cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
%3CLINGO-SUB%20id%3D%22lingo-sub-372552%22%20slang%3D%22en-US%22%3EWMI%20Troubleshooting%3A%20Impersonation%20Rights%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-372552%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Oct%2016%2C%202007%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3C%2FP%3EToday%20we're%20going%20to%20take%20a%20look%20at%20an%20issue%20that%20is%20fairly%20common%20when%20dealing%20with%20WMI%20failures.%26nbsp%3B%20Starting%20with%20Windows%20XP%2C%20WMI%20providers%20are%20hosted%20in%20a%20separate%20process%20called%20WMIPRVSE.%26nbsp%3B%20Most%20of%20the%20time%20this%20provider%20host%20runs%20in%20the%20context%20of%20the%20Network%20Service%20Account.%26nbsp%3B%20In%20order%20to%20properly%20function%2C%20this%20account%20must%20have%20the%20rights%20to%20impersonate%20a%20client%20after%20authentication.%3CP%3E%3C%2FP%3E%0A%20%20%3CP%3EBy%20default%20in%20Windows%20XP%20SP2%20and%20Windows%20Server%202003%2C%20the%20Network%20Service%20account%20which%20resides%20within%20the%20SERVICE%20group%20has%20impersonation%20rights.%26nbsp%3B%20However%2C%20there%20have%20been%20more%20than%20a%20few%20occasions%20where%20we%20have%20worked%20with%20customers%20who%20found%20out%20that%20this%20right%20had%20been%20removed.%26nbsp%3B%20More%20often%20than%20not%2C%20the%20removal%20was%20due%20to%20an%20older%20group%20policy%20that%20was%20in%20place%20that%20did%20not%20include%20the%20Network%20Service%20account%20within%20the%20list%20of%20accounts%20%2F%20groups%20granted%20the%20Impersonate%20right.%3C%2FP%3E%0A%20%20%3CP%3EA%20quick%20note%20on%20the%20SERVICE%20group.%26nbsp%3B%20This%20is%20a%20special%20group%20that%20includes%20all%20security%20principals%20that%20have%20logged%20on%20as%20a%20service.%26nbsp%3B%20This%20is%20not%20a%20group%20that%20is%20managed%20through%20the%20Computer%20Management%20snap-in%2C%20membership%20in%20this%20group%20is%20controlled%20by%20the%20operating%20system.%3C%2FP%3E%0A%20%20%3CP%3EResolving%20the%20problem%20is%20fairly%20simple%20-%20the%20steps%20to%20remedy%20the%20issue%20on%20a%20local%20machine%20are%20provided%20below.%26nbsp%3B%20If%20your%20problem%20is%20caused%20by%20a%20Group%20Policy%20within%20Active%20Directory%2C%20then%20the%20same%20basic%20steps%20apply%3A%3C%2FP%3E%0A%20%20%3COL%3E%0A%20%20%20%3CLI%3EClick%20%3CSTRONG%3EStart%20%3C%2FSTRONG%3E%2C%20click%20%3CSTRONG%3ERun%20%3C%2FSTRONG%3E%2C%20type%20%3CSTRONG%3Egpedit.msc%20%3C%2FSTRONG%3Eand%20then%20click%20%3CSTRONG%3EOK%3C%2FSTRONG%3E%3C%2FLI%3E%0A%20%20%20%3CLI%3EUnder%20%3CSTRONG%3ELocal%20Computer%20Policy%20%3C%2FSTRONG%3E%2C%20expand%20%3CSTRONG%3EComputer%20Configuration%20%3C%2FSTRONG%3E%2C%20and%20then%20expand%20%3CSTRONG%3EWindows%20Settings%3C%2FSTRONG%3E%3C%2FLI%3E%0A%20%20%20%3CLI%3EExpand%20%3CSTRONG%3ESecurity%20Settings%20%3C%2FSTRONG%3E%2C%20expand%20%3CSTRONG%3ELocal%20Policies%20%3C%2FSTRONG%3Eand%20then%20click%20%3CSTRONG%3EUser%20Rights%20Assignment%3C%2FSTRONG%3E%3C%2FLI%3E%0A%20%20%20%3CLI%3EVerify%20that%20the%20%3CSTRONG%3ESERVICE%20%3C%2FSTRONG%3Egroup%20is%20specifically%20granted%20the%20%3CSTRONG%3EImpersonate%20a%20client%20after%20authentication%20%3C%2FSTRONG%3Eright%20as%20shown%20below%3A%3C%2FLI%3E%0A%20%20%3C%2FOL%3E%0A%20%20%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F90931iDD6A2C5CC4B2DCB7%22%20%2F%3E%3C%2FP%3E%0A%20%20%3CP%3EA%20quick%20note%20here%20-%20by%20default%2C%20the%20Default%20Domain%20and%20Default%20Domain%20Controller%20GPO's%20will%20show%20the%20impersonation%20right%20as%20%22Not%20Defined%22%3C%2FP%3E%0A%20%20%3CP%3EOK%2C%20so%20now%20that%20we%20know%20what%20the%20problem%20is%20and%20how%20to%20fix%20it%20-%20how%20can%20we%20quickly%20identify%20this%20failure%3F%26nbsp%3B%20If%20the%20SERVICE%20group%20is%20missing%20the%20Impersonate%20right%2C%20then%20the%20following%20VB%20Script%20will%20fail%20with%20an%20%22Access%20Denied%22%20message%3A%3C%2FP%3E%0A%20%20%3CDIV%3Eset%20WMI%20%3D%20GetObject(%22WinMgmts%3A%2Froot%2Fcimv2%22)%20%3CBR%20%2F%3E%20set%20objs%20%3D%20WMI.InstancesOf(%22Win32_OperatingSystem%22)%20%3CBR%20%2F%3E%20for%20each%20obj%20in%20objs%20%3CBR%20%2F%3E%20WScript.Echo%20obj.GetObjectText_%20%3CBR%20%2F%3E%20next%20%3CBR%20%2F%3E%3C%2FDIV%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CP%3EThe%20%22Access%20Denied%22%20message%20occurs%20down%20at%20the%20Remote%20Procedure%20Call%20(RPC)%20level%20when%20the%20WMI%20Service%20starts%20the%20WMIPRVSE%20process%20to%20retrieve%20instances%20of%20Win32_OperatingSystem.%26nbsp%3B%20Conversely%2C%20the%20following%20script%20will%20succeed%20when%20WMIPRVSE%20does%20not%20have%20to%20be%20invoked%20to%20populate%20instances%20of%20Win32_WMISetting%3A%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CDIV%3E%3CBR%20%2F%3E%20set%20WMI%20%3D%20GetObject(%22WinMgmts%3A%2Froot%2Fcimv2%22)%20%3CBR%20%2F%3Eset%20obj%20%3D%20WMI.Get(%22Win32_WMISetting%3D%40%22)%20%3CBR%20%2F%3EWScript.Echo%20obj.GetObjectText_%20%3CBR%20%2F%3E%3C%2FDIV%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CP%3ESo%20there%20you%20have%20it.%26nbsp%3B%20When%20you%20run%20into%20what%20seems%20like%20inconsistent%20behavior%20because%20some%20WMI%20scripts%20work%20and%20some%20don't%2C%20try%20the%20first%20script%20to%20see%20if%20the%20problem%20is%20due%20to%20a%20missing%20privilege!%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CP%3EAdditional%20Resources%3A%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3E%3CA%20href%3D%22http%3A%2F%2Ftechnet2.microsoft.com%2Fwindowsserver%2Fen%2Flibrary%2F86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx%3Fmfr%3Dtrue%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20Technet%3A%20Security%20Identifiers%20%3C%2FA%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CP%3E-%20Axel%20Rivera%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-372552%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Oct%2016%2C%202007%20Today%20we're%20going%20to%20take%20a%20look%20at%20an%20issue%20that%20is%20fairly%20common%20when%20dealing%20with%20WMI%20failures.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-372552%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ETroubleshooting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Etwo%20minute%20drill%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ewmi%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
CraigMarcho
Microsoft
‎Mar 15 2019 05:41 PM

