Two WMI Issues: RPC and Security
How to get past RPC errors; logging onto the right user profile.
This time, I'd like to tackle two tough topics that have been coming up a lot in the ScriptingAnswers.com forums. Both deal with Windows Management Instrumentation (WMI) in some fashion.
The first issue is the dreaded "RPC Server unavailable" message, often returned when a script tries to connect to WMI on a remote computer, but also pretty common when trying to do any kind of scripting against a remote computer (such as using the WshController object).These days, the problem can almost always be traced back to the Windows Firewall running on the remote computer.
By default, Windows Firewall blocks incoming Remote Procedure Call connections, and most remote scripting operations rely on RPCs in some fashion. You can reconfigure the firewall manually or via Active Directory. You can also control it via scripting. You can find a number of scripts that manage the firewall at http://www.microsoft.com/technet/
scriptcenter/scripts/network/firewall/default.mspx. Obviously, if you’re going to modify Windows Firewall’s settings via script, you’ll have to get the script to run first, right? The easiest way is to deploy your Firewall-modification script as a logon script, which is downloaded during the logon process and which will make it past the Firewall.
The second issue relates to WMI security. Imagine that you’re using WMI to connect to a remote computer and modify, say, shortcuts or drive mappings or something for that computer’s primary user. The problem is that Windows doesn’t understand the concept of "primary user;" all users are equal. And, when you connect to WMI on a remote computer, WMI (by default) impersonates your credentials. As a result, you’re connected to your profile on the remote computer, not the profile of the "primary user." Any drive mappings or shortcuts you modify will be those associated with your profile (or perhaps the "All Users" profile).
The only way to connect to a specific user’s profile on a remote computer is to create the WMI connection using that user’s credentials, which means you’ll need to know their password. Generally, that’s not practical, of course. That means the easiest way to use WMI to modify some profile-specific setting is to deploy the script, again, as a logon script, where it’ll run under the specific user’s security context and have access to their profile.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.