Evaluation Error on all 'Windows Log' policies

Dec 19, 2011 at 11:38 PM

I have successfully configured EPM to monitor my five SQL servers (two 2005 and three 2008) and have started reviewing the failed policies. There is one problem I'm having: ALL the policies within the 'Best Practices: Windows Log' have errored out. When I connect to my SQL 2008 development server using either my personal account or the service account I use to own the EPM installation, the individual policies work. But when I run the agent job that executes the PowerShell script, all the Windows Log policies error out. Any recommendation of how to track down the problem would be greatly appreciated.

Here's the error trace:

 

Database Compliance: Evaluation Error Detail
Policy Name: Windows Event Log System Failure Error
Policy Target Server: vmdev-app2

Microsoft.SqlServer.Management.Dmf.PolicyEvaluationException:
Exception encountered while executing policy Windows Event Log System Failure Error.
---> Microsoft.SqlServer.Management.Dmf.DmfException: An error has occurred while accessing WMI: root\CIMV2.
---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
---> System.Management.ManagementException: Access denied
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementScope.InitializeGuts(Object o)
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeFunction.EvaluateExecuteWqlScalar()
   --- End of inner exception stack trace ---
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeFunction.EvaluateExecuteWqlScalar()
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeFunction.DoEvaluate(FacetEvaluationContext context, Boolean checkSqlScriptAsProxy)
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeFunction.GetParameters(FacetEvaluationContext context, Function funcType, Boolean checkSqlScriptAsProxy)
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeFunction.DoEvaluate(FacetEvaluationContext context, Boolean checkSqlScriptAsProxy)
   at Microsoft.SqlServer.Management.Dmf.ExpressionNodeOperator.DoEvaluate(FacetEvaluationContext context, Boolean checkSqlScriptAsProxy)
   at Microsoft.SqlServer.Management.Dmf.Condition.Evaluate(Object target, AdHocPolicyEvaluationMode evaluationMode)
   --- End of inner exception stack trace ---

Dec 22, 2011 at 8:21 PM

Below are the steps Microsoft support came up with to rectify the problem. They must be run on each remote server that the EPM connects to.

Start > Run > wmimgmt.msc

In the tree view on the left, right-click on WMI Control (Local) and select Properties.

Click on the Security tab, expand the tree and click on CIMV2 to highlight it.

Click on the Security button.

Click Add, type in the name of the domain account that the job runs under ("APACORP\svcsql_2008epm" in my case) and click on Check Names.

Click OK. Now grant svcsql_2008 additional access by putting a checkmark in “Execute Methods”, “Full Write”, “Partial Write”, “Provider Write”, “Remote Enable” and “Read Security”. Make sure that “Edit Security” remains unchecked.  Click Apply and OK.

Repeat the same steps for the “ms_409” branch directly under CIMV2:

Click on ms_409 > Security > Add > APACORP\svcsql_2008epm (or whatever your account is) > Check Names > OK > Checkmarks on Execute Methods, Full Write, Partial Write, Provider Write, Enable Account (checked by default), Remote Enable and Read Security. Make sure Edit Security is not checked. Click Apply > OK > OK.

The grants to WMI are now complete; close the WMI management console.

 

The next step is to grant access to DCOM.

Click Start > Run > DCOMCNFG > OK.

In the treeview on the left, expand Component Services, expand Computers, and then right-click My Computer and click Properties.

In the My Computer Properties dialog box, click the COM Security tab.

Under Launch and Activation Permissions, click Edit Limits to open the “Launch and Activation Permissions” dialog box.

Click Add and enter “svcsql_2008EPM” (or whatever your account is) and click Check Names, then click OK.

Leave the Allow check on “Local Launch” and place checks on “Remote Launch” and “Remote Activation” as well. Click OK when done.

Click Apply and OK. Close the component service application as DCOM security changes are now complete.

 

Testing

To test the security changes, connect to the server running the EPM using the svcsql_2008EPM account and select Start > Run > wbemtest

Click the Connect button in the upper right-hand corner. In the Namespace field, append the server name to the beginning so that it appears as: \\app-srv25\root\cimv2

Click Connect.

All the buttons should be active (i.e. not grayed out). Click on Query and enter the following:

select EventCode from Win32_NTLogEvent where EventCode=55 and Logfile="System"

The query should not retrieve any data but should complete with a status of “Done”.

Click Close and Exit to finish with the Windows Management Instrument Tester.

 

Re-run the EPM data collection job - the Windows Log policies will no longer complete with an error.

Ken
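
A scripted check of the result of the steps above, added here as an example and not part of the original post or of EPM: it lists the rights the account holds on the two WMI namespaces, warns if Edit Security was granted, and then runs the same WQL test query. It assumes Windows PowerShell (for Get-WmiObject and Invoke-WmiMethod) run from the EPM server as the service account or an administrator; `$Server` and `$Account` default to the names used in the post.

```powershell
# Added example, not from the original post. $Server and $Account default to
# the names used in the post; change both for your environment.
param(
    [string]$Server  = 'app-srv25',
    [string]$Account = 'APACORP\svcsql_2008epm'
)

# Access-mask bits behind the checkboxes in the WMI Control security dialog.
$Rights = @{
    'Enable Account' = 0x1;     'Execute Methods' = 0x2;  'Full Write'    = 0x4
    'Partial Write'  = 0x8;     'Provider Write'  = 0x10; 'Remote Enable' = 0x20
    'Read Security'  = 0x20000; 'Edit Security'   = 0x40000
}

foreach ($ns in 'root\cimv2', 'root\cimv2\ms_409') {
    # Reading the descriptor needs the Read Security right on the namespace.
    $sd = Invoke-WmiMethod -ComputerName $Server -Namespace $ns `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor -ErrorAction Stop
    if ($sd.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $ns returned $($sd.ReturnValue)"
    }

    # Only ACEs that name the account directly are listed; rights held
    # through group membership are not resolved here.
    $aces = @($sd.Descriptor.DACL | Where-Object {
        ('{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name) -ieq $Account })
    if ($aces.Count -eq 0) { Write-Warning "$ns : no ACE for $Account"; continue }

    foreach ($ace in $aces) {
        $kind  = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        $names = $Rights.GetEnumerator() | Sort-Object Value |
            Where-Object { $ace.AccessMask -band $_.Value } |
            ForEach-Object { $_.Key }
        '{0} : {1} : {2}' -f $ns, $kind, ($names -join ', ')
        if ($ace.AceType -eq 0 -and ($ace.AccessMask -band $Rights['Edit Security'])) {
            Write-Warning "$ns : Edit Security is granted to $Account; the steps say to leave it unchecked"
        }
    }
}

# Same WQL the post runs in wbemtest. A remaining WMI or DCOM permission gap
# surfaces here as a terminating "Access denied" error.
$wql  = 'select EventCode from Win32_NTLogEvent where EventCode=55 and Logfile="System"'
$hits = @(Get-WmiObject -ComputerName $Server -Namespace 'root\cimv2' -Query $wql -ErrorAction Stop)
'Query completed, {0} event(s) returned' -f $hits.Count
```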