Access Denied - get-wmiobject win32_service (Powershell)

Question

11/13/2013 11:35:37 TRCW1 using local computer 11/13/2013 11:35:37 TRCE1 System.Management.ManagementException: Access denied at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode) at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext() at Microsoft.PowerShell.Commands.GetWmiObjectCommand.BeginProcessing()

Code (inside a loop of server names):

$error.clear()  #clear any prior errors, otherwise same error may repeat over-and-over in trace 
if ($LocalServerName -eq $line.ServerName)
    {
       # see if not using -ComputerName on local computer avoids the "service not found" error 
       Add-Content $TraceFilename "$myDate TRCW1 using local computer " 
       $Service = (get-wmiobject win32_service -filter "name = '$($line.ServiceName)'")
    }
else 
    {
       Add-Content $TraceFilename "$myDate TRCW2 using remote computer $($line.ServerName) not eq $LocalServerName" 
       $Service = (get-wmiobject win32_service -ComputerName $line.ServerName -filter "name = '$($line.ServiceName)'")
    }

if ($error -ne $null) 
{
    Write-Host "----> $($error[0].Exception) " 
    Add-Content $TraceFilename "$myDate TRCE1 $($error[0].Exception)" 
}

I'm reading a CSV of server names. I finally added the exception logic, to find I'm getting an "Access Denied". This was only happening on the local server. Seems almost backwards, the local server fails, whereas the remote servers work fine. I even changed logic to test to see if it was the local server, then tried leaving off the -ComputerName parms on the WMI (as shown in code above), and still getting error.

So far, my research shows the answer may lie with

set-item trustedhosts

But my main question is whether trustedhosts is applicable to local servers, or only remote servers. Wouldn't a computer always trust itself? Does it still use remoting to talk to itself?

This server apparently was part of a cluster a long time before I got here, and now it's not. I'm also suspicious of that.

When I run interactively the script works fine, it's only when I schedule it and run it under a service account that it fails with the access denied. The Service Account is local Admin on that box.

I'm using get-wmiobject win32_service instead of get-service because it returns extra info I need to lookup the process, and date/time the service was started using another WMI call.

Running on Win 2008/R2.

Below Update 11/13/2013 5:27Pm

I have just verified that the problem happens on more than one server. [I took the scripts and ran them on another server.] My CSV input includes a list of servers to monitor. The ones outside of my own server always return results. The ones to my own server, that omit the -ComputerName fail. (I have tried with and without the -ComputerName parm for the local server).

Answer 1

Are you running the script "as administrator" (UAC)? When your credentials are calculated for your local instance if you have UAC enabled and you didn't run it "as administrator" it removes the local administrator security token. Connecting to a different machine over the network, A) it completely bypasses UAC, and B) when the target evaluates your token, the group memberships you're in are fully evaluated and thus you get "administrator" access.

Probably unrelated, but I've just run across two 2008 R2 servers out of 10 on my system that reject THE FIRST performance criteria that I'm collecting, but only when it's running as a scheduled task. If I run it interactively it works at least 95% of the time. I'm collecting Disk Seconds/Read and Seconds/Write, so it's the reads that don't show, for these two servers only. I flipped the order and what do you know, the Writes don't report. I just added one drive Seconds/Transfer as a sacrificial lamb to the start of my criteria list, and VOILA now I don't get ACCESS DENIED to the reads and writes.

$counterlist = @("\$server\PhysicalDisk(0*)\Avg. Disk sec/Transfer", "\$server\PhysicalDisk()\Avg. Disk sec/Read", "\$server\PhysicalDisk()\Avg. Disk sec/Write")

$counters = $counterlist | Get-Counter

(not sure how to edit this, but there are asterisks in between the parenthesis after physicaldisk...)