I just did a clean install of Windows Server 2008 R2 (x64). I have an application that talks to the server using Remote DCOM communication and queries some WMI objects.
All is good while I use the Administrator login to do the WMI comm.
It just doesn't seem to work when I add a new user to the Administrator group (by selecting the user to be Admin in the new-user creation GUI). I have provided the DCOM remote access permissions to the user (using http://jintegra.intrinsyc.com/support/com/doc/remoteaccess.html), and WMI access permissions as well (using http://www.poweradmin.com/help/enableWMI.aspx).
I have also found the renegade registry key on Server 2008 R2 and made the newly created user the owner and granted all rights (using http://www.opennms.org/wiki/WmiConfiguration#Windows_2008_R2).
Even then, when I try to connect, I cannot go through all the way. I know this because I looked at the Windows security logs and I could see successful Credential Validation, Special Logon and Logon events.
But I am just unable to proceed further. I get the error "could not connect to the host" and then I get logged off (found from the security logs).
I don't even know which service is not allowing me access. Has someone dealt with this issue before? If you have a quick answer, that would be great, otherwise, please tell me how to read the security logs or some other log properly to find out which service is denying me access.
Also, all 3 firewalls (Domain/Public/Private) are turned off.
Thanks very much!!
Best Answer
You may also need to set the ACLs for the object you are trying to query. See http://msdn.microsoft.com/en-us/library/aa374872%28v=vs.85%29.aspx
I've had to do this in the past for access to MS services, event logs, etc.
EDIT:
In a nutshell, you may need to set ACLs for the WMI objects you are trying to access, using an administrative account, before you can access them via an unprivileged account.
This is how I set it up in our environment:
Configure DCOM
Configure WMI
Much of the above can be done (automated) using group policies.
Now, to set the ACLs for services, you can do something like:
... to get the ACL for the service manager. This will take care of access to most Windows services. You'll then want to add an ACL for the user account from above, which will look something like the following:
... where the bold part is the UID of the user account making the request.
Event logs work a bit differently, but you can use 'wevtutil' to set ACLs on them. Other objects may have different ways to set them as well.
Troubleshoot incrementally, first get queries working locally with your user account, then get them working remotely.
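The following PowerShell script is an added example and is not code from the answer above or from the linked pages. It walks the answer's advice in order: a local WMI query, the same query remotely as the new account, the Service Control Manager security descriptor as shown by `sc sdshow` (the SID is the part the answer refers to as the bold UID), and finally the Security and System log entries that show where a denied connection stopped. The host name SRV01 and the account SRV01\wmiuser are placeholders, and the ACE rights CCLCRPRC (connect, enumerate, query status, read control) are chosen here as a typical read-only service ACE, not taken from the thread.

```powershell
# Added example (not from the original thread). Placeholders: SRV01, SRV01\wmiuser.
# Run from an elevated PowerShell session on the server (or a host that can reach it).
param(
    [string]$ComputerName = 'SRV01',          # placeholder host name
    [string]$UserName     = 'SRV01\wmiuser',  # placeholder test account
    [switch]$Apply                            # only rewrite the SCM DACL when explicitly asked
)

# Run one WMI query, locally or remotely, and report success or the exact error text.
function Test-WmiAccess {
    param([string]$Computer, [System.Management.Automation.PSCredential]$Credential)
    $wmiArgs = @{ Namespace = 'root\cimv2'; Class = 'Win32_OperatingSystem'; ErrorAction = 'Stop' }
    if ($Computer)   { $wmiArgs.ComputerName = $Computer }
    if ($Credential) { $wmiArgs.Credential   = $Credential }
    try {
        $os = Get-WmiObject @wmiArgs
        "OK  : $($os.CSName) $($os.Caption)"
    } catch {
        "FAIL: $($_.Exception.Message)"
    }
}

# Step 1: local query in the current session (log on as the test account for this step).
Test-WmiAccess

# Step 2: the same query remotely as the test account. Get-WmiObject refuses -Credential
# for the local machine, so run this part from a second host pointed at the server.
$cred = Get-Credential $UserName
Test-WmiAccess -Computer $ComputerName -Credential $cred

# Step 3: Service Control Manager DACL. Service ACLs are SDDL strings keyed by SID.
$sid  = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = sc.exe sdshow scmanager | Where-Object { $_ -match '^\s*D:' }
if (-not $sddl) { throw 'sc sdshow scmanager returned no security descriptor' }
$sddl = $sddl.Trim()
Write-Host "Current SCM SDDL : $sddl"

if ($sddl -match [regex]::Escape($sid)) {
    Write-Host "$UserName ($sid) already has an ACE on the SCM"
} else {
    # Example ACE (assumption, not from the thread): allow read-only SCM access for the SID.
    $ace   = "(A;;CCLCRPRC;;;$sid)"
    # Keep the SACL ("S:...") after the DACL; the new ACE must sit inside the D: section.
    $parts = $sddl -split '(?=S:)', 2
    $newSddl = $parts[0] + $ace + $(if ($parts.Count -gt 1) { $parts[1] } else { '' })
    Write-Host "Proposed SCM SDDL: $newSddl"
    if ($Apply) { sc.exe sdset scmanager $newSddl }
}

# Step 4: read the logs the question mentions. Security 4624/4625/4634 show the logon,
# failed logon and logoff for the account; System 10016 from DistributedCOM is the entry
# written when application-specific Launch/Activation permissions deny a caller.
$since   = (Get-Date).AddHours(-1)
$account = ($UserName -split '\\')[-1]
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($account) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM';
                                 Id = 10016; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

The script only prints the proposed security descriptor unless `-Apply` is passed, so the current SDDL can be saved from the first run and restored with `sc sdset scmanager` if the change does not help. Reading the DCOM 10016 entry is usually the quickest way to learn which COM server is refusing the account, since it names the application and the missing permission directly.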