In my current project, I would like to monitor windows 2008 servers remotely and planned to use WMI. While my code worked locally, I got ‘Access Denied’ error while trying to access Windows 2008 servers.
Although, I enabled DCOM remote activation, I still received error and close to pulling my hair. Finally, I figured that permissions are not propagated and was set only at root level, causing an issue.
For everyone’s benefit, I listed steps below to configure DCOM and WMI to monitor remote servers
- On the server to be managed click Start, click Run, type dcomcnfg, and then click OK.
- In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
- In the My Computer Properties dialog box, click the COM Security tab.
- Under Launch and Activation Permissions, click Edit Limits.
- In the Launch Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
- Under Access Permissions, click Edit Limits.
- In the Access Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Access, and then click OK.
- Add the user account to the Distributed COM Users Group in Computer Management, Local Users and Groups on the Server to be managed.
- Add the user account to the Performance Log Users Group in Computer Management, Local Users and Groups on the Server to be managed.
- On the server to be managed click Start, click Run, type wmimgmt.msc, and then click OK.
- In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
- Select the Root namespace and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the user account. Click the Check Names button to verify your entry and then click OK.
- In the Security dialog box, under Permissions, select ‘Enable Account’ and ‘Remote Enable’ for the user account.
- Ensure the permissions propagate to all subnamespaces.
- Under Security, Click Advanced and double click user/group to open properties
- Select ‘This namespaces and subnamespaces’ to propagate permissions