GetWMI, Get WMI-Object: Access Denied 0x80070005 both Powershell & VBScript
Experts-
I need lots of help on this one, as I am stumped. =(
I've been trying to run 2 scripts that do the same thing, just to make sure it wasn't a script issue (in vbscripts and powershell). The script retrieves IP/DNS info from a remote machine and then prints it out. The problem is I am running into an ACCESS IS DENIED error in both scripts. I believe its because there are security permission issues with the WMI object. It runs fine locally but not remotely.
Some info:
- I am using a domain admin account
- I am running it off a Windows XP SP3 box, attempting to connect to a Windows 2008 Server
- Windows Firewall is disabled.
Some debugging I have done:
- Both script works LOCALLY, but NOT REMOTELY
- ran script from workstation to server, it fails
- ran script from server to server, and still fails
- ran script from workstation to itself, it works
- WBEMTEST fails as well even with domain & enterprise admin credentials
- DCOM and WINMGMT service is on and running on both test systems
- DCOM security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- WINS security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- Get_WMIObject -computername SERVERNAME -class "win32_process" == Fails with same access denied error
- gwmi win32_process -computername "SERVERNAME" -credential "domain\admin" == Fails with same access denied error
- Admins have full access to Root/CIMV2 under the WMI control of the remote server.
I've attached both Powershell and VBScript code for reference.
VBS error: (on line 22 of first code snippet)
--------------------------
Number: 0x80070005
Facility: Win32
Description: Access is Denied
Under the Err object it spits out:
--------------
Error: 70
Description: Permission Denied
Source: Microsoft VBscript Runtime Error
Powershell error: (see attached BMP for full error)
--------------------------
Get-WMIObject: Access is Denied Exception from HResult: 0x80070005 (E_ACCESSDENIED)
Anyone have any other ideas as to what is causing this access denied issue?
I need lots of help on this one, as I am stumped. =(
I've been trying to run 2 scripts that do the same thing, just to make sure it wasn't a script issue (in vbscripts and powershell). The script retrieves IP/DNS info from a remote machine and then prints it out. The problem is I am running into an ACCESS IS DENIED error in both scripts. I believe its because there are security permission issues with the WMI object. It runs fine locally but not remotely.
Some info:
- I am using a domain admin account
- I am running it off a Windows XP SP3 box, attempting to connect to a Windows 2008 Server
- Windows Firewall is disabled.
Some debugging I have done:
- Both script works LOCALLY, but NOT REMOTELY
- ran script from workstation to server, it fails
- ran script from server to server, and still fails
- ran script from workstation to itself, it works
- WBEMTEST fails as well even with domain & enterprise admin credentials
- DCOM and WINMGMT service is on and running on both test systems
- DCOM security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- WINS security permissions are already set for local & remote access for Domain Admins (I basically set allow all for Everyone/Anonymous for testing)
- Get_WMIObject -computername SERVERNAME -class "win32_process" == Fails with same access denied error
- gwmi win32_process -computername "SERVERNAME" -credential "domain\admin" == Fails with same access denied error
- Admins have full access to Root/CIMV2 under the WMI control of the remote server.
I've attached both Powershell and VBScript code for reference.
VBS error: (on line 22 of first code snippet)
--------------------------
Number: 0x80070005
Facility: Win32
Description: Access is Denied
Under the Err object it spits out:
--------------
Error: 70
Description: Permission Denied
Source: Microsoft VBscript Runtime Error
Powershell error: (see attached BMP for full error)
--------------------------
Get-WMIObject: Access is Denied Exception from HResult: 0x80070005 (E_ACCESSDENIED)
Anyone have any other ideas as to what is causing this access denied issue?
