Remote WMI to a Workgroup Server 2008 R2

Mark Berry March 22, 2011

So you’re trying to do a simple PowerShell WMI query from a domain-joined computer to a non-domain-joined (workgroup) Server 2008 R2 computer on the same network, e.g. to check the version of the server’s operating system:

Get-WmiObject -ComputerName "WGSERVER01" -namespace "root\CIMV2" `
-Class win32_OperatingSystem -Property "Version"

But you keep getting nasty messages:

Get-WmiObject : Access denied

I feel your pain. I was beginning to wonder if getting remote WMI working had something to do with planetary alignment.

Finally I stumbled on John Howard’s article about managing Hyper-V remotely. I had used his HVRemote app for just that purpose in an earlier installation. This time I went directly into the meat of the article and found the initial steps for Hyper-V remote management are all about getting WMI to work remotely. I followed steps 1 through 4 in that article and I was able to run the WMI query successfully.

The article has detailed instructions and pictures. Here is a summary:

Step 1: Make sure you are using a username and password which matches between the client and the server. Yes, that means the domain user name matches the non-domain user name. John says that the user does not need to be an administrator on the target machine, but in my case it is an administrator.

Alternatively, you can use the –GetCredential parameter of the Get-WmiObject command. Then you don’t need matching user names; you just supply explicit credentials for the target computer.

Step 2: In Windows Firewall, enable the pre-defined Windows Management Instrumentation (WMI) rules.

Step 3: Grant DCOM (Distributed COM) permissions. I set this up for Authenticated Users. Component Services > My Computer > Properties > COM Security tab > Launch and Activation Permissions > Edit Limits > Add user > Grant Remote Launch and Remote Activation permissions. (It seems this step is not required if User Account Control is disabled on the target machine.)

Step 4:  Grant Remote WMI permissions. Here I deviated slightly from John’s instructions:  I only needed remote access to CIMV2, and Authenticated Users was already there so I was just adding a permission. Computer Management > Services and Applications > WMI Control > Properties > select CIMV2 > Security > Advanced > highlight Authenticated Users (already there on my server) > Edit > check Remote Enable > OK.

Remote WMI 2

After this, in the Advanced Security Settings dialog, you’ll see one entry for Authenticated Users inherited from the Parent Object, and a second entry that you just created that is not inherited.

Note:  I expected that I would need to enable Network DTC access (described on Technet). However WMI seems work with that turned off:

Remote WMI 1

So Why Does This Work on Domain-Joined Computers without All the Fuss?

As best I can tell, this is because Local Administrators already have these remote DTC and WMI privileges. If you use domain admin credentials, the domain admin is member of the Local Administrators group on the target computer, so the domain admin “inherits” those permissions.

Tags: ,

This entry was posted on Tuesday, March 22nd, 2011 at 8:57 pm and is filed under IT Administration. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

1 Comment

  1. Alex   |  November 28, 2011 at 8:06 pm

    Thank you for this post! It is the source of most of my woes setting up a Win2k8R2 server in my local workgroup and then tearing my hear out when MMC would not connect.

    A good clear explanation, even if the context of your error was different.

Leave a Reply





Notify me of followup comments via e-mail. You can also subscribe without commenting.