Mark Berry March 22, 2011
So you’re trying to do a simple PowerShell WMI query from a domain-joined computer to a non-domain-joined (workgroup) Server 2008 R2 computer on the same network, e.g. to check the version of the server’s operating system:
Get-WmiObject -ComputerName "WGSERVER01" -namespace "root\CIMV2" `
-Class win32_OperatingSystem -Property "Version"
But you keep getting nasty messages:
Get-WmiObject : Access denied
I feel your pain. I was beginning to wonder if getting remote WMI working had something to do with planetary alignment.
Finally I stumbled on John Howard’s article about managing Hyper-V remotely. I had used his HVRemote app for just that purpose in an earlier installation. This time I went directly into the meat of the article and found the initial steps for Hyper-V remote management are all about getting WMI to work remotely. I followed steps 1 through 4 in that article and I was able to run the WMI query successfully.
The article has detailed instructions and pictures. Here is a summary:
Step 1: Make sure you are using a username and password that match between the client and the server. Yes, that means the domain user name matches the non-domain user name. John says that the user does not need to be an administrator on the target machine, but in my case it is an administrator.
Alternatively, you can use the -Credential parameter of the Get-WmiObject command. Then you don’t need matching user names; you just supply explicit credentials for the target computer.
Step 2: In Windows Firewall, enable the pre-defined Windows Management Instrumentation (WMI) rules.
Step 3: Grant DCOM (Distributed COM) permissions. I set this up for Authenticated Users. Component Services > My Computer > Properties > COM Security tab > Launch and Activation Permissions > Edit Limits > Add user > Grant Remote Launch and Remote Activation permissions. (It seems this step is not required if User Account Control is disabled on the target machine.)
Step 4: Grant Remote WMI permissions. Here I deviated slightly from John’s instructions: I only needed remote access to CIMV2, and Authenticated Users was already there so I was just adding a permission. Computer Management > Services and Applications > WMI Control > Properties > Security tab > expand Root and select CIMV2 > Security button > Advanced > highlight Authenticated Users (already there on my server) > Edit > check Remote Enable > OK. Restart the Windows Management Instrumentation service to make sure the changes take effect.
Update November 5, 2013: The steps here are a little different in Server 2012 R2. You cannot edit the existing Authenticated Users permission. Instead, once you are viewing Advanced Security Settings for CIMV2, click on the Add button, click Select a principal, type Authenticated Users and click OK, then check Remote Enable and click OK.
After this, in the Advanced Security Settings dialog, you’ll see one entry for Authenticated Users inherited from the Parent Object, and a second entry that you just created that is not inherited.
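To tell which of the four steps is still blocking a query, the following client-side check (an added example, not from the original post or from John Howard's article) runs the same query with explicit credentials and reports the failure class. The account name `wmiuser` is hypothetical, and the mapping of exception types to steps follows the usual WMI troubleshooting associations (0x800706BA for firewall/RPC, 0x80070005 for DCOM, 0x80041003 for the WMI namespace), which is an assumption not stated on this page.

```powershell
# Added example. WGSERVER01 is the page's sample target; "wmiuser" is a
# hypothetical local account on that workgroup server.
$Target = "WGSERVER01"

# Prompt for the password; COMPUTER\user selects the target's local account.
$Cred = Get-Credential -Credential "$Target\wmiuser"

try {
    $os = Get-WmiObject -ComputerName $Target -Credential $Cred `
        -Namespace "root\CIMV2" -Class Win32_OperatingSystem `
        -Property "Version" -ErrorAction Stop
    Write-Output "OK: $Target reports OS version $($os.Version)"
}
catch [System.Runtime.InteropServices.COMException] {
    # Usually 0x800706BA (RPC server is unavailable): nothing answered on the wire.
    $code = '0x{0:X8}' -f $_.Exception.ErrorCode
    Write-Warning "RPC/COM failure $code. Check Step 2 on the target:"
    Write-Warning 'netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes'
}
catch [System.UnauthorizedAccessException] {
    # 0x80070005: DCOM refused the logon or the remote activation.
    Write-Warning "DCOM access denied. Check the credentials (Step 1) and the"
    Write-Warning "Remote Launch / Remote Activation limits (Step 3)."
}
catch [System.Management.ManagementException] {
    # WMI itself answered, e.g. ErrorCode AccessDenied (0x80041003).
    Write-Warning "WMI error: $($_.Exception.ErrorCode). Check Remote Enable on"
    Write-Warning "root\CIMV2 (Step 4), then restart the WMI service on the target."
}
catch {
    # Anything else: show the raw type and message rather than guessing.
    Write-Warning "$($_.Exception.GetType().FullName): $($_.Exception.Message)"
}
```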
Note: I expected that I would need to enable Network DTC access (described on Technet). However, WMI seems to work with that turned off.
So Why Does This Work on Domain-Joined Computers without All the Fuss?
As best I can tell, this is because Local Administrators already have these remote DTC and WMI privileges. If you use domain admin credentials, the domain admin is a member of the Local Administrators group on the target computer, so the domain admin “inherits” those permissions.