WMI ‘Access Denied ‘ on remote computer

In my current project, I would like to monitor windows 2008 servers remotely and planned to use WMI. While my code worked locally, I got ‘Access Denied’ error while trying to access Windows 2008 servers.

Although, I enabled DCOM remote activation, I still received error and close to pulling my hair. Finally, I figured that permissions are not propagated and was set only at root level, causing an issue.

For everyone’s benefit, I listed steps below to configure DCOM and WMI to monitor remote servers

Configure DCOM


 

  • On the server to be managed click Start, click Run, type dcomcnfg, and then click OK.
  • In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  • In the My Computer Properties dialog box, click the COM Security tab.

Dcom Properties

  • Under Launch and Activation Permissions, click Edit Limits.
  • In the Launch Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
  • Under Access Permissions, click Edit Limits.
  • In the Access Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Access, and then click OK.
  • Add the user account to the Distributed COM Users Group in Computer Management, Local Users and Groups on the Server to be managed.
  • Add the user account to the Performance Log Users Group in Computer Management, Local Users and Groups on the Server to be managed.

Configure WMI


  • On the server to be managed click Start, click Run, type wmimgmt.msc, and then click OK.
  • In the console tree, right-click WMI Control, and then click Properties.
  • Click the Security tab.
  • Select the Root namespace and then click Security.
  • In the Security dialog box, click Add.
  • In the Select Users, Computers, or Groups dialog box, enter the user account. Click the Check Names button to verify your entry and then click OK.
  • In the Security dialog box, under Permissions, select ‘Enable Account’ and ‘Remote Enable’ for the user account.
  • Ensure the permissions propagate to all subnamespaces.
    • Under Security, Click Advanced and double click user/group to open properties
    • Select ‘This namespaces and subnamespaces’ to propagate permissions

Permission Settings

(Visited 932 times, 2 visits today)

Tagged: , , ,

Comments: 2

  1. GPickles October 8, 2017 at 7:03 pm Reply

    Hi. Thank you for this! I too was pulling my hair out. One variation I found that makes this process a bit easier is to replace the Configure DCOM section with simply adding the users/groups to the server’s local Distributed COM Users group. That plus the WMI security settings you outlined did the trick for me. Thanks again!

  2. Anjali Rajeev November 4, 2017 at 6:22 am Reply

    Hi, I can’t access remote machine whose user is not Administrator. Please help

    C:UsersAdministrator>wmic /node:192.168.2.215 cpu get loadpercentage
    Node – 192.168.2.215
    ERROR:
    Description = Access is denied.

Leave a Reply

Your email address will not be published. Required fields are marked *