We need to retrieve some WMI information from a remote computer running
Windows 2003 SP1 without using an Administrator user. Using wbemtest to
retrieve the query "select * from win32_BaseService" I always get an error
80041001 Generic Failure, but I can execute some other WMI queries without any
problem.
I'm using a "low" domain user, not an administrator, on the monitored computer.
I've configured the following on the monitored system:
- I've added the user to the Local User groups and "Performance Monitor Users"
group.
- Using wmimgmt.msc I gave permissions to all in the Root and CIMV2 nodes (I
know only some of them are needed, but I checked everything just to test).
- As I'm using 2003 Server SP1, I modified DCOM permissions using dcomcnfg,
modifying the "Edit Default" in Access Permissions and Launch and Activation
Permissions. I've changed the "Edit Limits" options in the "Launch and
Activation Permissions".
With these settings I'm able to retrieve some information using WMI, but some
queries do not work (Win32_BaseService is the most important).
Furthermore, the query works using:
- wbemtest directly on the remote computer when logged in as the same "low"
user, so it's not an authorization problem but a WMI/DCOM issue.
- Everything works fine running wbemtest from the remote PC if I add the
domain user to the "local administrator" group.
Just to try, I also changed some settings I got from a MOM configuration
document: I added the "Manage auditing and security log" and "Allow log on
locally" permissions, but it did not work either; the error is always the same.
My question is: Do I need to change any other setting in order to be able
to perform this query from a remote computer using a non-administrator user?

Based on your detailed test information, I agree it should be a security
setting issue.
I have performed a search in the internal database and found a reported
record similar to yours. This record has the problem of using Win32_Service
WMI for a remote query with a non-admin user after installing
Windows 2003 Service Pack 1.
From the research result in that record, after installing the service pack,
the operating system limits the ability of non-administrators to remotely
access the Service Control Manager. So, SP1
changed the SCM's (Service Control Manager) default security settings. The
underlying provider maps the Access Denied error to 0x80041001.
The recommended solution is to obey the security restriction added by SP1 by
using Administrator to query it remotely. You may use impersonation to reduce
the time your application runs as Admin if you want.
If you really want to restore the pre-SP1 security setting, you have to use
v 5.2.3790.1830 of SC.EXE (located in c:\winnt\system32) at a command line
to restore the RTM permissions to the SCM as follows:
sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
You may give it a try and let me know the result. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
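
To see what the security descriptor in the reply above grants before applying it, the following added example (not part of the original thread) decodes that SDDL string into Service Control Manager access rights. The mapping tables and function names are this example's own; restoring the RTM descriptor gives every authenticated user connect and enumerate rights on the SCM.

```python
import re

# SDDL string copied from the post above (SCMANAGER, RTM defaults).
SCM_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

# Two-letter SDDL right codes and their meaning when the object is the SCM.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "SD": "DELETE", "RC": "READ_CONTROL",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "KA": "SC_MANAGER_ALL_ACCESS", "GA": "GENERIC_ALL",
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

def parse_sddl(sddl):
    """Return a list of (acl, ace_type, trustee, [rights]) tuples."""
    aces = []
    # Split into the DACL ("D:") and SACL ("S:") parts, then into ACEs.
    for acl, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
            codes = re.findall("..", rights)
            unknown = [c for c in codes if c not in SCM_RIGHTS]
            if unknown:
                raise ValueError(f"unmapped right codes {unknown} in ({ace})")
            aces.append(("DACL" if acl == "D" else "SACL",
                         ACE_TYPES[ace_type],
                         TRUSTEES.get(trustee, trustee),
                         [SCM_RIGHTS[c] for c in codes]))
    return aces

def allowed_rights(sddl, trustee):
    """Rights granted to one trustee by allow ACEs in the DACL."""
    return sorted({r for acl, kind, who, rights in parse_sddl(sddl)
                   if acl == "DACL" and kind == "allow" and who == trustee
                   for r in rights})

if __name__ == "__main__":
    for ace in parse_sddl(SCM_SDDL):
        print(ace)
```

On a live system, `sc sdshow SCMANAGER` prints the current descriptor, which can be passed to `parse_sddl` and compared against the string above.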
Thanks again.
Thanks for your feedback!
Yes, I understand your scenario. Since the workaround requires the security
change to the Win2003 SP1 machine, I also agree that using Administrator to
perform the remote query is a more generic and suitable solution.
Anyway, if you need further help, please feel free to post, thanks!
-----------------------------------------------
strComputer = "192.168.1.46"
Const wbemImpersonationLevelImpersonate = 3
Const wbemAuthenticationLevelPktPrivacy = 6
' Connect to the remote CIMV2 namespace with explicit administrator credentials
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer(strComputer, _
    "\root\CIMV2", "w2003deployment\administrator", "12345")
' Impersonate the caller and use packet privacy on the DCOM connection
objSWbemServices.Security_.ImpersonationLevel = wbemImpersonationLevelImpersonate
objSWbemServices.Security_.AuthenticationLevel = wbemAuthenticationLevelPktPrivacy
Set colSoftware = objSWbemServices.ExecQuery("SELECT * FROM Win32_Product")
For Each objSoftware in colSoftware
    ' Print the MOF text of each returned instance
    Wscript.Echo objSoftware.GetObjectText_
Next
--------------------------------------------------------