RE: Access Denied when running RSoP

Tech-Archive recommends: Fix windows errors by optimizing your registry

Thank you for your thorough follow-up.

Regarding your double-check: Yes, I can run RSOP locally on the SBS server
itself, selecting “This computer” or typing in the name of the server.
It’s also possible to run RSOP on an XP PC to any other PC in the domain,
even to a Windows 2003 Terminal Server, but not to the SBS Server (again
“access denied”). The SBS Server itself can only RSOP itself, not other PCs
or servers.

I did the checks you asked for:

1. Remote registry is running on all machines

2.1 The WMI property pages appear OK, the versions are correct on both the
XP machine and the SBS Server

2.2 Trying to connect from the SBS Server to the PC: Failed to connect to
\\pc-name, because: “Win32: Access is denied”. Trying to connect from the PC
to the SBS Server (with or without changing user credentials to
administrator): keeps displaying the message “Connecting to WMI”, after
cancelling: the same Access Denied message.
Trying to connect from my PC to another PC: works fine!

3.1 Default Launch permissions are OK on both machines. Default Access
Permissions as well, however the SYSTEM account has no “Remote Access”
privileges. Have tried it with this privilege enabled, no result. Deleted the
DefaultAccessPermission key, the default seems to be that SYSTEM does not
need this “Remote Access” privilege. In the Default Launch Permissions the
users INTERACTIVE and SYSTEM do not have the Remote Launch and Remote
Activation privileges on SBS, where they do have these privileges on the XP
machine. Tries to switch them on, no result. I looked also on the Default
Properties pages on both machines. On SBS the “Enable Distributed COM on this
computer” was off, on the XP machine it’s on. Enabled the option on SBS,
still no result.

3.2 All default WMI DCOM settings are ok.

I’m already out of options for a long time, hope you are not…..

Regards,

Ad.

Thank you for your thorough

""Brandy Nee [MSFT]"" wrote:

