User rights for WMI access

Posted: 04-08-2005, 01:00 PM
Hi,

I would like to know what are the minimum user rights to perform a
remote WMI query in a Windows domain (in Windows 2000 and Windows XP).
I have been looking for a document listing the rights but I haven't found any
good answer. When I use an administrator profile WMI works but when
using a lower profile the query sometimes works but sometimes I get an
"Access denied" error message. We have already configured the
appropriate user permissions on wmimgmt.msc but we continue with the same
error.

So, what are the minimum rights to configure for the network User?
Where should I define these settings (using Active Directory or the
"Local Security settings" in secpol.msc)? Does some official Windows
document exist explaining what is needed exactly?

Thanks in advance,

Jordi

Responses to "User rights for WMI access"

Scott McNairy (MVP)
Re: User rights for WMI access
Posted: 04-11-2005, 09:54 PM
See this link, however to help further a WMI class name would be helpful and
any relevant source code you can provide as well. Often times these issues
are client permissions related, so even if a client has access to a
namespace additional permissions may be required, having the class name that
the user is having trouble with will help us narrow it down.

http://www.microsoft.com/technet/scr...ifaq.mspx#EFAA

Thanks

--
Scott McNairy
Microsoft MVP - Windows Server Management Infrastructure
"tango" <tango@newsgroup.nospam> wrote in message
news:%23nc4IKDPFHA.2604@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> I would like to know what are the minimum user rights to perform a remote
> WMI query in a Windows domain (in Windows 2000 and Windows XP). I have
> been looking for a document listing the rights but I haven't found any good
> answer. When I use an administrator profile WMI works but when using a
> lower profile the query sometimes works but sometimes I get an "Access
> denied" error message. We have already configured the appropriate user
> permissions on wmimgmt.msc but we continue with the same error.
>
> So, what are the minimum rights to configure for the network User? Where
> should I define these settings (using Active Directory or the "Local
> Security settings" in secpol.msc)? Does some official Windows
> document exist explaining what is needed exactly?
>
> Thanks in advance,
>
> Jordi

tango
Re: User rights for WMI access
Posted: 04-13-2005, 08:51 AM
Scott McNairy (MVP) wrote:
> See this link, however to help further a WMI class name would be helpful and
> any relevant source code you can provide as well. Often times these issues
> are client permissions related, so even if a client has access to a
> namespace additional permissions may be required, having the class name that
> the user is having trouble with will help us narrow it down.
>
> http://www.microsoft.com/technet/scr...ifaq.mspx#EFAA
>
> Thanks
>
Thank you for your answer, we have checked the link you gave us in your
response, and we are now sure we have already correctly configured
namespace permissions.

Our application performs queries to operating system classes (such as
win32_process, win32_service, win32_operatingsystem,
win32_computersystem, and some more) and performance classes (such as
win32_perfrawdata_perfos_processor, win32_perfrawdata_perfos_memory,
win32_perfrawdata_perfproc_process), all in root/cimv2 namespace.

We know a "local administrator" user can perform these queries, but we
don't like to use administrator due to security risks. We have searched
on the Internet and we have not found any information that permits us to
create a harmless user with enough permissions to perform these queries.

Anytime we have detected an "Access denied" error with our application
we have tried the same WMI query using wbemtest.exe and both
applications have the same behaviour (access denied), so we understand
there is not a problem with our application but a problem with user rights.

Thanks

Scott McNairy (MVP)
Re: User rights for WMI access
Posted: 04-13-2005, 06:29 PM
Your user account should only require "Remote Enable" and "Enable Account"
security settings on the namespace to be able to read data, you can verify
these settings in winmgmt.msc.

Can you post the section of code where you do the connection to the
root\cimv2 namespace? Sometimes a common error that causes this problem is
specifying the user name without the domain\user format or the computer\user
format, sometimes users just specify the "user" and this error can result.

--
Scott McNairy
Microsoft MVP - Windows Server Management Infrastructure


"tango" <tango@newsgroup.nospam> wrote in message
news:425CCF9B.8000207@newsgroup.nospam...
> Scott McNairy (MVP) wrote:
>> See this link, however to help further a WMI class name would be helpful
>> and any relevant source code you can provide as well. Often times these
>> issues are client permissions related, so even if a client has access to
>> a namespace additional permissions may be required, having the class name
>> that the user is having trouble with will help us narrow it down.
>>
>> http://www.microsoft.com/technet/scr...ifaq.mspx#EFAA
>>
>> Thanks
>>
>
> Thank you for your answer, we have checked the link you gave us in your
> response, and we are now sure we have already correctly configured
> namespace permissions.
>
> Our application performs queries to operating system classes (such as
> win32_process, win32_service, win32_operatingsystem, win32_computersystem,
> and some more) and performance classes (such as
> win32_perfrawdata_perfos_processor, win32_perfrawdata_perfos_memory,
> win32_perfrawdata_perfproc_process), all in root/cimv2 namespace.
>
> We know a "local administrator" user can perform these queries, but we
> don't like to use administrator due to security risks. We have searched on
> the Internet and we have not found any information that permits us to create a
> harmless user with enough permissions to perform these queries.
>
> Anytime we have detected an "Access denied" error with our application we
> have tried the same WMI query using wbemtest.exe and both applications
> have the same behaviour (access denied), so we understand there is not a
> problem with our application but a problem with user rights.
>
> Thanks

tango
Re: User rights for WMI access
Posted: 04-19-2005, 04:58 PM
Scott McNairy (MVP) wrote:
> Your user account should only require "Remote Enable" and "Enable Account"
> security settings on the namespace to be able to read data, you can verify
> these settings in winmgmt.msc.
>
> Can you post the section of code where you do the connection to the
> root\cimv2 namespace? Sometimes a common error that causes this problem is
> specifying the user name without the domain\user format or the computer\user
> format, sometimes users just specify the "user" and this error can result.
>
Hi,

We had already configured root\cimv2 namespace with "remote enable",
"enable account". This configuration is enough in some systems to
retrieve all the information we are interested in. But we have problems
in one Windows 2003 system retrieving performance information, but
queries to win32_process, win32_service and win32_operatingsystem work
properly.

In one of our customer's headquarters, we have detected the opposite
problem: performance classes work correctly while win32_logicaldisk,
win32_process and win32_service don't work.

We have tried wbemtest and in all cases we get the same results (when
the WMI query works/fails the behaviour is the same with our application
and with wbemtest). The error code we get is always the same: 80041003
(access denied). We always use a non administrative domain user.
Everything starts working correctly when we change to any user in domain
admin group. Is there any security policy that can be responsible for
this behaviour?

Perhaps this text found in Framework.log while performing a query that
returns the "access denied" code explains what is happening but we
haven't found anything useful on the Internet about it...

Shell Name Explorer.exe in Registry not found in process list. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.156]
Unable to locate Shell Process, Impersonation failed. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.168]

Thank you

Scott McNairy (MVP)
Re: User rights for WMI access
Posted: 04-20-2005, 12:33 AM
Can I ask you what specifically you are doing with the Win32_Process,
Win32_LogicalDisk, and Win32_Service classes when this error occurs? Client
side code samples would be nice, or at least some information about what
specifically you are doing with the classes. Puts, or delete operations
etc. Or just read operations.

As for the perf problem, try to do a "winmgmt.exe /resyncperf" on the
command line of the troubling machine and see if that helps fix the problem.

--
Scott McNairy
Microsoft MVP - Windows Server Management Infrastructure


"tango" <tango@newsgroup.nospam> wrote in message
news:42652AB7.80004@newsgroup.nospam...
> Scott McNairy (MVP) wrote:
>> Your user account should only require "Remote Enable" and "Enable
>> Account" security settings on the namespace to be able to read data, you
>> can verify these settings in winmgmt.msc.
>>
>> Can you post the section of code where you do the connection to the
>> root\cimv2 namespace? Sometimes a common error that causes this problem
>> is specifying the user name without the domain\user format or the
>> computer\user format, sometimes users just specify the "user" and this
>> error can result.
>>
> Hi,
>
> We had already configured root\cimv2 namespace with "remote enable",
> "enable account". This configuration is enough in some systems to retrieve
> all the information we are interested in. But we have problems in one
> Windows 2003 system retrieving performance information, but queries to
> win32_process, win32_service and win32_operatingsystem work properly.
>
> In one of our customer's headquarters, we have detected the opposite
> problem: performance classes work correctly while win32_logicaldisk,
> win32_process and win32_service don't work.
>
> We have tried wbemtest and in all cases we get the same results (when the
> WMI query works/fails the behaviour is the same with our application and
> with wbemtest). The error code we get is always the same: 80041003 (access
> denied). We always use a non administrative domain user. Everything starts
> working correctly when we change to any user in domain admin group. Is
> there any security policy that can be responsible for this behaviour?
>
> Perhaps this text found in Framework.log while performing a query that
> returns the "access denied" code explains what is happening but we haven't
> found anything useful on the Internet about it...
>
> Shell Name Explorer.exe in Registry not found in process list. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.156]
> Unable to locate Shell Process, Impersonation failed. 04/19/2005 16:13:06.044 thread:3156 [d:\srv03rtm\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.168]
>
> Thank you

tango
Re: User rights for WMI access
Posted: 05-26-2005, 11:47 AM
Hi,

Sorry for not responding in such a long time, we have been working hard ...
It seems that we have fixed the problem. What was confusing to us was
the different behaviour of the same configuration on different systems.

The privileges you told us to activate (remote enable and enable
account) work in our PCs only on Windows 2000, Windows XP SP1 and
Windows 2003 without any service pack installed. In later versions (XP
SP2 and 2003 SP1) every time we tried to connect using a non
administrative user profile the query failed with access denied
(0x80070005) error.

This error code indicates that the user cannot use the provider on the remote
system (this error belongs to DCOM). By using dcomcnfg.exe we have been
able to give the user access and launch rights by default to any DCOM
application (these privileges can be given only to Windows Management
Instrumentation to reduce security risks).

Thanks for your help


Scott McNairy (MVP) wrote:
> Can I ask you what specifically you are doing with the Win32_Process,
> Win32_LogicalDisk, and Win32_Service classes when this error occurs? Client
> side code samples would be nice, or at least some information about what
> specifically you are doing with the classes. Puts, or delete operations
> etc. Or just read operations.
>
> As for the perf problem, try to do a "winmgmt.exe /resyncperf" on the
> command line of the troubling machine and see if that helps fix the problem.
>
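
The thread ends with two separate permission layers gating a remote WMI read: the namespace ACL ("Enable Account", "Remote Enable") and the DCOM launch/access permissions edited with dcomcnfg.exe. The script below is an added example, not code from any poster, that lists both ACLs so a least-privilege account can be checked against them; it assumes Windows PowerShell 5.1 run elevated on the queried machine, and it reads only the machine-wide DCOM values, not the per-application settings for Windows Management Instrumentation.

```powershell
# Added example: read-only audit of the two permission layers from this thread.
# Assumes Windows PowerShell 5.1, run elevated on the machine being queried.
param([string]$Namespace = 'root\cimv2')

# WMI namespace access-mask bits, named as in the WMI Control security dialog.
$wmiRights = @{
    0x1 = 'Enable Account'; 0x2 = 'Execute Methods'; 0x4 = 'Full Write'
    0x8 = 'Partial Write'; 0x10 = 'Provider Write'; 0x20 = 'Remote Enable'
    0x20000 = 'Read Security'; 0x40000 = 'Edit Security'
}
# COM_RIGHTS_* bits in DCOM descriptors (Local/Remote mean launch or access,
# depending on which descriptor is being decoded).
$comRights = @{
    0x1 = 'Execute'; 0x2 = 'Local'; 0x4 = 'Remote'
    0x8 = 'Local Activation'; 0x10 = 'Remote Activation'
}

# Decode a binary security descriptor and emit one object per ACE.
function Show-Dacl([byte[]]$Bytes, [hashtable]$Names, [string]$Layer) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # SID that cannot be resolved: show it raw
        $mask = $ace.AccessMask
        $rights = $Names.Keys | Sort-Object | Where-Object { $mask -band $_ } |
            ForEach-Object { $Names[$_] }
        [pscustomobject]@{
            Layer = $Layer; Account = $who; Type = $ace.AceType
            Rights = $rights -join ', '
        }
    }
}

# Layer 1: WMI namespace ACL. __SystemSecurity.GetSD returns it as a byte array.
$r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSD
if ($r.ReturnValue -eq 0) { Show-Dacl ($r.SD) $wmiRights "WMI $Namespace" }
else { Write-Warning "GetSD failed with code $($r.ReturnValue)" }

# Layer 2: machine-wide DCOM defaults and limits, the values dcomcnfg.exe edits.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in 'DefaultLaunchPermission', 'DefaultAccessPermission',
                  'MachineLaunchRestriction', 'MachineAccessRestriction') {
    if ($ole.$name) { Show-Dacl ($ole.$name) $comRights "DCOM $name" }
    else { Write-Warning "$name is not set in the registry" }
}
```

An account that shows "Enable Account, Remote Enable" in the WMI layer but has no "Remote" or "Remote Activation" entry in the DCOM layer matches the 0x80070005 case described in the last post.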