Access Denied Error (WMI or Remote Registry) in Performance Advisor

With Windows 2000 – Windows 2003 and XP, using Windows authentication with the service account added to the local administrators group should be sufficient for remote WMI and registry access. This applies to both domain accounts and accounts using pass-through security (Workgroup machines).

Windows Vista, Windows 2008 (including R2) and up (Windows 7 and beyond) include the concept of User Account Control (UAC). For domain accounts, ensuring the service account is added to the local administrators group on the remote machine should still be sufficient. For machines that are not on a domain (Workgroup machines) or other situations requiring the use of pass-through security, additional configuration may be necessary.

The standard pass-through security scenario is to use duplicate accounts (the same username and password on both machines) so that security tokens can be passed between the machines. Microsoft has allowed this configuration in the past, and it still works on newer operating systems. The problem that arises now is with UAC: when a remote connection is made using pass-through security, the remote machine cannot resolve elevated permissions under UAC, so for WMI and registry purposes the account is treated as a regular (non-admin) user even if it is a member of the local administrators group.

More information can be found at the following URL under the section entitled “Handling Remote Connections Under UAC”: http://msdn.microsoft.com/en-us/library/aa826699(VS.85).aspx

A specific configuration that has been determined to work for SQL Sentry Performance Advisor is as follows:

1.) Disable remote UAC as specified in the URL mentioned above: “Disabling Remote UAC by changing the registry entry that controls Remote UAC is not recommended, but may be necessary in a workgroup.

The registry entry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy.

When the value of this entry is zero (0), Remote UAC access token filtering is enabled. When the value is 1, remote UAC is disabled.”

This is a REG_DWORD value, and you will likely need to create the new value as it is not there by default.

2.) Change the authentication level for WMI in DCOM (using DCOMCNFG.exe) to 'Packet' from 'Connect'.
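The following Windows PowerShell script is an added example, not part of the original SQL Sentry article. It audits the two settings the steps above change (the LocalAccountTokenFilterPolicy DWORD and the DCOM authentication level of the WMI AppID), applies them only when explicitly called, and tests remote WMI and Remote Registry access from the monitoring server with the duplicated service account. It assumes the WMI AppID can be located under HKLM\SOFTWARE\Classes\AppID by the friendly name DCOMCNFG displays ("Windows Management and Instrumentation"), and that the AppID's AuthenticationLevel value uses the RPC authentication constants (2 = Connect, 4 = Packet). Run the audit/apply functions elevated on the monitored machine and the connectivity test on the monitoring server.

```powershell
# Added example (not from the original article). Windows PowerShell 5.1 or earlier.
# Assumption: WMI's DCOM AppID is found by friendly name, not a hard-coded GUID, and
# AuthenticationLevel uses the RPC_C_AUTHN_LEVEL_* constants (2 = Connect, 4 = Packet).

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # A missing value behaves like 0: remote UAC token filtering is ON for local accounts.
    $v = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{ Value = $v; Filtered = (($null -eq $v) -or ($v -eq 0)) }
}

function Set-RemoteUacDisabled {
    # Step 1 of the article: create/set the REG_DWORD to 1. This also lets any other local
    # admin account with a matching password obtain a full token remotely, so restrict it to
    # workgroup machines that genuinely need pass-through security.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-WmiDcomAppId {
    # Locate the WMI AppID key by the display name DCOMCNFG shows (assumption: default value holds it).
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).'(default)' -like 'Windows Management*'
    } | Select-Object -First 1
}

$AuthLevelName = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

function Get-WmiDcomAuthLevel {
    $key = Get-WmiDcomAppId
    if (-not $key) { throw 'WMI AppID not found under HKLM\SOFTWARE\Classes\AppID' }
    $level = (Get-ItemProperty -Path $key.PSPath -Name AuthenticationLevel -ErrorAction SilentlyContinue).AuthenticationLevel
    $name = 'Default (inherits the machine-wide DCOM setting)'
    if ($null -ne $level) { $name = $AuthLevelName[[int]$level] }
    [pscustomobject]@{ AppId = $key.PSChildName; Level = $level; Name = $name }
}

function Set-WmiDcomAuthLevelPacket {
    # Step 2 of the article via the value DCOMCNFG edits: 4 = RPC_C_AUTHN_LEVEL_PKT ('Packet').
    $key = Get-WmiDcomAppId
    if (-not $key) { throw 'WMI AppID not found under HKLM\SOFTWARE\Classes\AppID' }
    New-ItemProperty -Path $key.PSPath -Name AuthenticationLevel -PropertyType DWord -Value 4 -Force | Out-Null
}

function Test-RemoteMonitoringAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential   # the duplicated service account
    )
    $result = [ordered]@{ Computer = $ComputerName; Wmi = $null; RemoteRegistry = $null }
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $result.Wmi = 'OK'
    } catch {
        # "Access is denied" (0x80070005) here is the symptom the article describes.
        $result.Wmi = "FAILED: $($_.Exception.Message)"
    }
    try {
        # Remote Registry uses the caller's own token, so run this session as the service account.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $null = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion').GetValue('ProductName')
        $hive.Close()
        $result.RemoteRegistry = 'OK'
    } catch {
        $result.RemoteRegistry = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage on the monitored workgroup machine (elevated):
#   Get-RemoteUacState; Get-WmiDcomAuthLevel
#   Set-RemoteUacDisabled; Set-WmiDcomAuthLevelPacket
# Usage from the monitoring server (hostname below is a placeholder):
#   Test-RemoteMonitoringAccess -ComputerName 'WORKGROUP-SQL01' -Credential (Get-Credential)
```

Run the two Get- functions before and after the change so the audit trail shows exactly what was altered; the Set- functions deliberately touch nothing else, and the Test- function reports WMI and Remote Registry separately because the two paths fail independently under UAC token filtering.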

As with any registry modification or change to security settings, there are associated risks. These are outlined in the Microsoft article, which should be reviewed prior to making any changes.

Finally, because of these security issues and the risks associated with the changes needed to support this configuration, we recommend running SQL Sentry in a domain environment.

Here is an additional link listing the DCOM impersonation and authentication setting requirements: http://msdn.microsoft.com/en-us/library/aa389284(v=VS.85).aspx
