Ivan Lučić - my blog



Remote WMI: "Error: Access Denied" / "Win32: Access is denied", RSoP: "Error: Could not connect"

PROBLEM:

You are using Group Policy Inventory (GPInventory.exe) to gather some information about the machines in your network (mostly Windows XP).

In doing so, you get some really surprising results:

"Error: Access Denied" on WMI (Windows Management Instrumentation) queries:

"Error: Could not connect" on RSoP (Resultant Set of Policy) queries:

 

With the clients above (the ones you cannot establish a connection with), a remote connection over WMI Control should also fail with the following error: "Win32: Access is denied" [german] "Win32: Zugriff verweigert" [/german].


If you want to test it, you can find that control here:

Control Panel -> Administrative Tools -> Computer Management -> Connect to another computer... -> choose your client & click OK -> Services and Applications -> WMI Control -> Properties

[german] Systemsteuerung -> Verwaltung -> Computerverwaltung -> Verbindung mit anderem Computer herstellen... -> choose your client & click OK -> Dienste und Anwendungen -> WMI-Steuerung -> Eigenschaften [/german]

 

Whatta...!?! What happens here? Everything seems to be fine:

  • you are logged in as a domain administrator
  • all the clients are domain members and you are admin on these machines as well
  • there is no firewall active between the machines in your network (XP firewall is off)
  • there are no errors in the event log and all the services are running properly
  • connecting with WMI Control locally (on the clients) works anyway

 

CAUSE:

DCOM (Distributed COM) seems to be deactivated on your client(s).

 

RESOLUTION:

Activate it, what else ;)

But beware of worms and viruses; many of them are based on this technology. Activate this setting only in internal (secure) networks, behind the firewall and your AntiVirus wall.

Activate the firewall on mobile clients, especially in the Standard Profile Policy. If the firewall is activated in the Domain Profile, you can add management exceptions like the following:

How to configure Windows Firewall in Windows XP Service Pack 2 to allow remote administration tools that use WMI, RPC, or DCOM

[german] Konfigurieren der Windows Firewall in Windows XP Service Pack 2, um Remoteverwaltungstools zuzulassen, die WMI, RPC oder DCOM verwenden [/german]

 

Steps for manual DCOM activation:

  1. Control Panel -> Administrative Tools -> Component Services (short: run dcomcnfg.exe)
  2. Component Services -> Computers -> My Computer -> Properties -> Default Properties
  3. Check "Enable Distributed COM on this computer"
  4. OK
  5. Restart the machine
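
To see which clients have the checkbox from step 3 cleared, the script below (an added example, not part of the original post) reads the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole through the Remote Registry service, which does not depend on DCOM. It assumes the Remote Registry service is running on the targets and that you are an administrator there; the function name `Get-DcomState` and the host names are hypothetical.

```powershell
# Added example: report whether DCOM is enabled on a list of clients.
# Reads EnableDCOM ("Y"/"N") under HKLM\SOFTWARE\Microsoft\Ole via Remote Registry,
# so it can be used while remote WMI still answers "Access Denied".
# Assumptions: Remote Registry is running on the targets, you are admin there,
# and PowerShell 2.0 or later is used (try/catch/finally).

function Get-DcomState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        $state  = 'Unknown'
        $detail = ''
        $hklm   = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $ole = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole')
            if ($null -eq $ole) {
                $detail = 'Ole key not found'
            } else {
                $value = $ole.GetValue('EnableDCOM')
                $ole.Close()
                if ($null -eq $value)      { $detail = 'EnableDCOM value missing' }
                elseif ("$value" -ieq 'Y') { $state = 'Enabled' }
                else                       { $state = 'Disabled'; $detail = "EnableDCOM=$value" }
            }
        } catch {
            # Typical causes: Remote Registry stopped, host offline, no admin rights
            $detail = $_.Exception.Message
        } finally {
            if ($null -ne $hklm) { $hklm.Close() }
        }

        # One result object per client, so the output can be filtered or exported
        New-Object PSObject -Property @{
            ComputerName = $computer
            DCOM         = $state
            Detail       = $detail
        }
    }
}

# Constructed sample host names; replace them with your own clients.
Get-DcomState -ComputerName 'CLIENT01', 'CLIENT02' |
    Format-Table ComputerName, DCOM, Detail -AutoSize
```

The value shows the configured setting only; the restart from step 5 still applies after changing it.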

 

[german]

Steps for manual DCOM activation:

  1. Systemsteuerung -> Verwaltung -> Komponentendienste (short: run dcomcnfg.exe)
  2. Komponentendienste -> Computer -> Arbeitsplatz -> Eigenschaften -> Standardeigenschaften
  3. Check "DCOM (Distributed COM) auf diesem Computer aktivieren"
  4. OK
  5. Restart the machine

[/german]

 

On Windows Vista and the PDC Beta of Windows 7, the Component Services are no longer located in the Administrative Tools.

To start them anyway, do one of the following (this works in XP/2003 as well):

  • Start the Management Console (mmc.exe) and add the Component Services Snap-in
  • simply run dcomcnfg.exe
  • or run comexp.msc

 

I haven't searched for a group policy setting to activate DCOM, but you are welcome to publish it in your comment ;)

Posted: Nov 18 2008, 04:01 PM by Ivan Lučić