Microsoft KB Archive/914023

= You may receive an &quot;Access is denied&quot; error message when you try to query some WMI objects on a Windows Server 2003 Service Pack 1-based domain controller =

Article ID: 914023

Article Last Modified on 10/11/2007

-

APPLIES TO

 Microsoft Windows Server 2003 SP1, when used with:  Microsoft Windows Server 2003, Standard Edition (32-bit x86)

 Microsoft Windows Server 2003, Enterprise Edition  Microsoft Windows Server 2003, Enterprise x64 Edition Microsoft Windows Server 2003, Standard x64 Edition

-

<div class="notice_section">

<div class="symptoms_section">

SYMPTOMS
You try to query some Windows Management Instrumentation (WMI) objects on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller. If you are not logged on to Windows Server 2003 as an administrator, you may receive an &quot;Access is denied&quot; error message. For example, when you use the Ultrasound tool to try to collect information from a Windows Server 2003 SP1-based domain controller, you may receive an error message that is similar to the following:

Access to the Ultrasound WMI provider is denied. You may need to redeploy the provider. Also it may be a clock skew more then 5 minutes between controller and provider machines.

<div class="cause_section">

CAUSE
This issue occurs because Windows Server 2003 SP1 adds some new DCOM security features. These new features provide maximum security access to DCOM objects that are based in the new &quot;Distributed COM Users&quot; group. This group is a built-in group. Because all domain controllers in a domain share all the built-in groups, Windows Server 2003 SP1 does not add this group on each domain controller that is installed in the domain. Windows Server 2003 SP1 adds the new built-in group only on a Windows Server 2003 SP1-based primary domain controller (PDC).

<div class="resolution_section">

RESOLUTION
To resolve this issue, make sure that you install Windows Server 2003 SP1 on the PDC first. When you do this, WMI queries do not stop working when you install Windows Server 2003 SP1 on other domain controllers.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
Ultrasound monitoring is based on the WMI provider. The WMI provider queries a DCOM object. If the monitoring box does not have rights to access the DCOM object, the queries fails.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

903220 Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1

Keywords: kbtshoot kbprb kbdomain KB914023

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.