Windows Server - Remote WMI scripting problems

Asked By lyot

20-Aug-07 02:34 PM

I am trying to create a back-up of event logs on remote computers in my
domain. So far, it has worked fine with the exception that it can only
retrieve the event logs from the LOCAL computer that it was run-on. As far as
I know, there are no firewalls configured to block this network traffic. Can
someone please help?

today = FormatDateTime(Now, vbLongDate)

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("\TEXT FILE.txt", ForReading)

Do Until objTextFile.AtEndOfStream
strComputer = objTextFile.Readline

Set objFolder = objFSO.CreateFolder("NETWORK FOLDER" & strcomputer & "\" &
today & "\")

Set objWMIService = GetObject("winmgmts:" &

Set colLogFiles = objWMIService.ExecQuery ("SELECT * from
Win32_NTEventLogFile")

For Each objLogfile in colLogFiles
strBackupLog = objLogFile.BackupEventLog (objfolder & "\" &
objLogFile.LogFileName & ".evt")

Next

Loop

objTextFile.Close


Note: Anything with caps was an edit for this post.

20-Aug-07 09:27 PM

For maximum compatibility with all clients I use:

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,authenticationLevelPkt,(Backup)}!\\"
_
& strComputer & "\root\cimv2")

In addition, both computers must have WMI, you need administrator privileges
on the remote computer (usually, this means you are a member of the "Domain
Admins" group, which is a member of the local Administrators group), DCOM
cannot be disabled, WMI cannot be blocked, and you need network
connectivity. Also, when reading from a text file it is easy to have blank
lines (if a carriage return is added at the end for example), so I code to
skip blank lines. Because so many things can go wrong, I like to trap the
possible error when attempting to connect with WMI. For example:
==============
Do Until objTextFile.AtEndOfStream
strComputer = Trim(objTextFile.Readline)
' Skip blank lines.
If (strComputer <> "") Then
Set objFolder = objFSO.CreateFolder("NETWORK FOLDER" & strcomputer &
' Trap possible errors.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:" _
&
& strComputer & "\root\cimv2")
If (Err.Number <> 0) Then
Call MsgBox("Failed to connect with WMI to " & strComputer _
& vbCrLf & "Error Number: " & Err.Number
& vbCrLf & "Description: " & Err.Description, _
vbOKOnly + vbCritical, "My Script Title")
' Restore normal error handling.
On Error GoTo 0
Else
' Restore normal error handling.
On Error GoTo 0
Set colLogFiles = objWMIService.ExecQuery ("SELECT * from
Win32_NTEventLogFile")

For Each objLogfile in colLogFiles
strBackupLog = objLogFile.BackupEventLog (objfolder & "\" &
objLogFile.LogFileName & ".evt")
Next
End If
Loop
===========
Also, WMI can become corrupt. Sometimes stopping and starting the WMI
service helps. Otherwise, see these links on troubleshooting WMI:

http://www.microsoft.com/technet/scriptcenter/topics/help/wmi.mspx

http://support.microsoft.com/kb/875605

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

20-Aug-07 09:41 PM

Some time ago I researched how to connect to remote computers with WMI and
found the following:

1. You cannot connect to computers running XP Home.
2. An NT computer cannot connect to OS later than W2k.
3. A W2k3 computer cannot connect to Win9x.
4. To connect to W2k Server SP4 you must set impersonation level to
Impersonate.
5. W2k computers must have SP2 to connect to XP or above.
6. W2k3 can only connect to Win9x and NT if credentials supplied.
7. To connect to XP or W2k3 you must set authentication level to Pkt.

I determined this before Vista came out, so I need to add to the list.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

21-Aug-07 01:50 PM

Thank you for the help so far!
I tried adding in:
Set objWMIService = GetObject("winmgmts:" _ &
strComputer & "\root\cimv2")
For some reason it still failed to retrieve the event logs from remote
computers. Are there any other possible problems that could be causing this?
I'll try having another system administrator run it, in case they have
priviledges I'm not aware of, but is there any other potential cause to this
error?

21-Aug-07 06:21 PM

There are many things that can go wrong with WMI. Check the troubleshooting
links I posted earlier.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

22-Aug-07 12:10 PM

It appears that the ".BackupEventLog" method does not like UNC or Network
shares, almost as if it exec's it with SYSTEM credentials.

22-Aug-07 12:42 PM

I suspect a privilege issue. I know this is common when backing up SQL
Server databases, where the actual backup process uses the server computer
credentials. I don't know how BackupEventLog works, but either you, the
client, or the remote computer needs backup privileges. I don't know if this
link helps:

http://msdn2.microsoft.com/en-us/library/aa390430.aspx

The privilege is called wbemPrivilegeBackup. I can't find better
documentation.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

22-Aug-07 08:24 PM

Remote WMI automation uses account impersonation on the remote side.  The
impersonated account context on the remote side can access local (relative
to the remote WMI instance) file paths but not UNC paths (or any other kind
of remote resource) that requires a 2nd machine hop.

--
Michael Harris
MVP - Windows Server Admin Frameworks