Re: WMI / DCOM 'ACCESS DENIED'
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 1 Mar 2007 00:26:58 -0700
"fixitchris via WinServerKB.com" <u28526@uwe> wrote in message
news:6e7dbdee9789b@xxxxxx
XP sp2....
I did restore the defaults with Security config and analysis snap-in. How
can that be bad?
This started to happen, coincidentally after I applied a GPO to the whole
domain ( with a WMI filter) .
--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/windows-security/200702/1
http://support.microsoft.com/kb/313222
notice that this does not reset _all_ settings back to what they
were set to during install. Also, this action can wipe out needed
post-install changes.
Why didn't just unlinking the GPO effect resolution?
From the event message you posted it appears that theNetwork Service has no permissions on the winmgmt
service, at least it does not have Read Control which
I assume means it does not have any.
http://support.microsoft.com/kb/894794
Probably explains the problem you have bumped up
against, but obtaining the hotfix will not resolve your
problem (it has already happened, the hotfix replaces
the sce editor so it will not happen again).
You should grant full to network service on winmgmt
Here is some info using sc in a cmd window from this XP SP2
C:\>sc qc winmgmt
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: winmgmt
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME : LocalSystem
C:\>sc sdshow winmgmt
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Notice that on this machine winmgmt is configured to run a Local System,
not Network Service (which you event log message indicated was not
granted the sufficient permissions). In the SDDL shown just above the
Network Service would only have the permissions given to Authenticated
Users (the grouping ending in AU).
The SDDL shown above (be careful about line breaks) should be usable
in a sc sdset command.
Roger
.
- Follow-Ups:
- Re: WMI / DCOM 'ACCESS DENIED'
- From: fixitchris via WinServerKB.com
- Re: WMI / DCOM 'ACCESS DENIED'
- Prev by Date: Re: Web App Security Model.
- Next by Date: Re: Web App Security Model.
- Previous by thread: Re: Web App Security Model.
- Next by thread: Re: WMI / DCOM 'ACCESS DENIED'
- Index(es):
