Connection to SMS Provider Without Impersonation May Cause the Wrong User Groups to Be Retrieved

When you are using a program that does not set the WBEM security level to Impersonate (wbemImpersonationLevelImpersonate (3)) during a connection to the Systems Management Server (SMS) provider, the SMS provider may obtain the incorrect user groups to which that user belongs. The user may then have more or less access rights in a running SMS Administration console (or program that uses the SMS SDK) than is defined in the SMS Security rights.

The SMS Provider is incorrectly dealing with provider connections which are not setting the DCOM security level to Impersonate.

Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Systems Management Server 2.0. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Hotfix Information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The hotfix originally provided for the problem that is described in this Microsoft Knowledge Base article is no longer available. The hotfix for the following Microsoft Knowledge Base article now supercedes it. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: If you want to resolve the problem that is described in this article, you must install the hotfix for Microsoft Knowledge Base article Q324204.

To work around this problem, always set the WBEM authentication level to Impersonate in any program or script that connects to the SMS provider.

If you are using the WMI Scripting API, verify that the registry on the computer that is running the script has a default impersonation level set in the registry:

1. Start Registry Editor (Regedt32.exe).
2. Locate the Default Impersonation Level value under the following key in the registry:
   HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\Scripting
3. Verify that the REG_DWORD value is set to 0x3.
4. Quit Registry Editor.

If the SMS Service account has security rights in the SMS Administrator console by way of account or group membership, either remove or restrict the rights as it is the group membership for this account which may be incorrectly checked for access.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Systems Management Server 2.0 Service Pack 5.

How to Install the Hotfix

Apply this fix on all of the sites in the SMS hierarchy, including the SMS provider if it is located on a separate database server. To install the fix, use one of the following methods.

How to Use the Hotfix Installer

NOTE: You can use this method only on Intel-based computers.

1. Copy the hotfix folder structure to a local folder on your site server or to a share on your network. The I386 and Alpha subfolders are required; you must also download them from the Microsoft FTP site. It is important to keep the folder structure intact. The Q316258.exe file is a Microsoft Windows Installer file that updates specific files on your site server.
2. Log on to your site server by using an account with administrator rights.
3. On the site server, quit the SMS Administrator console.
4. Run the Q316258.exe file and follow the instructions in the wizard. The SMS services are stopped and restarted as part of the installation process.

How to Manually Install the Hotfix

1. Copy the update program file (Q316258.exe) and platform folders to a new folder. The folder structure must be such that the program file is located one folder "above" the platform folders.
2. Quit the SMS Administrator console and stop all SMS services in Control Panel. If the SMS_SITE_BACKUP service is running, stop it also.
3. If the SMS provider is located on a separate SQL server, also perform the steps that are associated with SMS provider de-registration, file replacement and re-registration on that server.
4. On the server on which the SMS provider is running, stop the Winmgmt service.
5. On the server on which the SMS provider is running, unregister the SMS Provider that is located in the SMS\BIN\platform folder by using the regsvr32 /u smsprov.dll command.
6. On the server on which the SMS provider is running, replace the Smsprov.dll file in the SMS\BIN\platform folder with the version that is located in the hotfix platform folder.
7. Replace the Basesvr.dll file in the SMS\BIN\platform folder with the version that is located in the hotfix platform folder.
8. Replace the Compmgr.exe file in the SMS\BIN\platform folder with the version that is located in the hotfix platform folder.
9. Replace the Cmprov.dll file in the SMS\BIN\platform folder with the version that is located in the hotfix platform folder.
10. On the server on which the SMS provider is running, register the SMS Provider DLL in the SMS\BIN\platform folder by using the regsvr32.exe smsprov.dll command.
11. On the server on which the SMS provider is running, start the Winmgmt service.
12. Restart the SMS site services.

Sample VbScript of how to set the WBEM authentication level when you connect to the SMS Provider: Before you install the hotfix, when a client tries to connect to the SMS provider without impersonation, you may receive the following entry in the SMS provider log (Smsprov.log): With the hotfix installed, the SMS provider will log the following in its log file. The SMS provider will not allow a connection without impersonation set.