VBSCRIPT:
'==========================================================================
' NAME: NIC_WMI_Config.vbs
' AUTHOR: pber, pber@pberblog.com
' DATE : 6/6/2007
' COMMENT: <comment>
'==========================================================================
'On Error Resume Next
set args = WScript.Arguments
If args.Count = 0 Then
strComputer = InputBox("Please enter a computer name","title", "MYSERVERNAME")
Else
strComputer = args(0)
end if
WScript.Echo "---START---"
'Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") <--- ERRORS HERE!!!!----
If Err.Number <> 0 Then
WScript.Echo "Error: " & Err.Number
WScript.echo "Desc: " & Err.Description
WScript.Echo "Source: " & Err.Source
End If
'Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True and DHCPEnabled=False")
Set colNicConfigs = objWMIService.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration")
For Each objNicConfig In colNicConfigs
WScript.Echo "---For Loop---"
' If not objNicConfig.DHCPEnabled then
WScript.Echo strComputer
WScript.Echo "MAC: " & objNicConfig.MACaddress
strIP = objNicConfig.ipaddress(0)
WScript.Echo "IP: " & strIP
If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
For i = 0 To UBound(objNicConfig.DNSServerSearchOrder)
WScript.Echo "DNS" & i+1 & ": " & objNicConfig.DNSServerSearchOrder(i)
Next
End If
WScript.Echo "WINS1: " & objNicConfig.WINSPrimaryServer
WScript.Echo "WINS2: " & objNicConfig.WINSSecondaryServer
Set objAssociator = objNicConfig.Associators_
For Each oNICAssociator In objAssociator
strDisplayName = GetInterface(oNICAssociator.Path_.DisplayName)
wscript.echo strDisplayName
Next
strSubnet = GetSubnet(strip)
WScript.Echo "Subnet: " & strsubnet
strDNS1 = "psexec \\" & strComputer & " netsh interface ip set dns name=""" & strDisplayName & """ source=static addr=192.168.2.100 register=PRIMARY"
strDNS2 = "psexec \\" & strComputer & " netsh interface ip add dns name=""" & strDisplayName & """ addr=192.168.1.100 index=1"
strDump = "cmd /k psexec \\" & strComputer & " netsh interface ip dump" 'Export current IP Settings
WScript.Echo strDNS1
WScript.Echo strDNS2
WScript.Echo strDump
'set wshell = CreateObject("WScript.Shell")
'wshell.run strDNS1,0,1 '1,1 will wait for script to complete
'wshell.run strDNS2,0,1 '1,1 will wait for script to complete
'wshell.run strDump,1,1 '1,1 will wait for script to complete
'set wshell = nothing
' end if
Next
WScript.Echo "---END---"
Function GetInterface(strPath)
Set objWMIService = GetObject(strPath)
GetInterface = objWMIService.netConnectionID
End Function
Function GetSubnet(strIP)
tmp = Split(strip,".")
GetSubnet = tmp(2)
End Function
POWERSHELL
==========================================
function Set-DNSWINS {
$NICs = Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE"
foreach($NIC in $NICs) {echo $_ $NIC.DNSServerSearchOrder}
}
function Get-FileName {
$computer = Read-Host "Filename of computer names?"
return $computer
}
$f = Get-FileName
Get-Content $f | foreach {Set-DNSWINS}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Tried all these but still Access Denied. I am part of Domain Admin, Enterprise Admin and even directly added myself as Administrator on the server. I also tried a 2003 server instead of 2008 and still no dice. =(
And again, all this code works fine when run LOCALLY on the server (to itself) but does not run remotely.
Set objWMIService = GetObject("winmgmts:\\Targ
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error
Set objWMIService = GetObject("winmgmts:\\Doma
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error
WMIC /NODE:"computer1" /USER:"domainname\username
-------------------------
ERROR:
Code = 0x80070005
Description = Access is denied.
Facility = Win32
I've also found out that while managing the server remotely via Computer Management console, I cannot access the WMI control (see attached picture). I also changed credentials to domain admin credential and it fails. But of course, logging in the actual server, it comes up fine. So we know for sure it's a remote access issue... the problem is I can't figure out what exactly is blocking this.
Anyone got any leads? Are there any group policies or other registries or anything like that, that could be preventing remote access? Windows firewall is not installed but we do have McAfee (but looking at the logs, it's not blocking anything).
wmierror.bmp
And again, all this code works fine when run LOCALLY on the server (to itself) but does not run remotely.
Set objWMIService = GetObject("winmgmts:\\Targ
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error
Set objWMIService = GetObject("winmgmts:\\Doma
------------------------
Error: Permission denied: 'GetObject'
Code: 800A0046
Source: Microsoft VBScript runtime error
WMIC /NODE:"computer1" /USER:"domainname\username
-------------------------
ERROR:
Code = 0x80070005
Description = Access is denied.
Facility = Win32
I've also found out that while managing the server remotely via Computer Management console, I cannot access the WMI control (see attached picture). I also changed credentials to domain admin credential and it fails. But of course, logging in the actual server, it comes up fine. So we know for sure it's a remote access issue... the problem is I can't figure out what exactly is blocking this.
Anyone got any leads? Are there any group policies or other registries or anything like that, that could be preventing remote access? Windows firewall is not installed but we do have McAfee (but looking at the logs, it's not blocking anything).
wmierror.bmp
I'm not sure what you mean when you say "Windows firewall is not installed". It is embedded in Server 2008.
Here's an article that might be of use:
http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
Here's an article that might be of use:
http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx
I presume that both the XP box and the Server2008 box are in the same domain, and that you're using a domain account (not a local acount) during these tests? The problem is that impersonation using a local account will not work on a remote Server 2008 box unless User Account Control (UAC) is disabled... only domain accounts will work
ASKER
>>I'm not sure what you mean when you say "Windows firewall is not installed". It is embedded in Server 2008.
