Huge WMI / DCOM / Security problem..

Jonas Haggren

I have got into a huge WMI / DCOM / Security problem.

WMI is not working because I get "Access Denied".

I have tried to reset WMI by deleting the repository, but the
repository directory is not being recreated.
I tried registering all the .dll and .exe files again in the wbem
directory - no luck,
and tried reinstalling WMI - no luck there either (followed this:
http://windowsxp.mvps.org/repairwmi.htm)

When I run Gpresult or rsop I get "Access Denied, Unknown username or
password", even when I am logged in as Domain Admin.

rsop.msc gives me "Access Denied".

The errors I get in the event log are these:

Event ID: 1090 Source Userenv
Trying to connect to WMI failed

Event Source: WinMgmt
Event ID: 60
The description for Event ID ( 60 ) in Source ( WinMgmt ) could not be
found. It contains the following insertion string(s): 0x80041001.

Event Source: WinMgmt
Event ID: 43
The description for Event ID ( 43 ) in Source ( WinMgmt ) could not be
found. It contains the following insertion string(s): \\.\root\cimv2,
0x80070005.

Event Source: MRxSmb
Event ID: 3019

When I go to My Computer > Manage > WMI Control, right-click and choose
Properties, I get "Connecting to WMI" forever (or at least 1 hour); when
I press Cancel I get this error: "Can't connect to <local Computer>,
Win32:Access Denied"

I get this error on almost every computer in the domain. Is it because of a
faulty Group Policy setting or because of something I installed from
Microsoft *grin* ??

On computers where WMI is working I can't connect to another computer's
WMI, getting that everlasting timeout. :(..

Need help with this, because everything depending on WMI looks like it's not
working.. :(

Jonas Haggren
Sys Mgr.
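
Added example, not part of the original post: a short Python decoder for the two HRESULT values quoted in WinMgmt events 60 and 43 above. It splits each value into its facility and code fields, which shows which layer reported the failure; the sample text is constructed from the post's event lines, and the function names are this example's own.

```python
import re

# Names for the facility field and for the two codes quoted in the post.
FACILITY = {4: "FACILITY_ITF (interface-specific, here WMI)",
            7: "FACILITY_WIN32 (wrapped Win32 error)"}
KNOWN = {0x80041001: "WBEM_E_FAILED", 0x80070005: "E_ACCESSDENIED"}

# Constructed sample: the WinMgmt events 60 and 43 as quoted in the post.
SAMPLE = r"""
Event Source: WinMgmt
Event ID: 60
insertion string(s): 0x80041001.

Event Source: WinMgmt
Event ID: 43
insertion string(s): \\.\root\cimv2, 0x80070005.
"""

def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code."""
    return {"failure": bool((value >> 31) & 1),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def parse_events(text):
    """Return (event_id, namespace, hresult) for each blank-line-separated event."""
    found = []
    for block in re.split(r"\n\s*\n", text.strip()):
        eid = re.search(r"Event ID:\s*(\d+)", block)
        hres = re.search(r"0x[0-9A-Fa-f]{8}", block)
        ns = re.search(r"\\\\[^\s,]+", block)  # WMI namespace path, if logged
        if eid and hres:
            found.append((int(eid.group(1)),
                          ns.group(0) if ns else None,
                          int(hres.group(0), 16)))
    return found

def explain(text):
    """One summary line per event: which layer raised the error and what it is."""
    lines = []
    for eid, ns, hres in parse_events(text):
        f = decode_hresult(hres)
        lines.append("event %d: 0x%08X %s, %s, code 0x%04X%s" % (
            eid, hres, KNOWN.get(hres, "unknown"),
            FACILITY.get(f["facility"], "facility %d" % f["facility"]),
            f["code"], " on " + ns if ns else ""))
    return lines

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE)))
```

Event 43's code carries the Win32 facility with error 5 (access denied) against the root\cimv2 namespace, while event 60's code is WMI's own generic failure value.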
 
Jonas Haggren

Hi thanks for the answers.. I will answer your questions / suggestions
below..

/Jonas

Jason Tan (MSFT) said:
Dear Jonas,

Thanks for posting!

I understand that you received a WMI access denied error. If I have
misunderstood your concerns please feel free to let me know.

Before we go further please help to confirm the following information.

1. What happened before the issue occurred?

Don't know, I paid attention to the problem when I was trying to install
the SMS clients on the computers.

2. Are you using Windows 2K domain or Windows 2K3 domain? Are you using
Windows XP clients in the domain?

Windows 2K3 and Windows XP Clients
3. Do all the Windows XP clients experience the issue?

Yes, more or less. But all have problems with WMI.

I suggest you perform the following methods

Suggestion 1. Update DCs and clients to the latest version.

They are all updated. (Maybe too much, do you know any issues with the latest
SP and quickfixes?)

Suggestion 2. It could be that there is a problem with WMI on the machine.
You can try recreating some of the WMI files using the steps below:

1. Stop the Windows Management Instrumentation service.
2. Go to the %SystemRoot%\System32\Wbem\Repository folder.
3. Delete all of the files that are in the
%SystemRoot%\System32\Wbem\Repository folder.
4. Restart the computer. The files that were deleted are recreated when the
computer restarts.
The Windows Management Instrumentation service will start automatically
when you restart the computer.

More information for your reference:

875605 How to troubleshoot WMI-related issues in Windows XP SP2
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;875605>

The repository is NOT BEING RECREATED, the folder is still empty after
restarting the computer..
I don't get anything in the event log either about the problem. The events I
get are these:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3019
Date: 2006-02-15
Time: 11:25:07
User: N/A
Computer: PC770
Description:
Omdirigeraren kan inte avgöra vilken typ av anslutning det är.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 2006-02-15
Time: 11:24:37
User: N/A
Computer: PC770
Description:
Datorn kunde inte förnya adressen från nätverket (från DHCP-servern) för
nätverkskortet med nätverksadressen 00123F2B3311. Följande fel uppstod:
Åtgärden avbröts av användaren. Datorn kommer att fortsätta försöka erhålla
en ny adress själv från DHCP-servern.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1090
Date: 2006-02-15
Time: 11:25:07
User: SYSTEM
Computer: PC770
Description:
Det gick inte att logga sessionsstatus för Gällande principuppsättning. Ett
försök att ansluta till WMI misslyckades. Ingen mer loggning för Gällande
principuppsättning kommer att göras den här gången principen tillämpas.

Event Type: Audit Failure
Event Source: Security
Event Category: Detaljerad spårning
Event ID: 861
Date: 2006-02-13
Time: 18:29:05
User: SYSTEM
Computer: PC770
Description:
Windows-brandväggen upptäckte att ett program lyssnar efter inkommande
trafik.

Namn: -
Sökväg: C:\WINDOWS\system32\lsass.exe
Processidentifierare: 712
Användarens konto: SYSTEM
Användarens domän: NT INSTANS
Tjänst: Ja
RPC-server: Nej
IP-version: IPv4
IP-protokoll: UDP
Portnummer: 1208
Tilläts: Nej
Användaren meddelades: Nej

I just noticed that the Windows Firewall on the client is broken somehow
(it is shut down but the service is running). If I go to the Control Panel >
Windows Firewall > Advanced, it tells me that the network is broken, and I
can fix it by pushing the button "Default Settings", but it does not help
to push that button..

Something seems to be awfully wrong.. And it seems to come from a faulty GP
somewhere that breaks every computer..

Needing more help to find the
/Jonas
 
