Cannot access remote computer management (MMC) between Win7-Win7 PCs

Discussion in 'Silicon (v)Alley' started by FalconFour, Mar 6, 2011.

  1. #1 FalconFour, Mar 6, 2011
    Last edited by a moderator: Mar 6, 2011
    OK, let's see if any of you guys can help me here. I swear to christ I'm about to throw my fucking computer out the window right now, I cannot stand having my computers tell me that MY OWN ACCESS IS DENIED TO MY OWN COMPUTERS. Fuck.

    "SERVICES".
    "ACTIONS -> CONNECT TO ANOTHER COMPUTER"
    Enter computer name.
    OK.
    "ERROR 5: ACCESS IS DENIED"
    NO, FUCK YOU WINDOWS. FUCK YOU. FUCK YOU HARD.

    This is not fucking difficult. This is standard functionality in Windows. All admin accounts. Forced login via "net use" before connecting. Stored credentials. Same passwords and logins on each. Everything. Exactly. As. It. Should. Be.

    3 computers, all cannot manage each other. 2 Win7 Pro x64 and 1 Win7 Home x64.
    Comp1 -> Comp3 [FAIL]
    Comp3 -> Comp1 [FAIL]
    Comp2 -> Comp3 [FAIL]
    Comp3 -> Comp2 [FAIL]
    Comp2 -> Comp1 [FAIL]
    Comp1 -> Comp2 [FAIL]

    All firewalls are disabled. No matter what, if I do it from Computer Management, or from Services, or from Regedit... EVERY SINGLE ONE fails. I simply CANNOT ACCESS these remote services and it's pissing me right off.

    Someone, please. Anyone. Help me out here. I just need to know if this has ever worked in Windows 7. Can you access your remote services?

    edit: What the fuck is this gibberish?
    http://blogs.msdn.com/b/distributed...es-when-a-distributed-transaction-starts.aspx
     
  2. This definitely works in Win7. Hmmm, you've covered a lot of bases already but here are the ideas I have left:

    Are you running Active Directory or are these all local logins?

    All the software firewalls are disabled, how about other LAN hardware? Knowing you, there is a Layer 3 switch or a router somewhere in the mix here; is it configured to allow all LAN traffic between these IPs? Pretty sure that WMI, RPC, or DCOM all use TCP port 445.

    What's the status of the Remote Procedure Call service on all the PCs? DCOM Server Process Launcher service? Windows Management Instrumentation?

    Is anything being logged in the Event Viewer that gives you more info about the credentials it is using, etc.?

    Under Admin Tools > Component Services right click on My Computer and select the COM Security tab. As a test maybe Edit the Launch and Activation permissions to allow Everyone remote launch and activation? Doesn't seem likely since the Administrators group already has that access. You could also try explicitly adding the admin user rather than implicitly doing it through the group.
     
  3. #3 FalconFour, Mar 6, 2011
    Last edited by a moderator: Mar 6, 2011
    I appreciate a good geek... so much :laughing:

    Funny, because earlier tonight I had a friend check if his systems work right too... they didn't (access denied). I'll try those tips (and probably edit back with results), but... how's your system set up? Are they on a domain? Using homegroup? Any shares on the systems? Is UAC enabled or disabled?

    Strange, after that test I had my friend do, I had it pegged as a UAC issue (I leave UAC enabled on all my computers)... seems it was using the local user account without UAC virtualization, which doesn't have permission to access those things without UAC elevation. I can connect to Computer Management on the affected systems, but I can't open any of the functions (disk management, devmgmt, services, events, etc). If I go to Services directly and "connect to another computer", I just get "access denied" after a short delay.

    In the event log, I enabled audit-on-failure for all options in Local Security Policy, and the only entry in the security log after doing a "failed connect" is one failure to... well... denied access to *checks log*... OH MY GOD WTF, flood of "The Windows Filtering Platform has blocked a connection" events for Apache... damnit, I bet my website's been down all night! Probably because I disabled the Firewall service. Ugh. Anyway... denied access t--... great, the end of the log was cut off due to the 32,000+ Apache connections that were blocked over the past several hours. Thanks, Windows. :p Well, according to my Google history, it was "connect to service controller" and "enumerate services" that it was requesting. Curiously, it was the local system that was denied, which leads me to think it's a UAC thing...

    edit: Ohh, this is delightful. See attachment.

    edit edit: Hmm, I should probably dual-window this and answer all your questions one by one ;)
    Are you running active directory? No, no and no. I get enough of that at work ;)
    How about other LAN hardware? Eh, pretty basic setup: 2 5-port GbE switches in my bedroom, one 8-port GbE in the hall wiring closet, one 5-port GbE in the living room, then it gets complicated with 2 separate subnets to isolate my wireless DHCP from the site-wide "courtesy internet" provided by the complex... wired LAN is all static-IPv4 on the same Phy as all other computers in the building (manual subnet). Wireless isn't even used by me at home, but that's the primary network of the media center/server. Server (one of the PCs I tried) has one "leg" in each network, with its WLAN adapter being the primary connection (default gateway) and GbE LAN as a LAN-only (no GW) connection. Sadly, if Windows has 2 default GWs, it gets unpredictable, I wish I could give it a GW but keep it from using it. Come to think of it I guess I could manually give it a high metric ;) But that might be one potential problem, Windows considers the GbE LAN to be "Public" but I have the firewall disabled anyway. No routing between the two networks, just too much trouble to set up.
    RPC service? All systems go, otherwise I wouldn't have clipboard and I'd definitely notice that!
    DCOM Server Process Launcher? Running on laptop, running on server, pretty sure it was running on desktop too.
    WMI? Also running on both, to be not running on the desktop would've also been a red flag :)
    Event Viewer? See above.
    DCOM? Well on the ZBOX (server), it's working fine. The other PC is off and, well, don't want to boot it now because... my laptop you can see above, has a bit of a DCOM issue. I wonder if that was to blame for the laptop<->2 and 3 issues, and something else would be to blame for the other two (HomeGroup, maybe). I'll look into the DCOM thing...
     


  4. #4 FalconFour, Mar 6, 2011
    Last edited by a moderator: Mar 6, 2011
    The last few posts in this topic (using Easy Transfer from a good system, export Shared Windows Settings only, import on broken PC), worked to fix the DCOM issue, but I still... yeah, still can't access Services on ZBOX. :(

    Permission error when trying to access COM+ applications under Component Services

    edit: Fired up the desktop to check its DCOM... yep, working fine. Still fails in all directions though, tested all combinations. In every case, it always allowed me to "connect to another computer" in Computer Management, but it would hang for about 10 seconds then give me an error when I selected Services from the tree. Curious indeed.
    edit: Exact same behavior on a brand new Win7 x64 VM (that I got the Easy Transfer export from). Gonna try between that and a clone of itself... one sec.
     
  5. Hmm, my systems are on a domain with only the administrative c$, etc. shares. No printers, etc. shared either. UAC enabled at the lowest level. Win7 Pro x64 on both sides.

    I'm with you that UAC sounds like it might be the culprit; that would definitely make sense. I'm curious, if you run MMC as administrator does it also elevate access on the remote computer?
     
  6. Nope, CompMgmt can only be run as an admin so it auto-elevates. I tried launching it from an elevated command prompt, same story.

    Now here's a twist, though... I set up identical Win7 RTM x64 Home Premium virtual machines* and I saw exactly the same behavior there too. Very strange indeed. So it's definitely a stock Windows issue, but perhaps because you're on a domain, it gives you more control. I'll still be playing with this, but at least now we know it's not an issue with my computers (which are all SP1).

    * - and in the process of getting them to both run at the same time, I also resolved a bug in VMware Player that carried over from a VMware memory management issue in Win7 SP1 - so yay, now my Zbox can run my Virtual WHS without crapping out!
     
  7. I am a domain admin on the domain and that might be what's doing the trick. I hate when things don't work out of the box, it's ridiculous!

    At least you got VMware Player sorted out. There is an upside after all.
     
  8. Got it nailed. UAC.

    See, when UAC is enabled, the "admin user account" is not an admin. The system utilizes "UAC virtualization", which basically "RunAs"'s a process with elevated privileges as needed. Since network access uses the local user account, that's why you don't get (and never will get) share access to your Program Files and Windows folders.

    So, on the test virtual machines, I set them both to "Never prompt". Then rebooted. Then tested it. Both ways connected successfully to the Services manager. OK. So I enabled UAC on the first VM and left it off on the other, and rebooted. Now the second VM (UAC disabled) couldn't access the first (UAC enabled) anymore. But the first (enabled) could access the second (disabled). Pretty much nailed that one now.

    Still shocked that nobody has bothered trying this before, as evidenced by the lack of Google results... I guess there will be Google results now (congrats!) ;)
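
The behaviour tested in the last post can be checked on a machine without toggling UAC and rebooting. The following is an added example, not part of the original thread: a read-only PowerShell audit, run locally on the computer you are trying to manage, that reads the two registry values controlling whether a local account in Administrators receives a full or a filtered token when it logs on over the network. `EnableLUA` and `LocalAccountTokenFilterPolicy` are real Windows policy values; the function names are made up for the example. Domain accounts, as on the domain-joined setup mentioned earlier in the thread, are not subject to this filtering.

```powershell
# Added example: read-only audit, run locally on the machine being managed.
# EnableLUA and LocalAccountTokenFilterPolicy are real Windows policy values;
# the function names below are made up for this example.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword {
    param([string]$Name)
    # Returns $null when the value is absent from the key.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$Name }
    return $null
}

function Get-RemoteAdminTokenState {
    param($EnableLUA, $LocalAccountTokenFilterPolicy)
    if ($null -ne $EnableLUA -and $EnableLUA -eq 0) {
        $token = 'Full'
        $why   = 'UAC is off (EnableLUA = 0), so no token filtering happens.'
    }
    elseif ($LocalAccountTokenFilterPolicy -eq 1) {
        $token = 'Full'
        $why   = 'UAC is on, but LocalAccountTokenFilterPolicy = 1 disables remote filtering.'
    }
    else {
        $token = 'Filtered'
        $why   = 'UAC is on and remote filtering is in effect: expect "Access is denied" ' +
                 'from remote Services, Registry and admin-share access with a local account.'
    }
    # New-Object is used instead of [pscustomobject] so this runs on PowerShell 2.0 (Win7).
    New-Object PSObject -Property @{
        Computer                      = $env:COMPUTERNAME
        EnableLUA                     = $EnableLUA
        LocalAccountTokenFilterPolicy = $LocalAccountTokenFilterPolicy
        RemoteLocalAdminToken         = $token
        Reason                        = $why
    }
}

Get-RemoteAdminTokenState -EnableLUA (Get-PolicyDword 'EnableLUA') `
    -LocalAccountTokenFilterPolicy (Get-PolicyDword 'LocalAccountTokenFilterPolicy') |
    Format-List Computer, EnableLUA, LocalAccountTokenFilterPolicy, RemoteLocalAdminToken, Reason
```

The filtered state is the Windows default and also limits what a reused local admin password can do across machines, so a per-machine exception is a trade-off rather than a plain fix.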
     
