to a Windows 98 client. A call like SWbemServices.ExecNotificationQueryAsync from a Windows 98 computer to a Windows XP computer will result in an Access Denied error returned to the Windows 98 machine.

The DCOM configuration access setting might have been changed.

If the target computer is running Windows XP, the Forceguest value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa might be set to force the Guest account off (value is zero).

It sounds the server is running into a problem authenticating you.  Are you able to successfully logon directly to the W2k8 server?  (This would rule out any domain controller connectivity issues.)

You can also connect to WMI using WBEM Locator, which allows you to set credentials explicitly.  This would give you more info for troubleshooting...

wbemImpersonationLevelImpersonate = 3
wbemAuthenticationLevelPktPrivacy = 6

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer _
    ("TargetComputer", "root\cimv2", "UserName", "Password")
objService.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
objservices.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
LVL 16

Author Comment

ID: 33558484
Thanks for the reply.

- Passwords are not blank
- Both server & workstation are on same domain, account is on same domain
- i can log on to both the workstation and server directly

With the WBEM locator, I still continue to get an Access Denied error:
Line: 5
Char: 1
Error: Access is denied
Code: 80070005
Source: SWbemLocator
LVL 16

Author Comment

ID: 33558857
Tried all these but still Access Denied.  I am part of Domain Admin, Enterprise Admin and even directly added myself as Administrator on the server. I also tried a 2003 server instead of 2008 and still no dice. =(

And again, all this code works fine when run LOCALLY on the server (to itself) but does not run remotely.

Set objWMIService = GetObject("winmgmts:\\TargetComputer")
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error

Set objWMIService = GetObject("winmgmts:\\DomainName\TargetComputer")
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error

WMIC /NODE:"computer1" /USER:"domainname\username" /PASSWORD:"userpassword" OS GET Caption,CSDVersion,CSName
Code = 0x80070005
Description = Access is denied.
Facility =  Win32

I've also found out that while managing the server remotely via Computer Management console, I cannot access the WMI control (see attached picture). I also changed credentials to domain admin credential and it fails. But of course, logging in the actual server, it comes up fine. So we know for sure it's a remote access issue... the problem is I can't figure out what exactly is blocking this.

Anyone got any leads? Are there any group policies or other registries or anything like that, that could be preventing remote access? Windows firewall is not installed but we do have McAfee (but looking at the logs, it's not blocking anything).

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

LVL 10

Expert Comment

ID: 33559444
I'm not sure what you mean when you say "Windows firewall is not installed".  It is embedded in Server 2008.

Here's an article that might be of use:
LVL 41

Expert Comment

ID: 33559860
I presume that both the XP box and the Server2008 box are in the same domain, and that you're using a domain account (not a local acount) during these tests?   The problem is that impersonation using a local account will not work on a remote Server 2008 box unless User Account Control (UAC) is disabled...  only domain accounts will work
LVL 16

Author Comment

ID: 33561182
>>I'm not sure what you mean when you say "Windows firewall is not installed".  It is embedded in Server 2008.

I meant that windows firewall is disabled.
And yes, I am using a domain account as stated before. I am using the same account on all my testing/debugging.
LVL 16

Author Comment

ID: 33561265
Sorry if I sounded snarky.. didn't mean to. =)
LVL 10

Expert Comment

ID: 33561561
User Account Control could be affecting your testing.  Try adding the specific account you are using to the Local Administrators Group on the server.  (Rather than depending on the nested grouping through Domain Admins.)

Have a look here:
LVL 16

Author Comment

ID: 33562439
Yup, I tried that too unfortunately. Don't know if it matters, but I even attempted to use credentials of the actual local admin account of the server (i.e. servername\administrator instead of domain\myadmin ) -- that doesn't work either.

Some additional debugging -
- Re-enabled firewall and ran the netsh for DCOM/WMI exceptions and then re-disabled it again; just to make sure.
- Double checked registry for enableDCOM on both workstation and server = 1
- did all the steps listed here: http://www.tlhouse.co.uk/forums/index.php?board=18;action=display;threadid=153

i'm at my wits end... @__@;

Expert Comment

ID: 33577275
Sounds like an encryption requirement. Do you have something simliar to this in the event log:

"...The namespace is marked
with RequiresEncryption but the client connection was  attempted with an
authentication level below Pkt_Privacy. Re try the connection using
Pkt_Privacy authentication level."

Try adding -Authentication PacketPrivacy
Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE" -Authentication PacketPrivacy

Open in new window

LVL 16

Author Comment

ID: 33596682
I've tried it with the Pkt_Privacy as well . Pretty sure it's not a Pkt issue, since I think that provides a different error code than the 0x80070005.
LVL 16

Assisted Solution

ThinkPaper earned 0 total points
ID: 33630133
Ok. I've got it working. However, I'm not sure what specific changes enabled it to work.

What I did was:
1) disabled ALL of our server group policies and then, configured the Local Security Policies and then reconfigured the DCOM permissions to basically allow for ALL/Anonymous/EVERYONE/INTERACTIVE/etc (even though I had done it previously it didnt seem to take)...   as stated in http://www.pcreview.co.uk/forums/thread-2164135.php :

1. Start -> Control Panel -> Administrative Tools -> Local Security Policy
2. Navigate to Security\Local Policies\Security Options
a. Network Access: Let everyone permissions apply to anonymous users - Set to Enabled
c. DCOM: Machine Access Restrictions - Add Anonymous, Everyone, Interactive, Network, System with full rights options set.
d. Network Access: Let everyone permissions apply to anonymous users - Set to Enabled
e. Network Access: Sharing security model for local accounts - Set to Classic

The last item, "Sharing Security Model", in particular appears to be important. If this still does not work then try adjusting the DCOM configuration:

DCOM Configuration
1. Click Start -> Run
2. Enter DCOMCNFG and press OK. This will open the DCOMCNFG window.
3. Browse down the tree to Console Root ' Component Services ' Computers ' My Computer
4. Right click on "My Computer" and select properties
5. Select the "Default Properties" tab
a. Enable Distributed COM on this computer - option is checked.
b. Default Authentication Level - set to Connect
c. Default Impersonation Level - Set to Identify
6. Select the "COM Security" tab
7. Click on Access Permissions ' Edit Default
a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
8. Click on Launch and Activation Permissions ' Edit Default
a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
9. Click on OK
10. Close the DCOMCNFG window
11. Reboot

This time around, the permissions seemed to stick. But of course this isn't the final solution. I can't just leave things open like this. The problem is now that I need to go back and lock this down. Now it's a matter of making a few changes and rebooting and seeing if it blocks it again.

And the other problem - how can I make changes to the permissions of DCOM to all servers/workstations? Is there a quick way to do this (group policy, register, etc) or do I need to do this manually?

And also -- exactly WHAT are the minimum settings are to enable remote WMI access??!
LVL 16

Author Comment

ID: 33663862
Scratch that. I had thought something in the security settings or group policies did it, but then when I tried to use the script on another box (that did not have the new settings in it), it worked. So I'm back to square one. No idea why all of a sudden it started working for all our servers/workstations on 1 of our networks. Our other one is still having issues though since I can't find the root cause. I asked the network guys and they said they hadn't made any kind of changes that would affect it.
LVL 16

Author Comment

ID: 33728294
I am still unclear as to why it's all of a sudden working on 1 network but not the others.

Does anyone have a list of WHAT configurations need to be set in order to enable remote WMI? I've seen postings where folks just go ahead and enable EVERYTHING and it works -- but I don't want to do that since we've got a requirements to lock our systems down. I'd like to know exactly what the minium requirements are -- in Group Policy, registry, etc??
LVL 16

Author Comment

ID: 33780938
FYI - this is still unresolved as we have the same issues on our other network...

Expert Comment

ID: 33788039
I think that your problem has elevated to the point that it is too difficult to provide a solution via email communication
LVL 10

Assisted Solution

rscottvan earned 2000 total points
ID: 33788671
Have a look at this article, especially the section about Remote WMI.  I think you'll need to explicitly send credentials, because for whatever reason, you're not being authenticated properly all the time.

If that doesn't do it, the other ideas I have are based on your comment that it works on "some networks".  Not knowing your topology, it's difficult to assess, but there may be a network problem.  Two ideas come to mind:
1.  a network firewall between the client and server machines.  If the two systems are in different security zones, the firewall could be preventing some traffic
2.  Domain Controller connectivity - if either system is not able to connect to a DC, the systems won't be able to "trust" each other.

LVL 16

Author Comment

ID: 33995346
Regarding troubleshooting, Orion Solarwinds has a helpful step-by-step guide for troubleshooting WMI access. WMI vbscripts are used in conjunction with it's web apps, but it also applies for general WMI access.


Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this post, I will showcase the steps for how to create groups in Office 365. Office 365 groups allow for ease of flexibility and collaboration between staff members.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question