You may receive an "Access is denied" error message when you try to query some WMI objects on a Windows Server 2003 Service Pack 1-based domain controller (914023)


The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition

SYMPTOMS

You try to query some Windows Management Instrumentation (WMI) objects on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller. If you are not logged on to Windows Server 2003 as an administrator, you may receive an "Access is denied" error message. For example, when you use the Ultrasound tool to try to collect information from a Windows Server 2003 SP1-based domain controller, you may receive an error message that is similar to the following:
Access to the Ultrasound WMI provider is denied. You may need to redeploy the provider. Also it may be a clock skew more then 5 minutes between controller and provider machines.

CAUSE

This issue occurs because Windows Server 2003 SP1 adds some new DCOM security features. These new features provide maximum security access to DCOM objects that are based in the new "Distributed COM Users" group. This group is a built-in group. Because all domain controllers in a domain share all the built-in groups, Windows Server 2003 SP1 does not add this group on each domain controller that is installed in the domain. Windows Server 2003 SP1 adds the new built-in group only on a Windows Server 2003 SP1-based primary domain controller (PDC).

RESOLUTION

To resolve this issue, make sure that you install Windows Server 2003 SP1 on the PDC first. When you do this, WMI queries do not stop working when you install Windows Server 2003 SP1 on other domain controllers.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

Ultrasound monitoring is based on the WMI provider. The WMI provider queries a DCOM object. If the monitoring box does not have rights to access the DCOM object, the queries fails.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1

Modification Type:MinorLast Reviewed:3/8/2006
Keywords:kbtshoot kbdomain kbprb KB914023 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.