Solved

GetWMI, Get WMI-Object: Access Denied 0x80070005 both Powershell & VBScript

Posted on 2010-08-27
Last Modified: 2013-11-08
Experts-

I need lots of help on this one, as I am stumped.  =(
I've been trying to run 2 scripts that do the same thing, just to make sure it wasn't a script issue (in VBScript and PowerShell). The script retrieves IP/DNS info from a remote machine and then prints it out. The problem is I am running into an ACCESS IS DENIED error in both scripts. I believe it's because there are security permission issues with the WMI object. It runs fine locally but not remotely.

Some info:
- I am using a domain admin account
- I am running it off a Windows XP SP3 box, attempting to connect to a Windows 2008 Server
- Windows Firewall is disabled.

Some debugging I have done:
- Both scripts work LOCALLY, but NOT REMOTELY
- ran script from workstation to server, it fails
- ran script from server to server, and still fails
- ran script from workstation to itself, it works
- WBEMTEST fails as well even with domain & enterprise admin credentials
- DCOM and WINMGMT service is on and running on both test systems
- DCOM security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- WINS security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
-  Get-WMIObject -computername SERVERNAME -class "win32_process"   == Fails with same access denied error
-  gwmi win32_process -computername "SERVERNAME" -credential "domain\admin" == Fails with same access denied error
- Admins have full access to  Root/CIMV2 under the WMI control of the remote server.

I've attached both Powershell and VBScript code for reference.

VBS error: (on line 22 of first code snippet)
--------------------------------------------------
Number: 0x80070005
Facility: Win32
Description: Access is Denied

Under the Err object it spits out:
--------------
Error: 70
Description: Permission Denied
Source: Microsoft VBscript Runtime Error

Powershell error: (see attached BMP for full error)
---------------------------------------------------
Get-WMIObject: Access is Denied Exception from HResult: 0x80070005 (E_ACCESSDENIED)


Anyone have any other ideas as to what is causing this access denied issue?
VBSCRIPT:

'==========================================================================
' NAME: NIC_WMI_Config.vbs
' AUTHOR: pber, pber@pberblog.com
' DATE  : 6/6/2007
' COMMENT: <comment>
'==========================================================================
'On Error Resume Next

Set args = WScript.Arguments
If args.Count = 0 Then
	strComputer = InputBox("Please enter a computer name","title", "MYSERVERNAME")
Else
	strComputer = args(0)
End If

WScript.Echo "---START---"

'Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") ' <--- ERRORS HERE!!!!----

' Only reached with an error set when "On Error Resume Next" above is enabled
If Err.Number <> 0 Then
	WScript.Echo "Error: " & Err.Number
	WScript.Echo "Desc: " & Err.Description
	WScript.Echo "Source: " & Err.Source
End If

'Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True and DHCPEnabled=False")
Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration")

For Each objNicConfig In colNicConfigs
	WScript.Echo "---For Loop---"

'	If not objNicConfig.DHCPEnabled then
		WScript.Echo strComputer
		WScript.Echo "MAC:   " & objNicConfig.MACaddress

		' IPAddress is Null on adapters without TCP/IP bound (the query above is unfiltered)
		strIP = ""
		If Not IsNull(objNicConfig.IPAddress) Then strIP = objNicConfig.IPAddress(0)
		WScript.Echo "IP:    " & strIP

		If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
		   For i = 0 To UBound(objNicConfig.DNSServerSearchOrder)
		      WScript.Echo "DNS" & i+1 & ":  " & objNicConfig.DNSServerSearchOrder(i)
		   Next
		End If

		WScript.Echo "WINS1:  " & objNicConfig.WINSPrimaryServer
		WScript.Echo "WINS2:  " & objNicConfig.WINSSecondaryServer

		Set objAssociator = objNicConfig.Associators_
		For Each oNICAssociator In objAssociator
			strDisplayName = GetInterface(oNICAssociator.Path_.DisplayName)
			WScript.Echo strDisplayName
		Next
		strSubnet = GetSubnet(strIP)
		WScript.Echo "Subnet: " & strSubnet

		strDNS1  = "psexec \\" & strComputer & " netsh interface ip set dns name=""" & strDisplayName & """ source=static addr=192.168.2.100 register=PRIMARY"
		strDNS2  = "psexec \\" & strComputer & " netsh interface ip add dns name=""" & strDisplayName & """ addr=192.168.1.100 index=1"

		strDump = "cmd /k psexec \\" & strComputer & " netsh interface ip dump"  'Export current IP Settings

		WScript.Echo strDNS1
		WScript.Echo strDNS2
		WScript.Echo strDump

		'set wshell = CreateObject("WScript.Shell")
		'wshell.run strDNS1,0,1 '1,1 will wait for script to complete
		'wshell.run strDNS2,0,1 '1,1 will wait for script to complete

		'wshell.run strDump,1,1 '1,1 will wait for script to complete

		'set wshell = nothing
'	end if
Next

WScript.Echo "---END---"

Function GetInterface(strPath)
	Set objWMIService = GetObject(strPath)
	GetInterface = objWMIService.netConnectionID
End Function

Function GetSubnet(strIP)
	' Returns the third octet; empty when the adapter has no IPv4 address
	tmp = Split(strIP, ".")
	GetSubnet = ""
	If UBound(tmp) >= 2 Then GetSubnet = tmp(2)
End Function

POWERSHELL

==========================================

function Set-DNSWINS {
    $NICs = Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE"

    foreach($NIC in $NICs) {echo $_ $NIC.DNSServerSearchOrder}
}

function Get-FileName {
    $computer = Read-Host "Filename of computer names?"
    return $computer
}

$f = Get-FileName
Get-Content $f | foreach {Set-DNSWINS}

powershell.bmp
Question by:ThinkPaper
20 Comments
 
LVL 10

Accepted Solution

by:
rscottvan earned 500 total points
From this article:
http://technet.microsoft.com/en-us/library/ee692772.aspx

0x80070005 (DCOM ACCESS_DENIED)
This error occurs when the connected user is not recognized or is restricted in some fashion by the remote server (for example, the user might be locked out). This happens most often when accounts are in different domains. Recent changes to WMI security can also cause this error to occur:

Blank passwords, formerly permitted, are not allowed in Windows XP and Windows Server 2003.

WMI does not allow asynchronous callbacks to a Windows 98 client. A call like SWbemServices.ExecNotificationQueryAsync from a Windows 98 computer to a Windows XP computer will result in an Access Denied error returned to the Windows 98 machine.

The DCOM configuration access setting might have been changed.

If the target computer is running Windows XP, the Forceguest value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa might be set to force the Guest account off (value is zero).






It sounds like the server is running into a problem authenticating you.  Are you able to successfully log on directly to the W2k8 server?  (This would rule out any domain controller connectivity issues.)

You can also connect to WMI using WBEM Locator, which allows you to set credentials explicitly.  This would give you more info for troubleshooting...

wbemImpersonationLevelImpersonate = 3
wbemAuthenticationLevelPktPrivacy = 6

Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService = objLocator.ConnectServer _
    ("TargetComputer", "root\cimv2", "UserName", "Password")
objService.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
objService.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
0
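An added example, not part of rscottvan's answer or the linked TechNet article: the same explicit-credential connection made from PowerShell, with the failure code classified so a DCOM-level denial (0x80070005) can be told apart from a WMI namespace denial or an unreachable RPC endpoint. The function name Test-RemoteWmi and the hint wording are assumptions made for illustration.

```powershell
# Added example (not from the thread). Requires Windows PowerShell (Get-WmiObject).
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # Failure codes that point at different layers of the connection.
    $hints = @{
        '0x80070005' = 'Windows/DCOM access denied: logon or DCOM access/launch permission refused before WMI was reached'
        '0x80041003' = 'WMI access denied: authenticated, but the account lacks rights on the namespace'
        '0x800706BA' = 'RPC server unavailable: name resolution, host firewall or network firewall'
        '0x80041087' = 'Namespace requires encryption: connect with -Authentication PacketPrivacy'
    }

    $params = @{
        Class          = 'Win32_OperatingSystem'
        Namespace      = 'root\cimv2'
        ComputerName   = $ComputerName
        Impersonation  = 'Impersonate'
        Authentication = 'PacketPrivacy'
        ErrorAction    = 'Stop'
    }
    # Pass a PSCredential (for example from Get-Credential), never a plain-text password.
    if ($Credential) { $params.Credential = $Credential }

    try {
        $os   = Get-WmiObject @params
        $code = '0x00000000'
        $hint = "Connected: $($os.Caption)"
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.Management.ManagementException]) {
            # WMI-level errors carry the WBEM status in ErrorCode, not in HResult.
            $hr = [int]$ex.ErrorCode
        } else {
            $hr = [System.Runtime.InteropServices.Marshal]::GetHRForException($ex)
        }
        $code = '0x{0:X8}' -f $hr
        $hint = $hints[$code]
        if (-not $hint) { $hint = $ex.Message }
    }

    New-Object psobject -Property @{
        ComputerName = $ComputerName
        HResult      = $code
        Hint         = $hint
    }
}

# Usage: Test-RemoteWmi -ComputerName SERVERNAME -Credential (Get-Credential)
```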
 
LVL 16

Author Comment

by:ThinkPaper
Thanks for the reply.

- Passwords are not blank
- Both server & workstation are on same domain, account is on same domain
- I can log on to both the workstation and server directly

With the WBEM locator, I still continue to get an Access Denied error:
Line: 5
Char: 1
Error: Access is denied
Code: 80070005
Source: SWbemLocator
0
 
LVL 16

Author Comment

by:ThinkPaper
Tried all these but still Access Denied.  I am part of Domain Admin, Enterprise Admin and even directly added myself as Administrator on the server. I also tried a 2003 server instead of 2008 and still no dice. =(

And again, all this code works fine when run LOCALLY on the server (to itself) but does not run remotely.

Set objWMIService = GetObject("winmgmts:\\TargetComputer")
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error

Set objWMIService = GetObject("winmgmts:\\DomainName\TargetComputer")
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error

WMIC /NODE:"computer1" /USER:"domainname\username" /PASSWORD:"userpassword" OS GET Caption,CSDVersion,CSName
-------------------------
ERROR:
Code = 0x80070005
Description = Access is denied.
Facility =  Win32

I've also found out that while managing the server remotely via Computer Management console, I cannot access the WMI control (see attached picture). I also changed credentials to domain admin credential and it fails. But of course, logging in the actual server, it comes up fine. So we know for sure it's a remote access issue... the problem is I can't figure out what exactly is blocking this.

Anyone got any leads? Are there any group policies or other registries or anything like that, that could be preventing remote access? Windows firewall is not installed but we do have McAfee (but looking at the logs, it's not blocking anything).

wmierror.bmp
0
 
LVL 10

Expert Comment

by:rscottvan
I'm not sure what you mean when you say "Windows firewall is not installed".  It is embedded in Server 2008.

Here's an article that might be of use:
http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
0
 
LVL 41

Expert Comment

by:graye
I presume that both the XP box and the Server2008 box are in the same domain, and that you're using a domain account (not a local account) during these tests?   The problem is that impersonation using a local account will not work on a remote Server 2008 box unless User Account Control (UAC) is disabled...  only domain accounts will work
0
 
LVL 16

Author Comment

by:ThinkPaper
>>I'm not sure what you mean when you say "Windows firewall is not installed".  It is embedded in Server 2008.

I meant that windows firewall is disabled.
And yes, I am using a domain account as stated before. I am using the same account on all my testing/debugging.
0
 
LVL 16

Author Comment

by:ThinkPaper
Sorry if I sounded snarky.. didn't mean to. =)
0
 
LVL 10

Expert Comment

by:rscottvan
User Account Control could be affecting your testing.  Try adding the specific account you are using to the Local Administrators Group on the server.  (Rather than depending on the nested grouping through Domain Admins.)

Have a look here:
http://msdn.microsoft.com/en-us/library/aa826699(v=VS.85).aspx
0
 
LVL 16

Author Comment

by:ThinkPaper
Yup, I tried that too unfortunately. Don't know if it matters, but I even attempted to use credentials of the actual local admin account of the server (i.e. servername\administrator instead of domain\myadmin ) -- that doesn't work either.

Some additional debugging -
- Re-enabled firewall and ran the netsh for DCOM/WMI exceptions and then re-disabled it again; just to make sure.
- Double checked registry for enableDCOM on both workstation and server = 1
- did all the steps listed here: http://www.tlhouse.co.uk/forums/index.php?board=18;action=display;threadid=153

I'm at my wits' end... @__@;
0

 
LVL 6

Expert Comment

by:rwskas
Sounds like an encryption requirement. Do you have something similar to this in the event log:

"...The namespace is marked with RequiresEncryption but the client connection was attempted with an authentication level below Pkt_Privacy. Re try the connection using Pkt_Privacy authentication level."

Try adding -Authentication PacketPrivacy
Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE" -Authentication PacketPrivacy


0
 
LVL 16

Author Comment

by:ThinkPaper
I've tried it with the Pkt_Privacy as well. Pretty sure it's not a Pkt issue, since I think that provides a different error code than the 0x80070005.
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 0 total points
Ok. I've got it working. However, I'm not sure what specific changes enabled it to work.

What I did was:
1) disabled ALL of our server group policies and then configured the Local Security Policies and then reconfigured the DCOM permissions to basically allow for ALL/Anonymous/EVERYONE/INTERACTIVE/etc (even though I had done it previously it didn't seem to take)...   as stated in http://www.pcreview.co.uk/forums/thread-2164135.php :

1. Start -> Control Panel -> Administrative Tools -> Local Security Policy
2. Navigate to Security\Local Policies\Security Options
a. Network Access: Let everyone permissions apply to anonymous users - Set to Enabled
c. DCOM: Machine Access Restrictions - Add Anonymous, Everyone, Interactive, Network, System with full rights options set.
d. Network Access: Let everyone permissions apply to anonymous users - Set to Enabled
e. Network Access: Sharing security model for local accounts - Set to Classic

The last item, "Sharing Security Model", in particular appears to be important. If this still does not work then try adjusting the DCOM configuration:

DCOM Configuration
1. Click Start -> Run
2. Enter DCOMCNFG and press OK. This will open the DCOMCNFG window.
3. Browse down the tree to Console Root -> Component Services -> Computers -> My Computer
4. Right click on "My Computer" and select properties
5. Select the "Default Properties" tab
a. Enable Distributed COM on this computer - option is checked.
b. Default Authentication Level - set to Connect
c. Default Impersonation Level - Set to Identify
6. Select the "COM Security" tab
7. Click on Access Permissions -> Edit Default
a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
8. Click on Launch and Activation Permissions -> Edit Default
a. Add "Anonymous", "Everyone", "Interactive", "Network", "System" with Local and Remote access permissions set.
9. Click on OK
10. Close the DCOMCNFG window
11. Reboot

This time around, the permissions seemed to stick. But of course this isn't the final solution. I can't just leave things open like this. The problem is now that I need to go back and lock this down. Now it's a matter of making a few changes and rebooting and seeing if it blocks it again.

And the other problem - how can I make changes to the permissions of DCOM to all servers/workstations? Is there a quick way to do this (group policy, register, etc) or do I need to do this manually?

And also -- exactly WHAT are the minimum settings to enable remote WMI access??!
0
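An added example, not part of the post above or the quoted pcreview steps: a read-only check, run locally on the server, that reports whether the test-time loosening described above (Anonymous given remote DCOM rights, Everyone permissions applied to anonymous users) is still in place. The function names are hypothetical, and apart from forceguest the registry value names are not given in the thread; they are assumed here to be the standard locations of these settings.

```powershell
# Added example (not from the thread). Read-only; run locally on the server.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# The ACLs are stored as SDDL text (policy) or as a binary descriptor (DCOMCNFG).
function ConvertTo-Sddl($Value) {
    if ($Value -is [array]) {
        $bytes = [byte[]]$Value
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    }
    return [string]$Value
}

# COM access masks: 0x4 = remote access, 0x10 = remote activation
# (shown in SDDL as LC and RP). True if ANONYMOUS LOGON is allowed either one.
function Test-AnonymousRemoteAce([string]$Sddl) {
    $pattern = '\(A;[^;]*;([^;]*);[^;]*;[^;]*;(?:AN|S-1-5-7)\)'
    foreach ($m in [regex]::Matches($Sddl, $pattern)) {
        $rights = $m.Groups[1].Value
        if ($rights -match '^0x') {
            if (([Convert]::ToInt32($rights, 16) -band 0x14) -ne 0) { return $true }
        } elseif ($rights -match 'LC|RP') {
            return $true
        }
    }
    return $false
}

function Get-RemoteWmiExposure {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ole = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
    $findings = @()

    if ((Get-RegValue $lsa 'everyoneincludesanonymous') -eq 1) {
        $findings += 'Everyone permissions apply to anonymous users (everyoneincludesanonymous = 1)'
    }
    if ((Get-RegValue $lsa 'forceguest') -eq 1) {
        $findings += 'Sharing model is Guest only (forceguest = 1): remote local-account logons become Guest'
    }

    $targets = @(
        @($pol, 'MachineAccessRestriction'), @($pol, 'MachineLaunchRestriction'),
        @($ole, 'MachineAccessRestriction'), @($ole, 'MachineLaunchRestriction'),
        @($ole, 'DefaultAccessPermission'),  @($ole, 'DefaultLaunchPermission'))
    foreach ($t in $targets) {
        $raw = Get-RegValue $t[0] $t[1]
        if ($null -ne $raw -and (Test-AnonymousRemoteAce (ConvertTo-Sddl $raw))) {
            $findings += "ANONYMOUS LOGON has remote rights in $($t[1]) under $($t[0])"
        }
    }
    return $findings
}

# Usage: Get-RemoteWmiExposure   (no output means none of these loosened settings were found)
```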
 
LVL 16

Author Comment

by:ThinkPaper
Scratch that. I had thought something in the security settings or group policies did it, but then when I tried to use the script on another box (that did not have the new settings in it), it worked. So I'm back to square one. No idea why all of a sudden it started working for all our servers/workstations on 1 of our networks. Our other one is still having issues though since I can't find the root cause. I asked the network guys and they said they hadn't made any kind of changes that would affect it.
0
 
LVL 16

Author Comment

by:ThinkPaper
I am still unclear as to why it's all of a sudden working on 1 network but not the others.

Does anyone have a list of WHAT configurations need to be set in order to enable remote WMI? I've seen postings where folks just go ahead and enable EVERYTHING and it works -- but I don't want to do that since we've got a requirement to lock our systems down. I'd like to know exactly what the minimum requirements are -- in Group Policy, registry, etc??
0
 
LVL 16

Author Comment

by:ThinkPaper
FYI - this is still unresolved as we have the same issues on our other network...
0
 
LVL 6

Expert Comment

by:rwskas
I think that your problem has elevated to the point that it is too difficult to provide a solution via email communication
0
 
LVL 10

Assisted Solution

by:rscottvan
rscottvan earned 500 total points
Have a look at this article, especially the section about Remote WMI.  I think you'll need to explicitly send credentials, because for whatever reason, you're not being authenticated properly all the time.
http://technet.microsoft.com/en-us/magazine/2007.05.powershell.aspx

If that doesn't do it, the other ideas I have are based on your comment that it works on "some networks".  Not knowing your topology, it's difficult to assess, but there may be a network problem.  Two ideas come to mind:
1.  a network firewall between the client and server machines.  If the two systems are in different security zones, the firewall could be preventing some traffic
2.  Domain Controller connectivity - if either system is not able to connect to a DC, the systems won't be able to "trust" each other.

HTH.
0
 
LVL 16

Author Comment

by:ThinkPaper
Regarding troubleshooting, Orion Solarwinds has a helpful step-by-step guide for troubleshooting WMI access. WMI vbscripts are used in conjunction with its web apps, but it also applies for general WMI access.

http://thwack.com/forums/48/orion-family/21/application-performance-monitor/11125/wmi-troubleshooting-guide/
http://www.solarwinds.com/support/apm/docs/APMWMITroubleshooting.pdf
0