I meant that windows firewall is disabled.
And yes, I am using a domain account as stated before. I am using the same account on all my testing/debugging.
I meant that windows firewall is disabled.
And yes, I am using a domain account as stated before. I am using the same account on all my testing/debugging.
ASKER
Sorry if I sounded snarky.. didn't mean to. =)
User Account Control could be affecting your testing. Try adding the specific account you are using to the Local Administrators Group on the server. (Rather than depending on the nested grouping through Domain Admins.)
Have a look here:
http://msdn.microsoft.com/en-us/library/aa826699(v=VS.85).aspx
Have a look here:
http://msdn.microsoft.com/en-us/library/aa826699(v=VS.85).aspx
ASKER
Yup, I tried that too unfortunately. Don't know if it matters, but I even attempted to use credentials of the actual local admin account of the server (i.e. servername\administrator instead of domain\myadmin ) -- that doesn't work either.
Some additional debugging -
- Re-enabled firewall and ran the netsh for DCOM/WMI exceptions and then re-disabled it again; just to make sure.
- Double checked registry for enableDCOM on both workstation and server = 1
- did all the steps listed here: http://www.tlhouse.co.uk/forums/index.php?board=18;action=display;threadid=153
i'm at my wits end... @__@;
Some additional debugging -
- Re-enabled firewall and ran the netsh for DCOM/WMI exceptions and then re-disabled it again; just to make sure.
- Double checked registry for enableDCOM on both workstation and server = 1
- did all the steps listed here: http://www.tlhouse.co.uk/forums/index.php?board=18;action=display;threadid=153
i'm at my wits end... @__@;
Sounds like an encryption requirement. Do you have something simliar to this in the event log:
"...The namespace is marked
with RequiresEncryption but the client connection was attempted with an
authentication level below Pkt_Privacy. Re try the connection using
Pkt_Privacy authentication level."
Try adding -Authentication PacketPrivacy
"...The namespace is marked
with RequiresEncryption but the client connection was attempted with an
authentication level below Pkt_Privacy. Re try the connection using
Pkt_Privacy authentication level."
Try adding -Authentication PacketPrivacy
Get-WmiObject Win32_NetworkAdapterConfiguration -Computer $_ -Filter "IPEnabled=TRUE" -Authentication PacketPrivacy
ASKER
I've tried it with the Pkt_Privacy as well . Pretty sure it's not a Pkt issue, since I think that provides a different error code than the 0x80070005.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Scratch that. I had thought something in the security settings or group policies did it, but then when I tried to use the script on another box (that did not have the new settings in it), it worked. So I'm back to square one. No idea why all of a sudden it started working for all our servers/workstations on 1 of our networks. Our other one is still having issues though since I can't find the root cause. I asked the network guys and they said they hadn't made any kind of changes that would affect it.
ASKER
I am still unclear as to why it's all of a sudden working on 1 network but not the others.
Does anyone have a list of WHAT configurations need to be set in order to enable remote WMI? I've seen postings where folks just go ahead and enable EVERYTHING and it works -- but I don't want to do that since we've got a requirements to lock our systems down. I'd like to know exactly what the minium requirements are -- in Group Policy, registry, etc??
Does anyone have a list of WHAT configurations need to be set in order to enable remote WMI? I've seen postings where folks just go ahead and enable EVERYTHING and it works -- but I don't want to do that since we've got a requirements to lock our systems down. I'd like to know exactly what the minium requirements are -- in Group Policy, registry, etc??
ASKER
FYI - this is still unresolved as we have the same issues on our other network...
I think that your problem has elevated to the point that it is too difficult to provide a solution via email communication
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Regarding troubleshooting, Orion Solarwinds has a helpful step-by-step guide for troubleshooting WMI access. WMI vbscripts are used in conjunction with it's web apps, but it also applies for general WMI access.
http://thwack.com/forums/48/orion-family/21/application-performance-monitor/11125/wmi-troubleshooting-guide/
http://www.solarwinds.com/support/apm/docs/APMWMITroubleshooting.pdf
http://thwack.com/forums/48/orion-family/21/application-performance-monitor/11125/wmi-troubleshooting-guide/
http://www.solarwinds.com/support/apm/docs/APMWMITroubleshooting.pdf
ASKER
- Passwords are not blank
- Both server & workstation are on same domain, account is on same domain
- i can log on to both the workstation and server directly
With the WBEM locator, I still continue to get an Access Denied error:
Line: 5
Char: 1
Error: Access is denied
Code: 80070005
Source: SWbemLocator