CSS SQL Server Engineers

This is the official team Web Log for Microsoft Customer Service and Support (CSS) SQL Support. Posts are provided by the CSS SQL Escalation Services

WMI Provider Error: Access is denied. [0x80070005] from SQL Server Computer Manager

WMI Provider Error: Access is denied. [0x80070005] from SQL Server Computer Manager

  • Comments 7

 

When you attempt to change the Login Account for the SQL services [SQL Server, SQL Agent, Full Text, Analysis Services] from the SQL Server Computer Manager tool, you may encounter the following error message:

"WMI Provider Error"

"Access is denied. [0x80070005]"

 

This post is applicable for SQL Services installed as failover instances on Windows Clusters.

If this is the only operation [changing service startup account] that gives you this error and you can perform all other operations from Computer Manager, then verify the following:

 

-          When you setup SQL Server, you provided a domain group for cluster services

-          You need to make sure one of the following is true:

o   The Windows user account under which you are running the SQL Server Computer Manager has appropriate permission in the Active Directory to add the new service startup account to the domain group for cluster

o   The new service startup account is already added to the appropriate domain group for cluster. You can specify different domain groups for SQL Server, SQL Agent, Full Text, and Analysis Services. Make sure to add the appropriate service startup account to the correct domain group.

 

Basically this message is telling you that the SQL Computer Management WMI provider [sqlmgmprovider.dll] attempted to add the new service startup account to the domain group for cluster and it failed with this error.

 

You will notice the recommended steps for changing service startup accounts in a failover cluster are documented in the Knowledge Base article:

915846  Best practices that you can use to set up domain groups and solutions to problems that may occur when you set up a domain group when you install a SQL Server 2005 failover cluster

How to change the service account for a clustered service

To change the service account for a clustered service of SQL Server 2005, follow these steps:

1.

Add the new service account to the domain group of the clustered service.

2.

On one of the cluster nodes, use SQL Server Configuration Manager to change the service account to the new account.

You can actually see what is happening if you turn on the verbose WMI logs:

START >> ADMINISTRATIVE TOOLS >> COMPUTER MANAGEMENT >> SERVICES AND APPLICATIONS >> WMI CONTROL >> PROPERTIES >> LOGGING >> VERBOSE

      Change the Log max size to 1 MB

      Note down the location of the log files

      Save the changes and restart winmgmt service

The framework logs will show the following entries of interest:

 

GetNamespaceConnection: root\Microsoft\SqlServer\ComputerManagement  12/26/2008 11:33:53.883       thread:2684

CreateInstanceEnumAsync: SqlService - Succeeded 12/26/2008 11:33:53.883    thread:2684  

CWbemProviderGlue::Release, count is (approx) 6 12/26/2008 11:33:53.883    thread:2684  

CWbemProviderGlue::AddRef, count is (approx) 7  12/26/2008 11:33:56.352    thread:2684  

GetObjectAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2      12/26/2008 11:33:56.352       thread:2684  

Impersonation running as: SURESHKADC\sureshka   12/26/2008 11:33:56.352    thread:2684  

GetObjectAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2 - Succeeded 12/26/2008 11:33:57.180  thread:2684  

CWbemProviderGlue::Release, count is (approx) 6 12/26/2008 11:33:57.180    thread:2684  

CWbemProviderGlue::AddRef, count is (approx) 7  12/26/2008 11:34:16.461    thread:2684  

GetObjectAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2      12/26/2008 11:34:16.461       thread:2684  

Impersonation running as: SURESHKADC\sureshka   12/26/2008 11:34:16.461    thread:2684  

Recognized __GET_EXT_KEYS_ONLY    12/26/2008 11:34:16.461    thread:2684  

GetObjectAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2 - Succeeded 12/26/2008 11:34:17.305  thread:2684  

CWbemProviderGlue::Release, count is (approx) 6 12/26/2008 11:34:17.305    thread:2684  

CWbemProviderGlue::AddRef, count is (approx) 7  12/26/2008 11:34:17.305    thread:2684  

ExecMethodAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2.SetServiceAccount 12/26/2008 11:34:17.305  thread:2684  

Impersonation running as: SURESHKADC\sureshka   12/26/2008 11:34:17.305    thread:2684  

ExecMethodAsync: SqlService.ServiceName="SQLAgent$SQLINST03",SQLServiceType=2.SetServiceAccount - FAILED (80070005)    12/26/2008 11:34:18.352    thread:2684  

CWbemProviderGlue::Release, count is (approx) 6 12/26/2008 11:34:18.352    thread:2684  

 

Here you will be able to notice

-          What is the Windows user credentials under which the operation is being performed

-          What specific WMI call failed

-          What was the return code

 

After this you can debug the SetServiceAccount method in the provider and find out the exact step where it fails. This requires the use of Windows Debugger and symbols for the provider.

 

This whole concept applies to the setup process also and is well documented in the Books Online topic: Domain Groups for Clustered Services.

The domain groups should have the appropriate service accounts added to them. If the service accounts are not members of the appropriate domain groups at the time Setup is run, Setup will attempt to add them. In this case, the account under which Setup is running must have adequate privileges to add accounts to the domain groups. If SQL Server Setup is run under an account that does not have permission to add users to the domain groups, the users must already be members of the appropriate group.

 

You can refer to the following article for more information about how the SQL Computer Manager interacts with WMI.

941823  Some or all SQL Server 2005 services are not listed in SQL Server Configuration Manager, or you receive a "No SQL Server 2005 components were found" error message when you perform operations in SQL Server 2005 Surface Area Configuration

 

Thanks

Suresh B. Kandoth

SQL Server Escalation Services

 

Leave a Comment
  • Please add 8 and 3 and type the answer here:
  • Post
  • PingBack from http://www.codedstyle.com/wmi-provider-error-access-is-denied-0x80070005-from-sql-server-computer-manager/

  • I get this error on a standalone server.  There is no domain administrator, because there is no domain.  Also, there is no "Logging" tab under the WMI properties.

    Could someone help?

  • BTW, I am setting up SQL Server 2008 on Windows Server 2008.

  • Have turned on WMI logging in registry, but the log is not much help.

  • Sarah noticed that browsing for the user name and clicking on Check Names

    before going back to the panel to change the passwords fixed the problem.

    The problem was that the user name text box contained ".\SQLServerAccount"

    and the "." was being used as the computer name or domain name by WMI

    when trying to change the password of that account.

    The fix is to remove the ".\" in front of the user name before

    trying to change the passwords.

    Something should eventually be done about this in the SQL Server code to remove the "."

    or the WMI code to deal with a "."

  • I am using SQL 2008 on a local machine.

    From the SQL Server 2008 BOL, I am using the following  (Copy/pasted from the BOL):

    ---

    CREATE DATABASE Archive

    ON

    PRIMARY ( NAME = Arch1,

       FILENAME = 'c:\data\archdat1.mdf'),

    FILEGROUP FileStreamGroup1 CONTAINS FILESTREAM( NAME = Arch3,

       FILENAME = 'c:\data\filestream1')

    LOG ON  ( NAME = Archlog1,

       FILENAME = 'c:\data\archlog1.ldf')

    GO

    ---

    Im logged in as Admin.

    C:\Data exists and all users have full control on this folder.

    I am getting the error:

    Unable to open the physical file "c:\data\filestream1". Operating system error -2147024891: "0x80070005(Access is denied.)".

    What can be problems?

  • May need to verify agains the case (ie upper or lower or mixed) of the login name used. Then match it on the login account name. Then it should allow for the password change.

Page 1 of 1 (7 items)