This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

WMI access problems

ssb
Engaged Sweeper

‎03-11-2009 12:54 AM

My 2003 servers all worked fine, but my XP SP3 workstations in the domain get WMI access denied. I ran dcomcnf and checked my computer properties for Default properties and Windows Managment Instrutmentation matches WMI how to. Ran WMDiag and I get this for the only errors. I am not sure what to add or where to add it? I noticed another post similiar to this, but I was still unable to get this resolved.

25287 10:49:58 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
25288 10:49:58 (1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
25289 10:49:58 (0) ** - REMOVED ACE:
25290 10:49:58 (0) ** ACEType: &h0
25291 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25292 10:49:58 (0) ** ACEFlags: &h0
25293 10:49:58 (0) ** ACEMask: &h1
25294 10:49:58 (0) ** DCOM_RIGHT_EXECUTE
25295 10:49:58 (0) **
25296 10:49:58 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
25297 10:49:58 (0) ** Removing default security will cause some operations to fail!
25298 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
25299 10:49:58 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
25300 10:49:58 (0) **
25301 10:49:58 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
25302 10:49:58 (1) !! ERROR: Default trustee 'NT AUTHORITY\INTERACTIVE' has been REMOVED!
25303 10:49:58 (0) ** - REMOVED ACE:
25304 10:49:58 (0) ** ACEType: &h0
25305 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25306 10:49:58 (0) ** ACEFlags: &h0
25307 10:49:58 (0) ** ACEMask: &h1
25308 10:49:58 (0) ** DCOM_RIGHT_EXECUTE
25309 10:49:58 (0) **
25310 10:49:58 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
25311 10:49:58 (0) ** Removing default security will cause some operations to fail!
25312 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
25313 10:49:58 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
25314 10:49:58 (0) **
25315 10:49:58 (0) ** DCOM security for 'Microsoft WBEM UnSecured Apartment' (Launch & Activation Permissions): ........................... MODIFIED.
25316 10:49:58 (1) !! ERROR: Default trustee 'NT AUTHORITY\SYSTEM' has been REMOVED!
25317 10:49:58 (0) ** - REMOVED ACE:
25318 10:49:58 (0) ** ACEType: &h0
25319 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25320 10:49:58 (0) ** ACEFlags: &h0
25321 10:49:58 (0) ** ACEMask: &h1
25322 10:49:58 (0) ** DCOM_RIGHT_EXECUTE
25323 10:49:58 (0) **
25324 10:49:58 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
25325 10:49:58 (0) ** Removing default security will cause some operations to fail!
25326 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
25327 10:49:58 (0) ** For DCOM objects, this can be done with 'DCOMCNFG.EXE'.
25328 10:49:58 (0) **
25329 10:49:58 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
25330 10:49:58 (1) !! ERROR: Actual trustee 'NT AUTHORITY\NETWORK SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
25331 10:49:58 (0) ** - ACTUAL ACE:
25332 10:49:58 (0) ** ACEType: &h0
25333 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25334 10:49:58 (0) ** ACEFlags: &h2
25335 10:49:58 (0) ** CONTAINER_INHERIT_ACE
25336 10:49:58 (0) ** ACEMask: &h1
25337 10:49:58 (0) ** WBEM_ENABLE
25338 10:49:58 (0) ** - EXPECTED ACE:
25339 10:49:58 (0) ** ACEType: &h0
25340 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25341 10:49:58 (0) ** ACEFlags: &h12
25342 10:49:58 (0) ** CONTAINER_INHERIT_ACE
25343 10:49:58 (0) ** INHERITED_ACE
25344 10:49:58 (0) ** ACEMask: &h13
25345 10:49:58 (0) ** WBEM_ENABLE
25346 10:49:58 (0) ** WBEM_METHOD_EXECUTE
25347 10:49:58 (0) ** WBEM_WRITE_PROVIDER
25348 10:49:58 (0) **
25349 10:49:58 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
25350 10:49:58 (0) ** This will cause some operations to fail!
25351 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
25352 10:49:58 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
25353 10:49:58 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
25354 10:49:58 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
25355 10:49:58 (0) ** A specific WMI application can always require a security setup different
25356 10:49:58 (0) ** than the WMI security defaults.
25357 10:49:58 (0) **
25358 10:49:58 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
