File System ACL Required for WMI Function?

Something about our default security configuration for Windows 2003 and
Windows XP breaks WMI. What file system and registry ACLs are required for
WMI's proper function?

--
Will

Hi Will,

> Something about our default security configuration for Windows 2003 and
> Windows XP breaks WMI. What file system and registry ACLs are required for
> WMI's proper function?

You are asking the question back-to-front. You should KNOW the exact
changes made by your security policy and then be able to determine what
will be affected by them. Some quick checks you can do.

Log on to the Admin workstation with a Domain Admin account. Use
WBEMTEST to query a domain joined remote machine, if it fails try
disabling the firewall and try again, if it still fails, try right-click
"Computer" then "Manage", then "WMI Properties", make sure you can
access the properties, if you can't, go to the remote box and try
DCOMCNFG and make sure the computer properties are set to defaults

--
Gerry Hickman (London UK)

"Gerry Hickman" <gerry666uk@newsgroup.nospam> wrote in message
news:unRUWx7rIHA.2208@TK2MSFTNGP04.phx.gbl...
> > Something about our default security configuration for Windows 2003 and
> > Windows XP breaks WMI. What file system and registry ACLs are required
for
> > WMI's proper function?
>
> You are asking the question back-to-front. You should KNOW the exact
> changes made by your security policy and then be able to determine what
> will be affected by them. Some quick checks you can do.

The conclusion does not follow from the premise. It does not follow from
the premise that you know your security policy and what it changes that you
would know the effect of any one of those changes on a particular Windows
subsystem.


> Log on to the Admin workstation with a Domain Admin account. Use
> WBEMTEST to query a domain joined remote machine, if it fails try
> disabling the firewall and try again, if it still fails, try right-click
> "Computer" then "Manage", then "WMI Properties", make sure you can
> access the properties, if you can't, go to the remote box and try
> DCOMCNFG and make sure the computer properties are set to defaults

We are not trying to use WMI on remote computers. We are getting the WMI
errors in the local eventviewer logs at startup, so something in the
subsystem doesn't appear to initialize correctly. Rather than bog down in
the detail of those messages, I was imply asking for a baseline
configuration that is known to work and the compare that against our default
settings.

--
Will

Will wrote:

>> You are asking the question back-to-front. You should KNOW the exact
>> changes made by your security policy and then be able to determine what
>> will be affected by them. Some quick checks you can do.
>
> The conclusion does not follow from the premise. It does not follow from
> the premise that you know your security policy and what it changes that you
> would know the effect of any one of those changes on a particular Windows
> subsystem.

Well in that case, who ever is in charge of the security policy should
be sacked for not testing it properly. Surely they'd test it against ONE
machine first, then only roll it out when it works as expected?

> We are not trying to use WMI on remote computers. We are getting the WMI
> errors in the local eventviewer logs at startup,

Well in that case, the first thing we'd need to know is the exact error.

--
Gerry Hickman (London UK)