SBS 2003 SP 1/ISA 2004: WMI scripts don’t work (Part 1)

If you just upgraded to SBS 2003 SP1 with ISA 2004 and you use scripts on the SBS machine to monitor and control your client machines or member servers (such as the scripts you find at Technet Script Center), your scripts might not work any longer.
 
This problem is acute when you use WMI scripts (such as those from the famous Scriptomatic tool) to run against a remote machine and get information from it.  The scripts may give no results, or fail with a 0x800706ba error.
 
Scripts that you run on a workstation against your SBS machine may fail as well.
 
After running in circles for a month, I figured it out.  I’ll explain how I finally diagnosed this in my next post, but if you have this problem and just want to stop banging your head, here’s how to fix it:
 
On the SBS machine, open up ISA Server Management (if you don’t remember where it is, click Start/All Programs/Microsoft ISA Server/ISA Server Managment)
Find "Firewall Policy" on the left pane and right click it.  Select Edit System Policy.  The System Policy Editor should pop up.
 
Scroll down to Authentication Services and select it.  In the General tab, note the checkbox marked "Enforce strict RPC compliance".  Note the information balloon that reads:  "When ‘Enforce strict RPC compliance’ is not selected, additional RPC type protocols, such as DCOM, will be enabled." 
 
Bingo.
 
Uncheck "Enforce strict RPC compliance".  Click OK.  Note the bar on the top of the ISA console that prompts you to apply or discard your changes.  Click Apply.  Click OK.
 
Your WMI scripts should now work.
 
 
Advertisements

2 Comments on “SBS 2003 SP 1/ISA 2004: WMI scripts don’t work (Part 1)”

  1. Jeffrey says:

    Great find! Thanks for blogging this. I was also having difficulting getting this to work properly.

  2. mike says:

    THANK YOU (insert diety) FOR THIS BLOG!!!
     
    I spent 4 hours today trying to narrow down what was causing this. Eventually (read:3.5 hours later) I found the log entries and searched online for "allow rpc from isa server to trusted servers", and eventually found your posting.
     
    Thanks again,
     
    -Mike


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s