> Dear Customer,
>
> Thank you for posting back!
>
> I need to double check: Can you run RSOP on SBS Server? I mean when you
> running the Group Policy Results Wizard, if you select "This computer"
> (i.e. SBS Server), will you reproduce the issue?
>
> I have performed a lot of research on this issue and discussed with
> colleagues. Based on my research, this issue can be caused by WMI, DCOM and
> Remote Registry. So please take your time to check these settings on
> problematic computers.
>
> 1> Check whether the Remote Registry service is stopped. Please start the
> Remote Registry service and check the issue again. To do so, follow the
> steps below:
>
> A. Click Start -> Run, type "services.msc", and then press Enter.
> B. Double-click Remote Registry.
> C. On the General tab, click Start.
> D. Select "Automatic" in the Startup type box.
> E. Click OK.
>
> 2> Test WMI (Windows Management Instrumentation).
>
> 1. Testing Local WMI Service.
>
> a. Click Start, click Run, type wmimgmt.msc, and then click OK.
> b. Right-click WMI Control (Local), and then click Properties.
> c. If the WMI service is configured correctly, the WMI Control will connect
> to WMI and display the Properties dialog box. On the General tab, you
> should see information about the operating system and the version of WMI.
>
> Starting with Microsoft Windows XP, the version of WMI should match the
> build version of the operating system. For example, in Windows XP, the WMI
> version is "2600.0000," and in Microsoft Windows Server 2003, the WMI
> version is "3790.000." The version of WMI in Microsoft Windows 2000 is
> "1085.0005." In versions of Windows earlier than Windows 2000, WMI was an
> installable component. The two most common distributions were v1.1 (build
> 698) and v1.5 (build 1085).
>
> 2. Testing Remote WMI Service.
>
> a. Click Start, click Run, type wmimgmt.msc, and then click OK.
> b. Right-click WMI Control (Local), and then click Connect to another
> computer.
> c. Click Another computer, and then enter the name of the remote computer.
> d. If you have to provide user credentials, click Change.
> e. Click OK.
> f. Right-click WMI Control (remote system name), and then click Properties.
>
> If you cannot connect to WMI on a remote computer, the first thing to do is
> test the WMI service locally on both of the computers (local and remote).
>
> 3> Test DCOM.
>
> 1. Windows Management Instrumentation (WMI) is built on the DCOM. Any
> modifications to the default COM security can cause many problems. We use
> DCOMCNFG to verify that the default COM security settings are configured
> correctly. To do so,
>
> In Windows XP and Windows Server 2003:
>
> a. Click Start, click Run, type dcomcnfg, and then click OK.
> b. Expand the Component Services node.
> c. Expand the Computers node.
> d. Right-click the My Computer node, and then click Properties.
> e. Click the [Default] COM Security tab.
> f. Under Default Launch Permissions, make sure that at least INTERACTIVE,
> SYSTEM, and Administrators are set to Allow Launch.
> g. Make sure that the Default Access Permissions lists only the following
> accounts.
>
> Windows XP SP2 and Windows Server 2003: SELF, and SYSTEM.
>
> h. If these Access Permissions settings have been modified, make sure that
> at least INTERACTIVE, SYSTEM, and Administrators have been explicitly
> granted Access Permission. Alternatively, you can export (for backup) and
> then delete the following registry key to restore the original default
> values:
>
> HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
>
> 2. Default WMI DCOM Settings:
>
> In Windows XP and Windows Server 2003:
>
> a. Click Start, click Run, type dcomcnfg, and then click OK.
> b. Expand the Component Services node.
> c. Expand the Computers node.
> d. Expand the My Computer node.
> e. Expand the DCOM Config node.
> f. Right-click Windows Management [and] Instrumentation, and then click
> Properties.
> g. The following are some of the settings that you should verify:
>
> For Windows XP and Windows Server 2003:
>
> Authentication Level: Default
> Launch Permissions: Everyone
> Access Permissions: Use Default
>
> Please take your time to perform the steps. If you have any updates, please
> feel free to let me know. I am looking forward to hearing from you!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> --------------------
> >Thread-Topic: Access Denied when running RSoP
> >thread-index: AcYRJh2DH1JC35hnTjyFUtLhaL7rNQ==
> >X-WBNR-Posting-Host: 83.117.209.47
> >From: "=?Utf-8?B?QWQgdmFuIGRlbiBCcm9law==?="
> <AdvandenBroek@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >References: <3ACD6B4A-7ECF-4F08-8973-AA0F3BEA457A@xxxxxxxxxxxxx>
> <1mTNBdBEGHA.3592@xxxxxxxxxxxxxxxxxxxxx>
> <C2DA20FE-BD2B-44E1-BC9B-3736208E4A99@xxxxxxxxxxxxx>
> <RF2iDpREGHA.832@xxxxxxxxxxxxxxxxxxxxx>
> >Subject: RE: Access Denied when running RSoP
> >Date: Wed, 4 Jan 2006 03:58:02 -0800
> >Lines: 156
> >Message-ID: <5DE2DF1C-025D-4DD0-A1CA-AD28BF1C558A@xxxxxxxxxxxxx>
> >MIME-Version: 1.0
> >Content-Type: text/plain;
> > charset="Utf-8"
> >Content-Transfer-Encoding: 8bit
> >X-Newsreader: Microsoft CDO for Windows 2000
> >Content-Class: urn:content-classes:message
> >Importance: normal
> >Priority: normal
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> >Newsgroups: microsoft.public.windows.server.sbs
> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> >Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
> >Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:233966
> >X-Tomcat-NG: microsoft.public.windows.server.sbs
> >
> >Hi Brandy,
> >
> >I made the changes you asked for. Most of the settings were correct,
> except
> >form the administrators access in DCOM. Because I did not understand if
> you
> >wnated me to make these changes on the server or on the PC, I applied them
> to
> >both. The result is still the same. There are no new errors in any
> eventlog.
> >I do have some DCOM errors on other times, but these do not seem to apply
> to
> >this issue.
> >
> >The launch and activation security descriptor for the COM Server
> application
> >with CLSID
> >{486DD18C-B031-4586-AAF1-C1A92C57E4CC}
> > is invalid. It contains Access Control Entries with permissions that are
> >invalid. The requested action was therefore not performed. This security
> >permission can be corrected using the Component Services administrative
> tool.
> >
> >I tracked this CLSID in the registry and found an entry under HKCR\AppId
> >which points the application narepl32, which is a part of the McAfee
> Common
> >Framework. This doen't seem to have anything to do with the problem....
> >
> >For the rest, the logs are "clean".
> >
> >Regards,
> >Ad.
> >
>
>
.

Relevant Pages

  • RE: Access Denied when running RSoP
    ... Can you run RSOP on SBS Server? ... 2> Test WMI. ... Starting with Microsoft Windows XP, the version of WMI should match the ...
    (microsoft.public.windows.server.sbs)
  • RE: BizTalk WMI performance issue
    ... If the servers are Windows 2003 SP1 or earlier, ... a look at the following WMI patches included in Windows 2003 SP2. ... WMI service on a Windows XP SP2-based computer or a Windows Server 2003 ... Microsoft Online Community Support ...
    (microsoft.public.biztalk.server)
  • RE: Printing from Win9x clients stops
    ... > printer on the windows 9x workstations. ... Please check whether the shared printer was installed windows 9x ... Go to the shared printer Properties on the SBS Server, ...
    (microsoft.public.windows.server.sbs)
  • Re: EBS2008: Frage zu Preparation Wizards
    ... Der Preperation Wizard zeigt in diesem Fall aber keine Verweise auf weitere ... DNS und DHCP laufen auf dem Server ohne Fehler ... The Preparation Wizard uses Windows Management Interface (WMI) to scan ...
    (microsoft.public.de.german.backoffice.smallbiz)
  • Re: EBS2008: Frage zu Preparation Wizards
    ... schau bitte einmal genauer auf die Fehleranzeige im Preperation Wizard. ... The Preparation Wizard uses Windows Management Interface (WMI) to scan several network components. ... This is likely if server workloads in your environment are running on the Windows 2000 Server operating system. ...
    (microsoft.public.de.german.backoffice.smallbiz)