Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection
From: Anthony LaMark (anthony_at_eXcSoftware.com)
Date: 08/17/04
- In reply to: Ivan Brugiolo [MSFT]: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Next in thread: Roger Abell [MVP]: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
- Reply: Roger Abell [MVP]: "Re: W2K/WMI service (WinMgmt.exe) accessing an ODBC connection"
Date: Tue, 17 Aug 2004 07:09:42 -0700
Hi,
Thank you for these suggestions:
Solution 1 would cause a lot of "development" reworking so for now I would
like to pursue your second solution.
The problem I have now is in modifying the ODBC connection. The ODBC
configuration dialog allows me to select either:
"With Windows NT authentication using the network login ID" or
"With SQL Server authentication using a login ID and password entered by
the user"
If I use "With Windows NT authentication using the network login ID", how
can I get the ODBC to use the computer's security principal since the ODBC
configuration dialog does not allow me to specify the user? Given that,
won't the ODBC connection use the LocalSystem account since that is what WMI
is running as [i.e. the original problem]?
If I use "With SQL Server authentication using a login ID and password
entered by the user", how can I (doing the ODBC connection configuration)
and the SQL sys. admin (specifying the computer principal as a valid user
for the database instance) know the password of the computer's security
principal?
Thanks in advance.
"Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
news:u4Ohi76gEHA.384@TK2MSFTNGP10.phx.gbl...
> WinMgmt was never tested in an account other than LocalSystem,
> and your mileage in running it as a different account can vary.
> [BTW, in Win2000-SP4, the ability to run the WinMgmt.exe process
> as a standalone DCOM server has been removed to avoid these problems].
>
> For your problem, there are conceptually 2 solutions:
> - make the Event-Provider a standalone provider,
> and run that standalone DCOM component in a service (already suggested).
> - enable Mixed-Mode or Windows Authentication in the SQL server,
> be sure you have a Kerberos authentication infrastructure in place,
> and use the machine account (MachineName$)
> as the account who performs the query.
>
> Starting Win2000, the machine accounts are security principals,
> and they can be treated as such.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Anthony LaMark" <anthony@eXcSoftware.com> wrote in message
> news:eT0MZqZgEHA.596@TK2MSFTNGP11.phx.gbl...
> > Hi All,
> >
> > I have a WMI Event Provider (hosted by WinMgmt since it is on Windows 2000)
> > which spawns another process (cmd.exe which invokes cscript.exe [i.e. a
> > JScript]). This spawned process needs to open an ODBC connection to a SQL
> > server on another computer in the network. WMI is currently running as
> > (i.e. "Log on As") LocalSystem (again this is W2K). I tried to change the
> > "Log on As" to a local system account that has the proper privileges to the
> > ODBC connection. I verified that this account had the "Log on as a service"
> > local policy. When I try to start WMI using the new account though it fails
> > to start. The event log did not offer any clues. Does anyone have any
> > thoughts on:
> > 1. What might be making WMI fail to start when it is changed from
> > LocalSystem to another user account (do I need to change something in
> > dcomcfg?)
> > 2. If WMI has any dependency services and if so, do they need to be changed
> > to the other user account as well?
> > 3. What security auditing can I enable to troubleshoot this type of
> > problem?
> >
> > Thanks in advance,
> >
> > Anthony LaMark
> > eXc Software
> >
> >
>
>
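Added example, not part of the original thread: the SQL Server side of the second suggestion quoted above, giving the machine account a Windows-authenticated login with read access to a single table. With the DSN set to "With Windows NT authentication", a process running as LocalSystem on a domain member authenticates to the network as the computer account, so no password is entered on either side. CONTOSO, WMIHOST, EventDb and dbo.EventLog are placeholder names.

```sql
-- Added example. CONTOSO (domain), WMIHOST (computer running WinMgmt),
-- EventDb and dbo.EventLog are placeholders; substitute your own names.
-- Run as a SQL Server administrator on the database server.

-- 1. Allow the computer account to log in with Windows authentication.
--    A machine account is written DOMAIN\MachineName$; no password is
--    stored in SQL Server or in the DSN, the domain vouches for it.
--    (Newer SQL Server versions use CREATE LOGIN ... FROM WINDOWS instead.)
EXEC sp_grantlogin 'CONTOSO\WMIHOST$'

-- 2. Map that login to a user in the one database the script queries.
USE EventDb
EXEC sp_grantdbaccess 'CONTOSO\WMIHOST$', 'WMIHOST$'

-- 3. Grant only what the spawned script needs. Every process running as
--    LocalSystem on WMIHOST connects as this same principal, so keep the
--    grant as narrow as the query allows and avoid fixed server roles.
GRANT SELECT ON dbo.EventLog TO [WMIHOST$]

-- 4. Check from the script's own ODBC connection which login the server
--    authenticated for that session.
SELECT SUSER_SNAME() AS connected_as

-- 5. Check from the server side which sessions are using the machine
--    login, and from which host and program they come.
SELECT spid, hostname, program_name, nt_domain, nt_username
FROM master.dbo.sysprocesses
WHERE loginame = 'CONTOSO\WMIHOST$'
```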