What is the workaround for WMI remote connection failure with Access Denied error when client runs with Local System account?

3

What is the workaround for WMI remote connection failure with Access Denied error when client runs with Local System account?

I tried to run script under local system account on the client which connects to remote WMI (namespace: root\cimv2) using local administrator credentials of remote machine. But WMI connection failed with the following error. The remote server has firewall enabled and client has firewall disabled. Both client and remote server has windows 2012 R2 OS.

Access is denied.

Win32::OLE(0.1709) error 0x80070005: "Access is denied"

What could be the reason for this error? The same script worked when ran from another client machine.

windows
networking
security
wmi
asked on Server Fault Jun 22, 2014 by user23996

2 Answers

7

http://msdn.microsoft.com/en-us/library/aa826699(v=vs.85).aspx

refer to above link.

solution: To solve the problem, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

reason: "In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user"

answered on Server Fault Jul 16, 2014 by Alan Lau • edited Jul 16, 2014 by Alan Lau
1

When you get an Access is denied. [0x00000005] error, apply the following patch to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • create or modify 32-bit DWORD: LocalAccountTokenFilterPolicy
  • set the value to: 1

Windows Server 2012 (64bit) To connect to Windows Server 2012, Change Permission for following registry key to Full Control:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • HKEY_CLASSES_ROOT\CLSID{76A64158-CB41-11D1-8B02-00600806D9B6}

    1. Launch regedit (as Administrator)
    2. Find (Ctrl+F) the following registry key: {72C24DD5-D70A-438B-8A42-98424B88AFB8} in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\
    3. Right click and select 'Permissions'
    4. Change owner to administrators group (Advanced...).
    5. Change permissions for administrators group. Grant Full Control.
    6. Change owner back to TrustedInstaller (user is NT Service\TrustedInstaller on local machine)
    7. Repeat the steps 1-6 for HKEY_CLASSES_ROOT\CLSID{76A64158-CB41-11D1-8B02-00600806D9B6}
    8. Restart Remote Registry Service (Administrative Tools / Services) If the service is not starting (both from Jenkins or manually), check that you have the .NET Framework 3.5 SP1 installed.

Follow these steps if you encounter errors during the installation of the Framework: https://stackoverflow.com/questions/14192244/offline-installer-for-net-3-5-sp1-not-working

answered on Server Fault Jul 6, 2015 by akash vekhande • edited Jul 6, 2015 by sebix

User contributions licensed under CC BY-SA 3.0