Forum Discussion

gtvmark's avatar
gtvmark
Copper Contributor
Aug 27, 2019

Local Administrator PSSession Access denied

I've enabled PSRemoting on a number of servers.  And I can connect to them with my Domain Admin credentials without issues.

 

When I try to connect to that server with the local admin credentials I get an access denied.  

 

I can enter a pssession with my credentials to that server. (so PSRemoting is configured and working on this server)

I can enter a pssession with my credentials to another server. 

I can enter a pssession with local admin credentials to another server. (I have the localadmin credentials correct and using them correctly)

I cannot enter a pssession with local admin credentials to that server.

 

I have been through the about_remote_troubleshooting help topic, nothing seems relevant.

I've checked  the PSSessionConfiguration and it says that Builtin\Administrators are allowed, and I have checked the local group of the admin account and it is a member of the Administrators group.

I have checked the local admins password using System.DirectoryServices.AccountManagement.PrincipleContext().ValidateCredentials() and verified that it is correct.

I believe there is a misconfiguration on the server but don't know where to find it.

Can someone help?

 

  • Shivtorov's avatar
    Shivtorov
    Copper Contributor

    I suggest you check this registry key value:

     

    https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/support/troubleshooting#using-windows-admin-center-in-a-workgroup

     

    What account are you using?

    Make sure the credentials you are using are a member of the target server's local administrators group. In some cases, WinRM also requires membership in the Remote Management Users group. If you are using a local user account that is not the built-in administrator account, you will need to enable the policy on the target machine by running the following command in PowerShell or at a Command Prompt as Administrator on the target machine:

     

    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

    • gtvmark's avatar
      gtvmark
      Copper Contributor

      Shivtorov 

      I've read that page and the local Administrator on the target machine is a member of the builtin administrators group. 

       

      Which cases does it need remote management group and how do I find this out?

       

      Is there a log showing "this user attempted to login and I denied them because..."

       

      I've read through the remote troubleshooting and I can't see anything incorrect with the setup,  the groups are setup the same between the working and non working server but I can't work out what is wrong.

Resources