WMI Troubleshooting: Impersonation Rights

‎Mar 15 2019 05:41 PM
First published on TECHNET on Oct 16, 2007


Today we're going to take a look at an issue that is fairly common when dealing with WMI failures.  Starting with Windows XP, WMI providers are hosted in a separate process called WMIPRVSE.  Most of the time this provider host runs in the context of the Network Service Account.  In order to properly function, this account must have the rights to impersonate a client after authentication.

By default in Windows XP SP2 and Windows Server 2003, the Network Service account which resides within the SERVICE group has impersonation rights.  However, there have been more than a few occasions where we have worked with customers who found out that this right had been removed.  More often than not, the removal was due to an older group policy that was in place that did not include the Network Service account within the list of accounts / groups granted the Impersonate right.

A quick note on the SERVICE group.  This is a special group that includes all security principals that have logged on as a service.  This is not a group that is managed through the Computer Management snap-in, membership in this group is controlled by the operating system.

Resolving the problem is fairly simple - the steps to remedy the issue on a local machine are provided below.  If your problem is caused by a Group Policy within Active Directory, then the same basic steps apply:

  1. Click Start , click Run , type gpedit.msc and then click OK
  2. Under Local Computer Policy , expand Computer Configuration , and then expand Windows Settings
  3. Expand Security Settings , expand Local Policies and then click User Rights Assignment
  4. Verify that the SERVICE group is specifically granted the Impersonate a client after authentication right as shown below:

A quick note here - by default, the Default Domain and Default Domain Controller GPO's will show the impersonation right as "Not Defined"

OK, so now that we know what the problem is and how to fix it - how can we quickly identify this failure?  If the SERVICE group is missing the Impersonate right, then the following VB Script will fail with an "Access Denied" message:

set WMI = GetObject("WinMgmts:/root/cimv2")
set objs = WMI.InstancesOf("Win32_OperatingSystem")
for each obj in objs
WScript.Echo obj.GetObjectText_
next


The "Access Denied" message occurs down at the Remote Procedure Call (RPC) level when the WMI Service starts the WMIPRVSE process to retrieve instances of Win32_OperatingSystem.  Conversely, the following script will succeed when WMIPRVSE does not have to be invoked to populate instances of Win32_WMISetting:




set WMI = GetObject("WinMgmts:/root/cimv2")
set obj = WMI.Get("Win32_WMISetting=@")
WScript.Echo obj.GetObjectText_


So there you have it.  When you run into what seems like inconsistent behavior because some WMI scripts work and some don't, try the first script to see if the problem is due to a missing privilege!



Additional Resources:





- Axel Rivera

0 Likes
Like