Collecting inventory data over WMI from domain computers normally works without difficulty. Sometimes, however, problems occur. They can be caused by changed security settings or by some other reason. If errors arise while the program is trying to access domain computers via WMI, the problem can be solved remotely by following the instructions below, which use Group Policy settings.
1. Policy Editor
For Windows Server 2003 (see Windows Server 2008 instructions below)
Click "Start" – "Run..." (or press Win+R) – type "mmc". Click "OK".
Select the menu item "File" – "Add/Remove Snap-in...".
Select "Group Policy Management Editor" and click "Add >". Click "OK".
Select the "Default Domain Policy" node on the console tree.
For Windows Server 2008
1) Open the Group Policy Management Console: "Start" – "Administrative Tools" – "Group Policy Management" (or click "Start" – "Run..." (or press Win+R), type "gpmc.msc", and click "OK").
2) Select "Default Domain Policy" and click "Edit" in the context menu.
2. User Account Control (UAC)
Starting with Vista, Windows includes the User Account Control (UAC) component. By default, the programs it starts run under a standard user access token. If administrator rights are necessary for some action, the system prompts the user to change, or "elevate", the security context from a standard user to an administrator. Remote requests are always executed under the user access token, because UAC cannot prompt a remote user the way it does when something is executed locally. That is why UAC has to be configured to provide remote access to DCOM.
1) Select the node "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" and set the "User Account Control: Run all administrators in Admin Approval Mode" option's setting to "Disabled".
2) Set the "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" policy's setting to the "Elevate without prompting" value.
3) Set the "User Account Control: Detect application installations and prompt for elevation" policy's setting to the "Disabled" value.
3. Windows Firewall
The Windows Firewall must allow the DCOM protocol, which is necessary for executing remote WMI requests (ports 135 and 445).
To configure the Firewall, go to this node in the console: "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings".
In the Windows Server 2003 settings, enable "Allow exceptions for remote administration". This allows DCOM and WMI execution. For newer Windows Server versions, the pre-defined "WMI" and "Remote Administration" rules exist. You can configure these rules in the "Inbound Rules" sub-menu, using the "New Rule" context menu.
4. Switching to Classic Access Model
In the console node "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options", select the "Network access: Sharing and security model for local accounts" parameter and set it to the "Classic – local users authenticate as themselves" value.
Disable the "Accounts: Limit local account use of blank passwords to console logon only" setting.
5. Required Services
Go to the "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\System Services" node.
Enable the following system services:
1) RpcSs - Remote Procedure Call (RPC)
2) DCOMLaunch - DCOM Server Process Launcher
3) LanManServer - Server
6. DCOM Configuration
Go to the "Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" node.
Edit the restrictions on DCOM access and execution. Double-click "DCOM: Machine Access Restrictions…", click "Edit Security", add the user account that is used for inventory data collection, and enable these options to grant it access: "Local Launch", "Remote Launch", "Local Activation", and "Remote Activation".
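
A read-only check for the steps above, as an added example that is not part of the original instructions: run from the inventory host in Windows PowerShell, it tests ports 135 and 445, opens a WMI session over DCOM, and reads back the service states and the registry values behind the UAC and access-model policies. The function name and the computer name are hypothetical; the registry value names are the standard locations for these policies.

```powershell
# Added example: run from the inventory host against one domain computer.
# Test-WmiInventoryAccess and the computer name below are hypothetical.
function Test-WmiInventoryAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Firewall step: the two ports named in this instruction must be reachable.
    foreach ($port in 135, 445) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $port"; Value = $open; Expected = $true }
    }

    $session = $null
    try {
        # Force DCOM; a CIM session would otherwise default to WinRM.
        $dcom    = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $dcom -ErrorAction Stop

        # Required services step.
        $filter = "Name='RpcSs' OR Name='DcomLaunch' OR Name='LanmanServer'"
        Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter $filter |
            ForEach-Object { [pscustomobject]@{ Check = "Service $($_.Name)"; Value = $_.State; Expected = 'Running' } }

        # UAC and access-model steps, read back through the StdRegProv WMI class.
        $hklm   = [uint32]2147483650   # HKEY_LOCAL_MACHINE
        $uacKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        $lsaKey = 'SYSTEM\CurrentControlSet\Control\Lsa'
        $values = @(
            @{ Key = $uacKey; Name = 'EnableLUA';                  Expected = 0 }  # Admin Approval Mode disabled
            @{ Key = $uacKey; Name = 'ConsentPromptBehaviorAdmin'; Expected = 0 }  # Elevate without prompting
            @{ Key = $uacKey; Name = 'EnableInstallerDetection';   Expected = 0 }  # Installer detection disabled
            @{ Key = $lsaKey; Name = 'ForceGuest';                 Expected = 0 }  # Classic access model
            @{ Key = $lsaKey; Name = 'LimitBlankPasswordUse';      Expected = 0 }  # Blank-password limit disabled
        )
        foreach ($v in $values) {
            $r = Invoke-CimMethod -CimSession $session -Namespace 'root/default' -ClassName StdRegProv `
                -MethodName GetDWORDValue -Arguments @{ hDefKey = $hklm; sSubKeyName = $v.Key; sValueName = $v.Name }
            [pscustomobject]@{ Check = $v.Name; Value = $r.uValue; Expected = $v.Expected }
        }
    }
    catch {
        # Ports open but no session usually points at the DCOM or UAC steps.
        [pscustomobject]@{ Check = 'WMI over DCOM'; Value = $_.Exception.Message; Expected = 'session opens' }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

Test-WmiInventoryAccess -ComputerName 'PC-EXAMPLE01' | Format-Table -AutoSize
```

A row whose Value differs from Expected points to the step of this instruction that has not reached the computer yet. The same output also serves as an audit record of which machines run with the UAC and blank-password settings relaxed.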