Aug 26 2019 06:34 PM
Aug 26 2019 06:34 PM
I've enabled PSRemoting on a number of servers. And I can connect to them with my Domain Admin credentials without issues.
When I try to connect to that server with the local admin credentials I get an access denied.
I can enter a pssession with my credentials to that server. (so PSRemoting is configured and working on this server)
I can enter a pssession with my credentials to another server.
I can enter a pssession with local admin credentials to another server. (I have the localadmin credentials correct and using them correctly)
I cannot enter a pssession with local admin credentials to that server.
I have been through the about_remote_troubleshooting help topic, nothing seems relevant.
I've checked the PSSessionConfiguration and it says that Builtin\Administrators are allowed, and I have checked the local group of the admin account and it is a member of the Administrators group.
I have checked the local admins password using System.DirectoryServices.AccountManagement.PrincipleContext().ValidateCredentials() and verified that it is correct.
I believe there is a misconfiguration on the server but don't know where to find it.
Can someone help?
Aug 29 2019 04:39 AM
I suggest you check this registry key value:
What account are you using?
Make sure the credentials you are using are a member of the target server's local administrators group. In some cases, WinRM also requires membership in the Remote Management Users group. If you are using a local user account that is not the built-in administrator account, you will need to enable the policy on the target machine by running the following command in PowerShell or at a Command Prompt as Administrator on the target machine:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
Aug 29 2019 06:42 PM
I've read that page and the local Administrator on the target machine is a member of the builtin administrators group.
Which cases does it need remote management group and how do I find this out?
Is there a log showing "this user attempted to login and I denied them because..."
I've read through the remote troubleshooting and I can't see anything incorrect with the setup, the groups are setup the same between the working and non working server but I can't work out what is wrong.
Jan 29 2021 04:18 AM
@objectclass Unfortunately I had forgotten about this, I can't even remember which server I was having the issue with. I have a vague memory of something specific to that account on that machine, and adding another account, or putting a domain user into the Administrators group was the work around. I'm guessing that as I've forgotten about it, that I did manage to work around it.