Friday, April 27, 2012 6:24 PM
I am attempting to access Logical Disk Manager (LDM) remotely on a server running Windows Server 2008 Standard SP2 and I receive the message "You do not have access right to Logical Disk Manager on <servername>"
I have tried to access this from a Windows XP SP3, Windows 7 SP1, and a Windows Server 2008 Standard SP2 member server. Each system is unable to access LDM. The firewalls are disabled on all the systems including the system being remotely accessed. There are no other firewall products loaded on any of these systems.
I am a local administrator on each system and am using that local administrator account.
I have adjusted the Componet Services (COM+) COM Security > Access Permissions > Edit Limits with Everyone and ANONYMOUS LOGON to have Local Access and Remote Access allowed on the remote server
I have adjusted the Componet Services (COM+) COM Security > Launch and Activation Permissions > Edit Limits with Everyone to have Local launch, Remote Launch, Local Activation, and Remote Activation allowed on the remote server
Sunday, April 29, 2012 4:32 PM
This may be a similar issue.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Wednesday, May 02, 2012 7:57 AM
As Dave has alluded to above through the linked article, because you are using an account local to the remote server to which you're attempting to connect, and that account is also a local administrator, the administrative bit is stripped out of the logon token which results in the error you are getting.
Have a read of this support article to see how it all hangs together.
In terms of what you can do, in the order of most to least preferred, you can:
- Use a domain account which has been assigned locally administrative rights on that server (i.e. tossed into the local Administrators group).
- Change the LocalAccountTokenFilterPolicy value described in the above article to have a value of 1. Not recommended as it reduces the security of the system, but in the case of workgroup servers, it sometimes can be the only practical solution. If the server is a member of the domain, this option shouldn't be used.
Friday, March 08, 2013 9:53 PM
Shouldn't the value of LocalAccountTokenFilterPolicy be set to 1 in order to build an elevated token?
Wednesday, March 13, 2013 12:02 PM
Correct, Jeff. I've amended the value above. Thanks for catching the typo.