Export (0) Print
Expand All
7 out of 12 rated this helpful - Rate this topic

Connecting Between Different Operating Systems

You can create a remote connection between most operating system versions. However, in the basic remote connection scenario where Computer A connects to a WMI namespace on Computer B, the target Computer B may require higher levels of security.

Note  Content in this topic applies to operating systems earlier than Windows Vista. For more information, see Connecting to WMI Remotely Starting with Vista.

The following sections are discussed in this topic:

Connecting Between Operating Systems

Computer A connects to a WMI namespace on Computer B

Only domain accounts in the Administrators group can establish a connection to a remote WMI computer namespace in a domain. The target computer requires certain settings for impersonation and authentication levels to accept a remote connection.

The following VBScript code example shows how to set the authentication level to Pkt.

Set objWMIService = GetObject("winmgmts:" _
   & "{authenticationLevel=Pkt}!\\" _
   & "ComputerB" _
   & "\root\cimv2")

For more information about setting authentication and impersonation levels, see Setting the Default Process Security Level Using VBScript and Constructing a Moniker String.

The following VBScript code example obtains the computer up time from a remote computer named "RemoteXPMachine". The "\\" required before the remote computer name is added by the script following the impersonation level setting.

Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")
strComputer = "RemoteXPMachine"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=Impersonate," _
    & "authenticationLevel=Pkt}!\\" _
    & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOS in colOperatingSystems
    dtmConvertedDate.Value = objOS.LastBootUpTime
    dtmLastBootUpTime = dtmConvertedDate.GetVarDate
    dtmSystemUptime = DateDiff("d", dtmLastBootUpTime, Now)
Wscript.Echo dtmSystemUptime 
Next

For more information and examples of setting impersonation and authentication in WMI, see Creating a WMI Script or Creating a WMI Application Using C++.

DCOM Impersonation and Authentication Settings

WMI has default DCOM impersonation, authentication, and authentication service (NTLM or Kerberos) settings that the target computer (Computer B) in a remote connection requires. Computer A may use different defaults that Computer B does not accept. You can change these settings in the connection call. For more information, see Setting Client Application Process Security. However, for the authentication service, it is recommended that you specify RPC_C_AUTHN_DEFAULT and allow DCOM to choose the appropriate service for the target computer.

You can supply settings in parameters for the calls to CoInitializeSecurity or CoSetProxyBlanket in C++. In scripts, you can establish security settings in calls to SWbemLocator.ConnectServer, in an SWbemSecurity object, or in the scripting moniker string. For a list of all the C++ impersonation constants, see Setting the Default Process Security Level Using C++. For the Visual Basic constants and scripting strings for using the moniker connection, see Setting the Default Process Security Level Using VBScript.

The following table lists the default DCOM impersonation, authentication, and authentication service settings required by the target computer (Computer B) in a remote connection. For more information, see Securing a Remote WMI Connection.

Computer B operating systemImpersonation level scripting stringAuthentication level scripting stringAuthentication service
Windows XP ProfessionalImpersonatePktKerberos
Windows Server 2003ImpersonatePktKerberos
Windows VistaImpersonatePktKerberos

 

WMI remote connections are affected by User Account Control (UAC) and Windows Firewall. For more information, see Connecting to WMI Remotely Starting with Vista and Connecting Through Windows Firewall.

Windows Server 2003 and Windows XP with SP2:  Remote connections are affected by Windows Firewall and DCOM settings but User Account Control does not exist.

Be aware that connecting to WMI on the local computer has a default authentication level of PktPrivacy.

Failure to Connect

The following connections between operating system versions are not supported:

  • You cannot connect to a computer that is running Windows XP Home Edition.

You may be trying to connect to a namespace which requires an encrypted connection, one that requires an authentication level of pktPrivacy, WbemAuthenticationLevelPktPrivacy, or RPC_C_AUTHN_LEVEL_PKT_PRIVACY. For more information, see Securing WMI Namespaces, Securing C++ Clients and Providers, or Setting the Default Process Security Level Using VBScript.

Time-out on Connection

When connecting to WMI through a call to SWbemLocator.ConnectServer or IWbemLocator::ConnectServer, you can set the wbemConnectFlagUseMaxWait flag (scripting) or the WBEM_FLAG_CONNECT_USE_MAX_WAITin C++ value to 128 (0x80) to impose a two (2) minute time-out on the call.

Related topics

Securing a Remote WMI Connection
Connecting to a 3rd Computer-Delegation
Connecting Through Windows Firewall
Creating Processes Remotely
Securing C++ Clients and Providers
Securing Scripting Clients

 

 

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.