25359 10:49:58 (1) !! ERROR: Actual trustee 'NT AUTHORITY\LOCAL SERVICE' DOES NOT match corresponding expected trustee rights (Actual->Default)
25360 10:49:58 (0) ** - ACTUAL ACE:
25361 10:49:58 (0) ** ACEType: &h0
25362 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25363 10:49:58 (0) ** ACEFlags: &h2
25364 10:49:58 (0) ** CONTAINER_INHERIT_ACE
25365 10:49:58 (0) ** ACEMask: &h1
25366 10:49:58 (0) ** WBEM_ENABLE
25367 10:49:58 (0) ** - EXPECTED ACE:
25368 10:49:58 (0) ** ACEType: &h0
25369 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25370 10:49:58 (0) ** ACEFlags: &h12
25371 10:49:58 (0) ** CONTAINER_INHERIT_ACE
25372 10:49:58 (0) ** INHERITED_ACE
25373 10:49:58 (0) ** ACEMask: &h13
25374 10:49:58 (0) ** WBEM_ENABLE
25375 10:49:58 (0) ** WBEM_METHOD_EXECUTE
25376 10:49:58 (0) ** WBEM_WRITE_PROVIDER
25377 10:49:58 (0) **
25378 10:49:58 (0) ** => The actual ACE has the right(s) '&h12 WBEM_METHOD_EXECUTE WBEM_WRITE_PROVIDER' removed!
25379 10:49:58 (0) ** This will cause some operations to fail!
25380 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the removed right.
25381 10:49:58 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
25382 10:49:58 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
25383 10:49:58 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
25384 10:49:58 (0) ** A specific WMI application can always require a security setup different
25385 10:49:58 (0) ** than the WMI security defaults.
25386 10:49:58 (0) **
25387 10:49:58 (0) ** WMI namespace security for 'ROOT/SERVICEMODEL': ..................................................................... MODIFIED.
25388 10:49:58 (1) !! ERROR: Default trustee 'EVERYONE' has been REMOVED!
25389 10:49:58 (0) ** - REMOVED ACE:
25390 10:49:58 (0) ** ACEType: &h0
25391 10:49:58 (0) ** ACCESS_ALLOWED_ACE_TYPE
25392 10:49:58 (0) ** ACEFlags: &h12
25393 10:49:58 (0) ** CONTAINER_INHERIT_ACE
25394 10:49:58 (0) ** INHERITED_ACE
25395 10:49:58 (0) ** ACEMask: &h13
25396 10:49:58 (0) ** WBEM_ENABLE
25397 10:49:58 (0) ** WBEM_METHOD_EXECUTE
25398 10:49:58 (0) ** WBEM_WRITE_PROVIDER
25399 10:49:58 (0) **
25400 10:49:58 (0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
25401 10:49:58 (0) ** Removing default security will cause some operations to fail!
25402 10:49:58 (0) ** It is possible to fix this issue by editing the security descriptor and adding the ACE.
25403 10:49:58 (0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.
25404 10:49:58 (0) ** Note: WMIDiag has no specific knowledge of this WMI namespace.
25405 10:49:58 (0) ** The security diagnostic is based on the WMI namespace expected defaults.
25406 10:49:58 (0) ** A specific WMI application can always require a security setup different
25407 10:49:58 (0) ** than the WMI security defaults.
Labels:
0 Kudos
1 REPLY 1
ssb
Engaged Sweeper

‎03-11-2009 01:39 AM

Looks like I have something going on in AD policy that was overwriting local policy. I fixed it by creating a test OS. I Put a test system that didnt work into that OU. I created new policy for that OU.

In the new policy I enabled:
windows settings -> security settings -> local policies -> security options ->
DCOM: Machine access restrictions -> policy setting -> check Define this policy setting and took defaults plus added the service account that had been used for LanSweeper.

defaults:
anonymous login -> allow local access and remote access
distributed com users -> allow local access and remote access
everyone -> allow local access and remote access
LSAdmin -> allow local access and remote access

DCOM: Mach Launch Restictions -> policy setting -> check Define this policy setting and took defaults
administrators -> local launch, remote lauch, local activation, remote activiation
distributed com users -> local launch, remote lauch, local activation, remote activiation
everyone -> local launch, local activation
LSAdmin -> local launch, remote lauch, local activation, remote activiation

That corrected what ever the problem was for the workstation in the test OU. I then added those policy settings to my normal worstation policy, and problems solved.
0 Kudos

Archive

This board contains archived posts from the retired Lansweeper Forum and Insiders Community.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now
Top