Adrian,
I'm a bit surprised that the Everyone ACE was not in the ACL list of the WMI namespace-level security on the domain workstation(s). By default Everyone should be included with Enable Account, Execute Methods, and Provider Write on the local computer granted. What OS are they running? Is it possible that ACE was removed during system install?
Note that "Remote enable" permission must be granted if you want the group to execute WMI remotely, which I would not recommend for security reasons; remote WMI access should only be granted to administrators (which do have this privilege enabled by default) or to a separate group (say "helpdesk"). I don't think you can apply namespace security through a GPO, but I could be wrong; you may get better answers when you post to the WMI NG instead.
Willy.
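An audit for the setting Willy warns about, added here as an example and not code from the thread: it reads a WMI namespace DACL and reports allow ACEs that give Everyone, Anonymous Logon or Authenticated Users the Remote Enable right. The function names and the sample DACL are constructed for illustration; `GetSecurityDescriptor` on `__SystemSecurity` assumes Windows Vista/Server 2008 or later and Windows PowerShell.

```powershell
# Added example (not from the thread). Access-mask bit for "Remote Enable".
$WBEM_REMOTE_ACCESS = 0x20
# Well-known SIDs that should not hold Remote Enable on a namespace.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-WmiNamespaceDacl {
    param([string]$ComputerName = '.', [string]$Namespace = 'root\cimv2')
    # Read the namespace security descriptor from the __SystemSecurity singleton.
    $r = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
            -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($r.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($r.ReturnValue)" }
    $r.Descriptor.DACL
}

function Find-BroadRemoteEnableAce {
    param([Parameter(Mandatory)][object[]]$Dacl)
    foreach ($ace in $Dacl) {
        $sid      = $ace.Trustee.SIDString
        $isAllow  = ($ace.AceType -eq 0)   # 0 = access allowed, 1 = access denied
        $isRemote = (($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -ne 0)
        if ($sid -and $isAllow -and $isRemote -and $BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Trustee    = $BroadSids[$sid]
                Sid        = $sid
                AccessMask = '0x{0:X}' -f $ace.AccessMask
            }
        }
    }
}

# Constructed sample DACL: Everyone with the default local rights (0x13) plus
# Remote Enable (0x20), Administrators with full rights, Authenticated Users local only.
$sample = @(
    [pscustomobject]@{ AceType = 0; AccessMask = 0x33
                       Trustee = [pscustomobject]@{ SIDString = 'S-1-1-0' } }
    [pscustomobject]@{ AceType = 0; AccessMask = 0x6003F
                       Trustee = [pscustomobject]@{ SIDString = 'S-1-5-32-544' } }
    [pscustomobject]@{ AceType = 0; AccessMask = 0x13
                       Trustee = [pscustomobject]@{ SIDString = 'S-1-5-11' } }
)
Find-BroadRemoteEnableAce -Dacl $sample      # reports only the Everyone ACE

# On a live system, run elevated:
# Find-BroadRemoteEnableAce -Dacl (Get-WmiNamespaceDacl -Namespace 'root\cimv2')
```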
1. The security log on the workstation shows nothing.
2. I set up a share on the child domain server, and gave it default 'read'. I could see it and share it from the parent domain, no problem.
3. On the child domain workstation I ran computer man->Services and Controls->WMI Management locally and opened up root\cimv2 to everyone.
It worked! Thanks for the WMI Management tip!
However local changes are taboo. Is there some group policy where I can enable WMI for the whole child domain to a parent domain user/group?
And thanks for giving so much of your time. I hope this chain will be helpful to others.
Adrian
Ok, transitive trusts in an AD domain are two way by default. I would suggest you check the security log on the remote box; you also need to check the WMI security privileges.
What happens when you try to access a share on the same remote server?
Willy.
They are Windows 2003 domains with their own domain controllers. bb is a child domain of aa.
AD domains and trusts shows:
--aa.local
----bb.aa.local
Properties for aa.local->trusts
Domain Name    Trust    Transitive
bb.aa.local    Child    YES
??
thanks, Adrian
Are the two domains Windows domains? That is, do they have their own domain controller? What snap-in are you talking about?
Willy.
Willy,
I thought that as I created bb as a sub domain of aa (bb shows up as a sub tree item from aa in the SnapIns), a trust would be set up automatically. Do you have to set the trust manually and if so how?
Thanks, Adrian
Ok, I see you were talking about IP domains.
Now, Windows uses NetBIOS names to access the remote Windows resources, but this is no issue, WINS takes care of that.
What's important here is to know whether the remote systems are part of the same "Windows" domain or part of a domain with a two way trust with the client's domain. If there is no trust and both client and server belong to different Windows domains, you won't be able to authenticate the client, and the resource (here the WMI service) will be accessed as "anonymous", which has no access privileges, hence the "access denied". One solution is to create a trust between the Windows domains, another is to specify explicit credentials when connecting (see System.Management.ConnectionOptions).
Willy.
Willy,
Here's more data, I have a Console app that gets WMI serial number thus:
GetSerialNo \\xp1.aa.local\root\cimv2
= SUCCESS
GetSerialNo \\xp10.bb.aa.local\root\cimv2
= (Access denied)
bb is a sub domain of aa. I wish to get WMI data centrally, running the console app on aa, but the report serial numbers of computers on bb.
Is there a particular right for WMI to work from aa across to bb?
thanks in advance, Adrian
There are domains and trusted domains, what do you call a subdomain?
Anyway, your problem is due to a lack of access rights to the remote system, that is, the identity used to connect to the remote system is unknown or has no access to the WMI namespace you are connecting with.
Willy.
Hi,
I have successfully used a ManagementScope object to get WMI information about workstations on the current domain using "//xp10/root/cimv1". But if I make a request to a workstation on a sub-domain, the command fails to connect with "Access denied".
Do I need to alter the string somehow to include the sub domain name or could this be a rights issue?
Thanks in advance, Adrian