You may receive an "Access is denied" error message when you try to query some WMI objects on a Windows Server 2003 Service Pack 1-based domain controller

You try to query some Windows Management Instrumentation (WMI) objects on a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based domain controller. If you are not logged on to Windows Server 2003 as an administrator, you may receive an "Access is denied" error message. For example, when you use the Ultrasound tool to try to collect information from a Windows Server 2003 SP1-based domain controller, you may receive an error message that is similar to the following:

This issue occurs because Windows Server 2003 SP1 adds some new DCOM security features. These new features provide maximum security access to DCOM objects that are based in the new "Distributed COM Users" group. This group is a built-in group. Because all domain controllers in a domain share all the built-in groups, Windows Server 2003 SP1 does not add this group on each domain controller that is installed in the domain. Windows Server 2003 SP1 adds the new built-in group only on a Windows Server 2003 SP1-based primary domain controller (PDC).

To resolve this issue, make sure that you install Windows Server 2003 SP1 on the PDC first. When you do this, WMI queries do not stop working when you install Windows Server 2003 SP1 on other domain controllers.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Ultrasound monitoring is based on the WMI provider. The WMI provider queries a DCOM object. If the monitoring box does not have rights to access the DCOM object, the queries fails.

For more information, click the following article number to view the article in the Microsoft Knowledge Base: