locked
winrm error: access denied RRS feed

  • Question

  • Hi,

    I want to use winrm. I have Windows 7 installed and configure it for workgroup not domain.

    Each simple winrm command leads to the error message:   Access is denied


    Mr. google and several forums told me to:

    * execute the winrm command just with having administrator rights
    * to create the DWORD LocalAccountTokenFilterPolicy  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] and set to 1
    * Use Local Security Settings (Secpol.msc) to change the setting of the
         "Network Access: Sharing and security model for local accounts" policy
         in Security Settings\Local Policies\Security Options to "Classic".
    * administrator must have a non blank password
    * first execute      winrm quickconfig


    I did all those hints. Unfortunatly I still recieve the error "Access is denied" for each even simple winrm command.

    I need WinRm, I have to fix the problems under my Windows 7. It must work.

    Please help me and tell me what else must be done, to get it running.

        In advance thanks a lot
             
    • Moved by John Boylan Friday, January 4, 2013 7:35 PM (From:.NET Remoting and Runtime Serialization)
    Tuesday, March 23, 2010 4:10 PM

Answers

  • The administrator account used for the console must have a non blank password.

    With such an administrator account the problem is solved.
    Tuesday, June 15, 2010 2:42 PM

All replies


  • Here seems to be a part for solving my problem:

    *********************************************************************************************
    http://srvcore.wordpress.com/2010/01/02/domain-controllers-warning-event-id-10154/
    .....
    Since that WinRM runs under “Network Service” account, I was able to fix this warning by
    granting the  “Validated Write to Service Principal Name” permission to the NETWORK SERVICE
    using the ADSIEDIT.msc.
    ....
    *********************************************************************************************

    Unfortunatly I don't have the ADSIEDIT.msc. This seems to be a program on Windows 200x Server.
    Right?

    Is this just a solution for computers, which are part of a domain?
    Isn't there also a solution for computers, which are part of a workgroup?
    How can I add the required permission to the "network service" account, using another tool
     (regedit, editor, ...)?

    -----

    My following workarround attempt failed:

    I stopped the Windows-Remote (ws-managment) service. I changed the loggon user account of this
    service from "network service" account to the "local administrator" account. I started the service
    aggain. I got the following error message:

    Windows could not start the Windows Remoteverwaltung
    (WS-Verwaltung) on local computer.
    Error 1079: The account specified for this service is different from the
    from the account specified for other services running in the same process.



    So andy hints who I can solve this problem?
    How can I add the required permission to the "network service" acccount?


    Thanks in advance for all your hints.


    Thursday, March 25, 2010 12:50 PM
  • Must the described thing with the ADSIEDIT.msc realy be done?

    As I understood, I need therefore RSAT (containing the ADSIEDIT.msc) & Windows Server.

     

    The ADSIEDIT.msc- hint is the only hint, which I read and which I did not tried.

    Since I can't imaging that this is the reason for receiving "Access is denied" on each simple winrm command.

     

    Hey guys, has nobody an idea, what can be the reason / and the solution for the described problem?

    Friday, March 26, 2010 2:45 PM
  •  

    Are you running the commands in an elevated prompt?

    • Proposed as answer by johancas08 Thursday, July 28, 2016 4:25 PM
    Tuesday, March 30, 2010 6:42 PM
  • Yes as I already wrote above I used a cmd-prompt, which I started as administrator.

    ----

    I also have another computer running Windows XP, on which I can perform any WinRm commands without troubles.

    ---

    The computer having troubles runs a Windows 7.

    I already used the computer's manufacturer Windows 7 restore DVD to install a complete new Windows 7. I still receive "Access is denied" when I just enter a simple WinRm command (winrm quickconfig, winrm get winrm/config/client, ... ) on the complete fresh installed Windows 7.

     

     

     

    Wednesday, March 31, 2010 9:23 AM
  • .... The computer having troubles runs a Windows 7.....


    To get a true elevated cmd prompt, right-click on the cmd.exe icon, then click "run as administrator".   When I did that, I was able to run the winrm quickconfig without getting the "access is denied" error.

     

    Wednesday, April 7, 2010 7:31 PM
  • "Run As" local, not Domain Administrator

    After many sleepless nights it solved this error for me!!!!! )))))))

    Monday, April 12, 2010 10:08 PM
  • Logon as Administrator or Run the Command Prompt as Administrator,

    but the Administrator's Password should NOT be BLANK

    Saturday, May 15, 2010 4:04 AM
  • Hi I just installed a fresh Windows 7 copy.

    I started a cmd. box as administrator without a blank password.

    And  as soon as I type, winrm quick config, I receive access is denied

     

    - So anybody here who already used Win 7's WinRM?

    Please tell me what must be done to fix the described problem.

     

    In advance thanks a lot for your help.

    Monday, May 31, 2010 4:14 PM
  • ThePerfectWave,

    two questions:

    is your windows machine on a domain?

    you haven't replied to Jimmer2880: do you understand the difference between starting a command prompt as a local administrator, and starting a command prompt by right-clicking on the shortcut and selecting "run as administrator" (even when you are already a local administrator)? There are BIG differences.

    Nick

    Friday, June 4, 2010 3:25 PM
  • We have the same issue when testing our beta website for EU website
    Sunday, June 13, 2010 7:51 PM
  • I did the same. But I still receive "access is denied".
    Monday, June 14, 2010 1:11 PM
  • The command box was started with a local admin account (run as admin).

    The PC wasn't member of a domain.

    -----------

    ==> When I added the computer to a domain and used a admin-user-account defined on the domain controller, then the WinRm worked.

    ------------

    But it also must work without beeing a domain member!

    I used another stand alone computer with a total fresh Windows 7. And on this other computer WinRM also worked, without being a domain member.

    ----------

    Unfortunatly I can't reinstall everything on the problem PC. Because this would be work for several days, since there are a lot of tools on this computer. So I have to fix the problem on this computer.

     

    here are the features of the problem computer:

            the computer isn't a member of a domain

            cmd box is running with a local admin account (run as admin)

            any other infos required???

     

    Thanks in advance for your hints.

     

     

    Monday, June 14, 2010 1:24 PM
  • The administrator account used for the console must have a non blank password.

    With such an administrator account the problem is solved.
    Tuesday, June 15, 2010 2:42 PM
  • This worked for me Thank you very much!

     

    Friday, September 10, 2010 4:16 PM
  • This is so bizarre, but I got an answer.  I read a million articles all over the internet, saying "Make sure you right-click cmd and "run as administrator.""  And some people can only get it to work if they joined a domain, and you must have a password set on the administrator account you're using, and some registry hacks (that I didn't do.)  And people trying to change the permissions of "Network Service" because that's the user the winrm service runs as.

    None of that worked.  I am operating on a fresh install of Win 7, without any domain.  Here's what worked:

    Even though I'm already running as an administrator, even though I already tried right-clicking cmd and "run as administrator" ... And I have a password set....   This is so bizarre:

    Go to Manage local users of the computer.  The local "Administrator" account is disabled and has no password set.  So enable it and set a password.  Then, as yourself, launch a cmd prompt, and runas /user:Administrator cmd.   This will open up a new cmd prompt, running elevated, running under the Administrator account.  Which is different from my administrator account that I was already using.

    Now on this new cmd prompt, you can run the winrm commands.

    Be sure to disable the local Administrator account again after doing what you need to do.

    Wednesday, July 11, 2012 7:54 PM
  • I have found for those trying to configure PS and WinRM on their local machine for remote commands many are running into a UAC "Access Denied" restriction for local accounts though they are a member of Local Administrators and though they run an elevated CMD prompt.  See here: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/e5f8cfee-d4a6-4e5c-9baf-e8a8a67d9316?prof=require

    The reason for the "Access Denied" when trying to configure 'WinRM quickconfig' from a local account is because of UAC.  Setting a DWORD in the registry to disable UAC for local accounts worked successfully.  I could then run 'winrm quickconfig' on my Windows 7 machine with no errors using my personal local account which is a member of the local administrators group.  See here: http://msdn.microsoft.com/en-us/library/aa384423.aspx

    Here are the steps I took:

    1) Using a local account within Local Administrators group, Right-click CMD.EXE, 'Run as Administrator'

    2) Within Elevated CMD prompt ran the following with no errors from local account:

    3) reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    4) winrm quickconfig

    5) winrm get winrm/config/client/auth

    It is important to note these steps disable UAC and enable the local 'Administrator' account.  For security reasons these steps may be reversed.

    1) reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f

    - Dennis

    Sunday, December 30, 2012 12:19 AM
  • Yes, I found that after I enabled the Administrator account and changed the password from blank, I launched "runas /user:Administrator cmd" from command line.  After I then started the Windows Remote Management (WinRM) service I was able to run the command "winrm get winrm/config" without the access denied message.
    Tuesday, April 16, 2013 1:20 AM
  • Run cmd as Administrator: runas /user:Administrator cmd

    Make sure your Administrator account has a password set.

    net start winrm

    winrm qc

    winrm set winrm/config/client @{TrustedHosts="RemoteComputerName"}

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    Lastly on the server you are monitoring from, right click on the pc you would like to monitor under server manager and choose "Manage As" then use the credentials of the Administrative account of that local computer you are wanting to manage eg:  workgrouppc\Administrator and save the password, this will grant your access to monitor that remote pc on the workgroup, remember to also start your performance monitors.

    Tuesday, August 26, 2014 9:20 AM
  • We need to configure WinRM 2.0 on Windows 7 using the NT Authority\System account. WinRM 3.0 seems OK on Win 7. Windows 7 has UAC enabled and we don't want to disable it.

    It gives Access Denied error.  The registry value of LocalAccountTokenFilterPolicy is set to 1. What kind of permissions we should grant for the System account?

    The following command is used for the test.

    psexec -s cscript C:\Windows\System32\winrm.vbs quickconfig

    Can someone help us please?  
    Thank you in advance!

    Ping


    • Edited by Linda Li Friday, February 20, 2015 4:29 PM
    Friday, February 20, 2015 4:12 PM
  • Thanks, that works for me!

    Johan C

    Thursday, July 28, 2016 4:25 PM
  • Thanks a lot, its work for me. 

    For Windows Server 2016, don't have group  WinRMRemoteWMIUsers__ compare with WS2012 R2.

    Last 6 months struggling to find the solution. Below steps, <g class="gr_ gr_223 gr-alert gr_tiny gr_spell gr_inline_cards gr_run_anim ContextualSpelling multiReplace" data-gr-id="223" id="223">i</g> have followed.

    1. net <g class="gr_ gr_191 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" data-gr-id="191" id="191">localgroup</g> /add WinRMRemoteWMIUsers__

    2. Using a local account within the Local Administrators group, Right-click CMD.EXE, 'Run as Administrator'
       Within Elevated CMD prompt ran the following with no errors from local account:

    3) reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    4) <g class="gr_ gr_192 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" data-gr-id="192" id="192">winrm</g> <g class="gr_ gr_193 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" data-gr-id="193" id="193">quickconfig</g>

    5) winrm get winrm/config/client/auth

    Note: It is important to note these steps disable UAC and enable the local 'Administrator' account.  For security <g class="gr_ gr_196 gr-alert gr_gramm gr_inline_cards gr_run_anim Punctuation only-ins replaceWithoutSep" data-gr-id="196" id="196">reasons</g> these steps may be reversed.

    1) reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f

    Monday, September 10, 2018 10:28 AM