WMI ‘Access Denied ‘ on remote computer

In my current project, I would like to monitor windows 2008 servers remotely and planned to use WMI. While my code worked locally, I got ‘Access Denied’ error while trying to access Windows 2008 servers.

Although, I enabled DCOM remote activation, I still received error and close to pulling my hair. Finally, I figured that permissions are not propagated and was set only at root level, causing an issue.

For everyone’s benefit, I listed steps below to configure DCOM and WMI to monitor remote servers

Configure DCOM


 

  • On the server to be managed click Start, click Run, type dcomcnfg, and then click OK.
  • In the Component Services dialog box, expand Component Services, expand Computers, and then right-click My Computer and click Properties.
  • In the My Computer Properties dialog box, click the COM Security tab.

Dcom Properties

  • Under Launch and Activation Permissions, click Edit Limits.
  • In the Launch Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Launch and select Remote Activation, and then click OK.
  • Under Access Permissions, click Edit Limits.
  • In the Access Permission dialog box, select ‘Distributed COM Users‘. In the Allow column under Permissions for User, select Remote Access, and then click OK.
  • Add the user account to the Distributed COM Users Group in Computer Management, Local Users and Groups on the Server to be managed.
  • Add the user account to the Performance Log Users Group in Computer Management, Local Users and Groups on the Server to be managed.

Configure WMI


  • On the server to be managed click Start, click Run, type wmimgmt.msc, and then click OK.
  • In the console tree, right-click WMI Control, and then click Properties.
  • Click the Security tab.
  • Select the Root namespace and then click Security.
  • In the Security dialog box, click Add.
  • In the Select Users, Computers, or Groups dialog box, enter the user account. Click the Check Names button to verify your entry and then click OK.
  • In the Security dialog box, under Permissions, select ‘Enable Account’ and ‘Remote Enable’ for the user account.
  • Ensure the permissions propagate to all subnamespaces.
    • Under Security, Click Advanced and double click user/group to open properties
    • Select ‘This namespaces and subnamespaces’ to propagate permissions

Permission Settings

Tagged: , , ,

  • GPickles

    Hi. Thank you for this! I too was pulling my hair out. One variation I found that makes this process a bit easier is to replace the Configure DCOM section with simply adding the users/groups to the server’s local Distributed COM Users group. That plus the WMI security settings you outlined did the trick for me. Thanks again!

  • Anjali Rajeev

    Hi, I can’t access remote machine whose user is not Administrator. Please help

    C:UsersAdministrator>wmic /node:192.168.2.215 cpu get loadpercentage
    Node – 192.168.2.215
    ERROR:
    Description = Access is denied.