New-NlbCluster Access denied

2

This is a question and an answer at the same time, which I want to share with the community because a Google search for "New-NlbCluster : Access denied" did not bring any results.

Problem:

Starting from 15 Apr 2017, the PowerShell cmdlet New-NlbCluster started to give the error message "New-NlbCluster : Access denied" in our lab test environment, which tests installation and configuration of software that also includes creation of a new NLB cluster. The command did not work with the local administrator account either. Creating a new NLB cluster worked fine using the interactive GUI (Network Load Balancing).

Here is the exact command (but slightly masked) that failed:

Import-Module NetworkLoadBalancingClusters
try
{
   New-NlbCluster -ErrorAction:Stop -InterfaceName "Xxxxx" -ClusterPrimaryIP "172.17.2.74" -SubnetMask "255.255.255.0" -HostName XX-XX-XX-R1 -ClusterName "xx-xx-xx-r-p.xxxxxxxxxx.xx.xxx.com" -OperationMode multicast
}
catch
{
   echo $_.Exception | format-list -force
}

ErrorInformation : System.Management.ManagementBaseObject
ErrorCode        : AccessDenied
Message          : Access denied
Data             : {}
InnerException   :
TargetSite       : Void ThrowWithExtendedInfo(System.Management.ManagementStatus)
StackTrace       :    at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
                      at System.Management.ManagementObject.InvokeMethod(String methodName, ManagementBaseObject inParameters, InvokeMethodOptions options)
                      at Microsoft.NetworkLoadBalancingClusters.PowerShell.WMIHelper.SynchUpdateClusterConfigurationEx(String host, String adaptor, ManagementB
                   aseObject inParams)
                      at Microsoft.NetworkLoadBalancingClusters.PowerShell.NewNlbCluster.NlbProcessRecord()
                      at Microsoft.NetworkLoadBalancingClusters.PowerShell.NlbPSCmdlet.ProcessRecord()
                      at System.Management.Automation.CommandProcessor.ProcessRecord()
HelpLink         :
Source           : System.Management
HResult          : -2146233087

On 8 Apr 2017 it still worked. Possibly some Windows update triggered the error (there were 7 Windows updates in between). The same error occurred in all our test systems (4 in total), including Windows 2008 R2 and Windows 2012 R2 versions. All computers belong to the same lab domain.

I also tested it in a standalone virtual machine that does not belong to a domain, and there the command worked, even with the latest Windows updates. Our lab domain should not have any policy changes made, so I wonder what could cause this.

I troubleshot the problem for quite a while. I defined security logging for WMI activity, but the security log only displayed success messages for all operations. However, the WMI activity debug tracing (see https://blogs.technet.microsoft.com/askperf/2008/03/04/wmi-debug-logging/) was able to display the error:

Start IWbemServices::ExecMethod - root\MicrosoftNLB : NlbsNic::UpdateClusterConfigurationEx 0x80041003

However, this did not reveal any details about what caused the access violation. From c:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Include\WbemCli.h we see that WBEM_E_ACCESS_DENIED = 0x80041003.

Workaround:

I changed the script to run the command as the SYSTEM user account instead, and this helped. (Running the command under the SYSTEM account can be done, for example, by defining a Windows Scheduled Task, but I created a temporary service to run the command.)

What puzzles me even further is that I wrote a C++ program for creating the NLB cluster (by using WMI). This C++ program suffered the same Access Denied error even on the standalone computer, but the same workaround helped, i.e. when run under the SYSTEM account, the NLB cluster was successfully created.

powershell
wmi
nlb
asked on Server Fault Apr 24, 2017 by Jari Kulmala
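
The scheduled-task variant of the workaround mentioned in the question, as an added example that is not part of the original post: it runs the masked command once as SYSTEM, collects the result, and removes the task again. It assumes an elevated session on Windows Server 2012 or later (ScheduledTasks module); the task name, folder and file names are hypothetical placeholders.

```powershell
# Added example, not the poster's script. Task name and paths are placeholders.
$taskName   = 'NlbCreateAsSystem'
# Keep the script where only administrators and SYSTEM can write: whoever can
# edit this file before the task fires gets code execution as SYSTEM.
$workDir    = Join-Path $env:ProgramFiles 'NlbSetup'
$scriptPath = Join-Path $workDir 'New-Cluster.ps1'
$logFile    = Join-Path $workDir 'New-Cluster.log'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# The masked command from the question, writing its result or error to the log.
@'
$log = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'New-Cluster.log'
Import-Module NetworkLoadBalancingClusters
try {
    New-NlbCluster -ErrorAction Stop -InterfaceName "Xxxxx" -ClusterPrimaryIP "172.17.2.74" `
        -SubnetMask "255.255.255.0" -HostName XX-XX-XX-R1 `
        -ClusterName "xx-xx-xx-r-p.xxxxxxxxxx.xx.xxx.com" -OperationMode multicast |
        Out-File -FilePath $log
    exit 0
} catch {
    $_.Exception | Format-List -Force | Out-File -FilePath $log
    exit 1
}
'@ | Set-Content -Path $scriptPath -Encoding ASCII

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
try {
    Start-ScheduledTask -TaskName $taskName
    # Poll until the task returns to Ready, giving up after five minutes.
    $deadline = (Get-Date).AddMinutes(5)
    do { Start-Sleep -Seconds 2 } while (
        (Get-ScheduledTask -TaskName $taskName).State -ne 'Ready' -and (Get-Date) -lt $deadline)
    $rc = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
    if (Test-Path $logFile) { Get-Content $logFile }
    if ($rc -ne 0) { throw "New-NlbCluster as SYSTEM failed (task result $rc)" }
} finally {
    # Do not leave a SYSTEM task or its script behind after the one-time run.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    Remove-Item -Path $scriptPath -Force
}
```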

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0