1

I have a small shop, around 25 WinXP SP3 clients, with a Win2008 domain controller. I’ve tried pretty much everything I can find in the community forums.

According to this page I’ve set the following Group Policy:

Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile:

Windows Firewall: Allow [incoming] remote administration exception

For good measure I’ve also set the following GP:

Windows Settings/Security Settings/Windows Firewall with Advanced Security/LDAP/Inbound Rules:
WMI (DCOM-In) - Allow - to any local / from any local
WMI (WMI-In) - Allow - to any local / from any local

My DNS tables look clean for all machines.

I have even tried running the line command to allow WMI on a local machine (something I am loath to do - I set up the domain so I could manage computers en masse rather than tweaking settings at each one):

c:> netsh firewall set service remoteadmin enable

That made no difference either.

What the h*** might be going on here? I’ve spent time on and off for months trying to get this to work and I’ve long since gone past the time when I could have compiled, on paper, the inventory data and other management information I need to have. And yet I soldier on. If I don’t find a solution by the end of April this has become a deal-breaker for me. I absolutely love the idea of the software and the community behind it but - gaaaaaah!

1 Spice up
2

What antivirus are you running? Do you have any additional security software installed like Microsoft’s Live OneCare?

3

Thanks. I’m running AVG Network Edition (that’s the paid centrally managed one, not the free one). I’ve implemented the following components:

  • Anti-virus
  • Anit-spyware
  • Anti-rootkit
  • E-Mail Scanner
  • License
  • Resident Shield (scans files as they are opened)
  • Update Manager
  • NOT the firewall

No other third-party firewall, only windows firewall.

No additional security software.

4

Have you tried connecting with the WMI tool from the SpiceWorks server? That is the best way to go. Don’t test SW until you know that WMI itself is working okay. You can test it really quickly with the snap-in.

There is no chance that you have a physical firewall between these machines, is there?

5

No firewall - all on the same physical and logical subnet, no VLANS or anything like that. I can Ping, VNC and Remote Desktop to all of them, from any of them, without routing.

I agree it appears to be a WMI problem and not a SW problem.

I’ve tried the whole c:> wmic /user … get serialnumber trick. That one leaves me a little puzzled. If I run it from my domain controller I get valid data back. If I run it from my desktop machine (where I have spiceworks loaded) with exactly the same credentials i get error messages.

Another interesting symptom: Go into Computer Management, right click the computer to Remote Connect, choose another machine. I can see everything - event logs, local users and groups, services, etc. - EXCEPT when I go to WMI control, right-click, and choose “Properties” I get:

Failed to connect to \COMPUTERNAME because “Win32: Access is denied.”

Again, this test actually succeeds from the domain controller, but not from another machine.

I’m not sure I understand what you mean by the WMI Tool, but I’m all about using it. I really want this to work, I’m just running out of ideas and time to futz with it.

Maybe I could just install SW on my DC, but the stubborn part of me wants to understand what’s going on.

6

I run my SpiceWorks on my DC. We aren’t big enough to segregate that much (our schedule puts us at 28 servers by midsummer) for SW to have its own machine.

Your problem is truly bizarre. The issue is definitely that WMI connection from your workstation. But I can’t imagine what would cause that.

7

Oho, I think I just found something. Per this article community.spiceworks.com/help/Troubleshooting_WMI I tried running dcomcnfg.exe from the commmand line of one of the clients. I got a popup from windows firewall asking me to allow or block access

  • conclusion: I don’t actually have DCOM ports allowed through firewall in GP yet.

further, none of the permissions were set up.

  • conclusion: I don’t have DCOM permissions set up either.

This still leaves me confused as to why I can connect from some machines but not others, but it still seems like progress.

So, how can I set up DCOM and it’s ports through GP?

8

I skimmed through this list of approved antivirus clients:

[ http://community.spiceworks.com/help/Anti-Virus_Support_In_Spiceworks%3F ]

and did not see yours listed. Does the DC have AV? Does your machine?

I would guess the DC does not, but your machine does.

Try uninstalling AVG from yours and a remote machine and test the scanning. (Although it sounds like WMI is working from the DC, so really you might only need to uninstall AV from your machine).

And I do mean uninstall not just “disable”. Disable is usually not really disable… though that makes absolutely no sense to me. :slight_smile:

9

Thanks, Ben.B

I looked at that page and it doesn’t really say those are compatible in the sense of “SW will function in this environment”, more like “SW will detect and report status on these AV packages”.

Further, it says, “NOTE: Spiceworks will work with any Anti-Virus Software that supports the Windows Security Center which was introduced in Windows XP SP2 and is available in all versions of Windows released after XP SP2”. AVG does work with the security center, and I’m on SP3 all around, so I should be good.

I’ll give your suggestion a try, but I have my doubts.

10

AV should not play a role here unless it has an integrated firewall. So we should be in the clear there.

The DCOM issue looks promising.

11

My focus here is network and process interference - and this can be caused by many different software packages.

  • Network traffic sniffers and
  • monitors,
  • firewalls,
  • security products, etc.

can interfere with Spiceworks ability to “get out” to the remote network on the ports that Spiceworks uses to inventory.

I see your point about the AV listings - if AVG is listed in the Security Center you should be set there… my issue is that the “package” deal is becoming more common. One where you are installing AV (but really its AV, personal firewall, and some sort of anti-spam).

I apologize, but I am not familiar with your version of AVG. If you know that it isn’t going to interfere on the network or process level you can skip this step. My view is that uninstalling is a much easier way to find out than setting up exemptions. :slight_smile:

Let me know what you find out. Usually at this point I would check the Windows services list to look for red flags like “network monitor” or the like.

12

Scot and Ben.B, thanks so much for your ongoing dialog.

The AVG I’m using has a firewall component that I tried and chose not to implement, so it’s low on my suspect list.

I’m focussing in on the DCOM issues. I think I’m getting somewhere. I found some GP entries that might make the difference. I’ll keep you-all posted.

13

I agree with you both about DCOM, although its curious that you get a Windows Firewall popup. I tested on my end and I do not get a popup from dcomcnfg.exe.

The possibly relevant entries in my Windows firewall exceptions list:

  • MMC
  • Network Diagnostics for XP
  • Remote Assistance/Desktop
  • spiceworks
  • spiceworks-finder

I wouldn’t rule out the AV until you know for sure that the other pieces of the package aren’t interfering.

14

Any updates on this issue?

15

Almost got it completely fixed (yay!) using some ideas from other sources as well as the forums here, but things got complicated and I’m not sure precisely which factor was key, or if it was all of them together. I’m going to work on breaking it again and will report back.

I’m at least sure it wasn’t the AV. That remained unchanged, and I can now talk to nearly every machine in the domain.

16

Awesome. Glad to hear that there has been progress. We will be interested to hear what the final problem turns out to have been.