Local Administrator PSSession Access denied

%3CLINGO-SUB%20id%3D%22lingo-sub-823802%22%20slang%3D%22en-US%22%3ELocal%20Administrator%20PSSession%20Access%20denied%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823802%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20enabled%20PSRemoting%20on%20a%20number%20of%20servers.%26nbsp%3B%20And%20I%20can%20connect%20to%20them%20with%20my%20Domain%20Admin%20credentials%20without%20issues.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20try%20to%20connect%20to%20that%20server%20with%20the%20local%20admin%20credentials%20I%20get%20an%20access%20denied.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20enter%20a%20pssession%20with%20my%20credentials%20to%20that%20server.%20(so%20PSRemoting%20is%20configured%20and%20working%20on%20this%20server)%3C%2FP%3E%3CP%3EI%20can%20enter%20a%20pssession%20with%20my%20credentials%20to%20another%20server.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20enter%20a%20pssession%20with%20local%20admin%20credentials%20to%20another%20server.%20(I%20have%20the%20localadmin%20credentials%20correct%20and%20using%20them%20correctly)%3C%2FP%3E%3CP%3EI%20cannot%20enter%20a%20pssession%20with%20local%20admin%20credentials%20to%20that%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20been%20through%20the%20about_remote_troubleshooting%20help%20topic%2C%20nothing%20seems%20relevant.%3C%2FP%3E%3CP%3EI've%20checked%26nbsp%3B%20the%20PSSessionConfiguration%20and%20it%20says%20that%20Builtin%5CAdministrators%20are%20allowed%2C%20and%20I%20have%20checked%20the%20local%20group%20of%20the%20admin%20account%20and%20it%20is%20a%20member%20of%20the%20Administrators%20group.%3C%2FP%3E%3CP%3EI%20have%20checked%20the%20local%20admins%20password%20using%26nbsp%3BSystem.DirectoryServices.AccountManagement.PrincipleContext().ValidateCredentials()%20and%20verified%20that%20it%20is%20correct.%3C%2FP%3E%3CP%3EI%20believe%20there%20is%20a%20misconfiguration%20on%20the%20server%20but%20don't%20know%20where%20to%20find%20it.%3C%2FP%3E%3CP%3ECan%20someone%20help%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-823802%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20PowerShell%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828863%22%20slang%3D%22en-US%22%3ERe%3A%20Local%20Administrator%20PSSession%20Access%20denied%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828863%22%20slang%3D%22en-US%22%3E%3CP%3EI%20suggest%20you%20check%20this%20registry%20key%20value%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fmanage%2Fwindows-admin-center%2Fsupport%2Ftroubleshooting%23using-windows-admin-center-in-a-workgroup%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fmanage%2Fwindows-admin-center%2Fsupport%2Ftroubleshooting%23using-windows-admin-center-in-a-workgroup%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhat%20account%20are%20you%20using%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMake%20sure%20the%20credentials%20you%20are%20using%20are%20a%20member%20of%20the%20target%20server's%20local%20administrators%20group.%20In%20some%20cases%2C%20WinRM%20also%20requires%20membership%20in%20the%20Remote%20Management%20Users%20group.%20If%20you%20are%20using%20a%20local%20user%20account%20that%20is%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3Enot%20the%20built-in%20administrator%20account%3C%2FSTRONG%3E%3CSPAN%3E%2C%20you%20will%20need%20to%20enable%20the%20policy%20on%20the%20target%20machine%20by%20running%20the%20following%20command%20in%20PowerShell%20or%20at%20a%20Command%20Prompt%20as%20Administrator%20on%20the%20target%20machine%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EREG%20ADD%20HKLM%5CSOFTWARE%5CMicrosoft%5CWindows%5CCurrentVersion%5CPolicies%5CSystem%20%2Fv%20LocalAccountTokenFilterPolicy%20%2Ft%20REG_DWORD%20%2Fd%201%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-830564%22%20slang%3D%22en-US%22%3ERe%3A%20Local%20Administrator%20PSSession%20Access%20denied%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-830564%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F63749%22%20target%3D%22_blank%22%3E%40Mikhail%20Shivtorov%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20read%20that%20page%20and%20the%20local%20Administrator%20on%20the%20target%20machine%20is%20a%20member%20of%20the%20builtin%20administrators%20group.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhich%20cases%20does%20it%20need%20remote%20management%20group%20and%20how%20do%20I%20find%20this%20out%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20log%20showing%20%22this%20user%20attempted%20to%20login%20and%20I%20denied%20them%20because...%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20read%20through%20the%20remote%20troubleshooting%20and%20I%20can't%20see%20anything%20incorrect%20with%20the%20setup%2C%26nbsp%3B%20the%20groups%20are%20setup%20the%20same%20between%20the%20working%20and%20non%20working%20server%20but%20I%20can't%20work%20out%20what%20is%20wrong.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I've enabled PSRemoting on a number of servers.  And I can connect to them with my Domain Admin credentials without issues.

 

When I try to connect to that server with the local admin credentials I get an access denied.  

 

I can enter a pssession with my credentials to that server. (so PSRemoting is configured and working on this server)

I can enter a pssession with my credentials to another server. 

I can enter a pssession with local admin credentials to another server. (I have the localadmin credentials correct and using them correctly)

I cannot enter a pssession with local admin credentials to that server.

 

I have been through the about_remote_troubleshooting help topic, nothing seems relevant.

I've checked  the PSSessionConfiguration and it says that Builtin\Administrators are allowed, and I have checked the local group of the admin account and it is a member of the Administrators group.

I have checked the local admins password using System.DirectoryServices.AccountManagement.PrincipleContext().ValidateCredentials() and verified that it is correct.

I believe there is a misconfiguration on the server but don't know where to find it.

Can someone help?

 

2 Replies
Highlighted

I suggest you check this registry key value:

 

https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/support/troubleshooting#...

 

What account are you using?

Make sure the credentials you are using are a member of the target server's local administrators group. In some cases, WinRM also requires membership in the Remote Management Users group. If you are using a local user account that is not the built-in administrator account, you will need to enable the policy on the target machine by running the following command in PowerShell or at a Command Prompt as Administrator on the target machine:

 

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1

Highlighted

@Mikhail Shivtorov 

I've read that page and the local Administrator on the target machine is a member of the builtin administrators group. 

 

Which cases does it need remote management group and how do I find this out?

 

Is there a log showing "this user attempted to login and I denied them because..."

 

I've read through the remote troubleshooting and I can't see anything incorrect with the setup,  the groups are setup the same between the working and non working server but I can't work out what is wrong.