Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

DCOM Settings

1 view
Skip to first unread message

James Crosswell

unread,
Jun 4, 2005, 12:17:30 PM6/4/05
to
To access WMI remotely both WMI and DCOM security need to be set, right?

Under Windows 2000/XP the WMI security is easy to find (wmimgmt.msc).
Howver, how/where does one set the DCOM security settings for WMI to
allow remote access?

Under Wind98/ME you could simply run dcomcnfg - but that just lauches
the Component Services dialog in Windows XP. So how do you do it on XP?
Is it a GPO?

--

Best Regards,

James Crosswell
Software Engineer
Microforge.net Limited
http://www.microforge.net

Jim Vierra

unread,
Jun 4, 2005, 6:18:13 PM6/4/05
to
By default in W2K, WS2003 and XP the DCOM settings allow remote access to
administrators. In a Domain this, by default, included Domain Admins. I
have never needed to change anything to remotely access a machine in a
domain and in a workgroup I just set all Administrators to the same password
and use impersonation.

--
Jim Vierra

"James Crosswell" <ja...@microforge.net> wrote in message
news:OjDKoDSa...@TK2MSFTNGP14.phx.gbl...

Manfred Braun

unread,
Jun 5, 2005, 2:37:42 AM6/5/05
to
Hi !

Not me ;-)
But there are differences between w2k and XP type of OS. Since I am facing
XP, I use always
objService.Security_.ImpersonationLevel =
wbemImpersonationLevelImpersonate
objService.Security_.AuthenticationLevel = wbemAuthenticationLevelPkt
and I am sure, everything works properly.

Best regards,
Manfred


Jim Vierra

unread,
Jun 5, 2005, 4:46:57 PM6/5/05
to
Good advise. Should be the defaults for XP but not necessarily for any other
system.

I always try to remember to "impersonate" but don't always take to set the
level. Packet is the most reliable as anything below or up to packet will
generally work with packet set.


--
Jim Vierra

"Manfred Braun" <a...@bb.cc> wrote in message
news:OPPcbkZa...@tk2msftngp13.phx.gbl...

PStrosnyder

unread,
Jun 6, 2005, 8:43:03 AM6/6/05
to
I recently ran into an issue where I was getting an access denied error
message when trying to connect to WMI on a remote machine. At first I
thought it was security related, but after I was able to connect to WMI while
signed on the machine locally I realized there was a different issue. There
are 2 registry keys that need to be set to "Y" (yes) in order to connect to
WMI remotley, they are:
hklm\software\microsoft\ole\enabledcom and
hklm\software\microsoft\ole\enableremoteconnect. I would check these two
registry keys if you've already verified your security settings are correct.
You may also need to restart dcom and wmi, or reboot your machine after
changing these settings. Hope this helps.

James Crosswell

unread,
Jun 6, 2005, 10:18:03 AM6/6/05
to
Jim Vierra wrote:
> By default in W2K, WS2003 and XP the DCOM settings allow remote access to
> administrators. In a Domain this, by default, included Domain Admins. I
> have never needed to change anything to remotely access a machine in a
> domain and in a workgroup I just set all Administrators to the same password
> and use impersonation.

Great but every now and then a customer gets in touch and says they
can't connect to remote machines. If I've checked all the WMI security
and they're logged in as a Domain Admin then the logical thing to look
at is DCOM security settings... so the fact that it works in most
ordinary configurations won't help me troubleshoot this.

James Crosswell

unread,
Jun 6, 2005, 10:19:32 AM6/6/05
to
Manfred Braun wrote:
> Hi,
>
> the "Component Services" IS the right location, just open it and
> navigate to "Computers/My Computer" and use the properties dialog;See
> image below.

Ahhh! Thanks Manfred - exactly what I needed... I was looking under the
machine for some component called WMI - I thought maybe you could set
this at a more granular level (per component).

In any case, thank you very much!

Jim Vierra

unread,
Jun 6, 2005, 12:03:55 PM6/6/05
to
James - I agree. I was only speculating on why the settings would not be
set correctly.
What exactly is complaining about WMI remoting failing. It is an OS issue
or a third party product issue?

--
Jim Vierra

"James Crosswell" <ja...@microforge.net> wrote in message

news:eO20MKqa...@TK2MSFTNGP14.phx.gbl...

James Crosswell

unread,
Jun 7, 2005, 3:05:26 PM6/7/05
to
Jim Vierra wrote:
> James - I agree. I was only speculating on why the settings would not be
> set correctly.
> What exactly is complaining about WMI remoting failing. It is an OS issue
> or a third party product issue?

Hi Jim - it appears (after speaking with Microsoft Support about this)
that it's an OS issue (can be reproduced with wbemtest.exe). They've
given me a bunch of stuff to look into, including various DCOM
settings... among the suggestions was simply to delete the following
registry key to restore the original default values:
HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission

In my case it's not necessarily Remote connections to WMI that are a
problem (I have the problem with local connections too). However the
Microsoft rep that I'm talking to said that DCOM problems could actually
cause problems with WMI (and various other things) even when accessing
this locally... so it's always something to look at.

Jim Vierra

unread,
Jun 7, 2005, 4:42:22 PM6/7/05
to
All of it uses DCOM. Almost everything in XP W2K3 use DCOM at some level.
DCOM permissions get set wrong by some installers (this was from an MS tech)
I still get no agreement on what baseline settings should be - depends on
"role" for host. DC, IIS, SQL, SPS, etc.

--
Jim Vierra

"James Crosswell" <ja...@microforge.net> wrote in message

news:OF3FfP5...@tk2msftngp13.phx.gbl...

0 new messages