Simple-Tech.info

You receive an Access is denied error when you want to connect a remote computer or server with WMI and use specific user credentials, Number: 0x80070005, Access is denied 

Rate this Content 0

     

0 Votes

Give feedback on this content Email Address (Optional)

SYMTOMS

You receive an Access is denied error when you want to connect a remote computer or server with WMI and use a specific (different) user credentials.

In my case I have the same error from "What’s UP", "VBS" and from the "Windows Management Instrumentation Tester".

 

Failed to connect to [server_name]. User=[the user name] Error=Access is denied

 

 

 

Number: 0x80070005

Facility : Win32

Description : Access is denied

 

 

CAUSE

The principal cause of this problem are :

1. The MSDTC service is not started.
2. The option “Enable Distributed COM on this computer” is not enabled.
3. The permissions on “My Computer” in “component services” for “Access Permissions and Launch and Activation Permissions” are not set correctly.
4. The security permissions in “root” of “Windows Management Infrastructure WMI Control (Local)” are not set correctly.
5. Other cause.

RESOLUTION

The MSDTC service is not started

1. Start the service “Distributed Transaction Coordinator” form services console or with command “net start msdtc”.
2. Test if connectivity is working with “Windows Management Instrumentation Tester”, to do this see the last section of this document.

The option “Enable Distributed COM on this computer” is not enabled

1. Open “Component Services” from “Administrative Tools” or with command “C:\WINDOWS\system32\Com\comexp.msc”.
2. Expand “Computer” section.
3. Select “My Computer” object and open “Properties” dialog box.
4. Go to “Default Properties” tab.
5. Enable “Enable Distributed COM on this computer” checkbox.
6. Choose “Connect” for “Default Authentication Level” and “Identify” for “Default Impersonation Level”
7. !!! MANDATORY !!! REBOOT COMPUTER
8. Test if connectivity is working with “Windows Management Instrumentation Tester”, to do this see the last section of this document.

 

 

The permissions on “My Computer” in “component services” for “Access Permissions and Launch and Activation Permissions” are not set correctly

1. Open “Component Services” from “Administrative Tools” or with command “C:\WINDOWS\system32\Com\comexp.msc”.
2. Expand “Computer” section.
3. Select “My Computer” object and open “Properties” dialog box.
4. Go to “COM Security” tab.

 

 

5. Set theses permissions for “Edit Limits” and “Edit Default” in section “Access Permissions”

Edit Limits

Anonymous Logon => Local Access + Remote Access

Distributed COM Users => Local Access + Remote Access

Everyone => Local Access + Remote Access

 

Edit Default

SELF => Local Access + Remote Access

SYSTEM => Remote Access

6. Set theses permissions for “Edit Limits” and “Edit Default” in section “Launch and Activation Permissions”

Edit Limits

Administrators => Local/Remote Launch + Local/Remote Activation

Distributed COM Users => Local/Remote Launch + Local/Remote Activation

Everyone=> Local Launch + Local Activation

Offer Remote Assistance Helpers => Local/Remote Launch + Local/Remote Activation

 

Edit Default

Administrators => Local/Remote Launch + Local/Remote Activation

INTERACTIVE => Local/Remote Launch + Local/Remote Activation

SYSTEM => Local/Remote Launch + Local/Remote Activation

9. !!! MANDATORY !!! REBOOT COMPUTER
10. Test if connectivity is working with “Windows M;anagement Instrumentation Tester”, to do this see the last section of this document.

 

The security permissions in “root” of “Windows Management Infrastructure WMI Control (Local)” are not set correctly

1. Open “Windows Management Infrastructure (WMI)” with command “C:\WINDOWS\system32\wmimgmt.msc”.
2. Select “WMI Control (Local)” object and open “Properties” dialog box.
3. Got to “Security” tab.
4. Select “Root”.
5. Click on “Security” button.
6. Set theses permissions :

Administrators => Check all options

Everyone => Execute Methods + Provider Write + Enable Account

LOCAL SERVICE => Execute Methods + Provider Write + Enable Account

NETWORK SERVICE => Execute Methods + Provider Write + Enable Account

7. Restart “Windows Management Instrumentation” service.
8. Test if connectivity is working with “Windows Management Instrumentation Tester”, to do this see the last section of this document.

WARNING

In some case you must add the user do you use for WMI connection with “all options” checked in step “6”.

 

 

Other cause

If you are on this case before all download “The WMI Diagnosis Utility (WMIDIAG)” from Microsoft web site.

 

1. Stop all “Windows Management Instrumentation” services.
2. Backup and delete the content of WMI log folder “C:\WINDOWS\system32\wbem\Logs”.
3. Start all “Windows Management Instrumentation” services.
4. Extract “The WMI Diagnosis Utility (WMIDIAG)” where you want.
5. Open a command run the extracted file “WMIDiag.vbs”, sample “cscript WMIDiag.vbs”.
6. Wait the end of process, this take several minutes.
7. Open folder “%USERPROFILE%\Local Settings\Temp” and edit file “WMIDIAG-V2.0_2003_.SRV.RTM.32_SERVER_DATE_TIME.LOG” in notepad.
8. Find string “!! WARNING:” in document and correct all problems you found, for more information’s see section “How Do I run WMI Diagnosis Tool To troubleshoot WMI” of document “WMIDiag.doc”.

 

 

Sample of error in log file

38078 10:24:54 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.

38079 10:24:54 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!

38080 10:24:54 (0) **        - REMOVED ACE:

38081 10:24:54 (0) **          ACEType: &h0

38082 10:24:54 (0) **                    ACCESS_ALLOWED_ACE_TYPE

38083 10:24:54 (0) **          ACEFlags: &h12

38084 10:24:54 (0) **                    CONTAINER_INHERIT_ACE

38085 10:24:54 (0) **                    INHERITED_ACE

38086 10:24:54 (0) **          ACEMask: &h13

38087 10:24:54 (0) **                    WBEM_ENABLE

38088 10:24:54 (0) **                    WBEM_METHOD_EXECUTE

38089 10:24:54 (0) **                    WBEM_WRITE_PROVIDER

38090 10:24:54 (0) **

38091 10:24:54 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.

38092 10:24:54 (0) **    Removing default security will cause some operations to fail!

38093 10:24:54 (0) **    It is possible to fix this issue by editing the security descriptor and adding the ACE.

38094 10:24:54 (0) **    For WMI namespaces, this can be done with 'WMIMGMT.MSC'.

38095 10:24:54 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.

38096 10:24:54 (0) **       The security diagnostic is based on the WMI namespace expected defaults.

38097 10:24:54 (0) **       A specific WMI application can always require a security setup different

38098 10:24:54 (0) **       than the WMI security defaults.

38099 10:24:54 (0) **

 

Windows Management Instrumentation Tester

1. Logon on a computer in your network not the computer where you have the problem.
2. Start application “wbemtest.exe” from run command in start menu.
3. Click on “Connect” button.
4. For a remote connection use \\the_computer_name\root\cimv2 in “Namespace”.
5. In credentials set the user information with “domain\username” format.
6. Set the password.
7. Click “Connect” button.

 

 

 

Simple-Tech.info

Previous Post << >> Next Post

Feedback

Title

Name

URL

Remember Me?

Comments

 Enter the code shown: