JSI Tip 10252. You receive 'Access is denied' when you query some WMI objects on a Windows Server 2003 SP1 domain controller?

When you query some WMI (Windows Management Instrumentation) objects on a Windows Server 2003 SP1 (Service Pack 1) domain controller, you receive Access is denied. If you use the Ultrasound tool to collect information from the Windows Server 2003 SP1 DC, you receive a message similar to:

Access to the Ultrasound WMI provider is denied. You may need to redeploy the provider. Also it may be a clock skew more then 5 minutes between controller and provider machines.

New SP1 DCOM security features provide high security access based upon the new built-in Distributed COM Users group. Since all domain controllers in a domain share all the built-in groups, Windows Server 2003 SP1 only adds the new built-in group to the Windows Server 2003 SP1 PDC emulator (Primary Domain Controller).

To prevent the subject behavior, always install SP1 on the PDC first.

NOTE: See Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish