WinRM - Access Denied

    Question

  • Perhaps I'm way out of my league here, but what I assume should be a relatively simple process has left me searching countless documentation for answers with no solution.

    I have a Windows 7 Ult. client (in a workgroup) and a Server 2008 R2 machine. I'm attempting to use remote Server Manager on the Windows 7 client. I've gone through the steps indicated in this article, namely adding the trusted hosts to the configuration: http://technet.microsoft.com/en-us/library/dd759202.aspx

    My issue is that I am unable to perform any operation with WinRM without receiving an Access Denied error.

    WSManFault
        Message = Access is denied.
    
    Error number:  -2147024891 0x80070005
    Access is denied.

    I am running it as an elevated user with the same result.

    Any advice would be much appreciated.
    Wednesday, December 09, 2009 7:19 AM

Answers

  • Hi David,

    Thank you for the reply.

    I had already changed that registry entry based on some documentation I read but that did not make any difference.

    I was able to work around the issue by opening another command window with "runas /user:Administrator" and then proceeding to change the winrm settings.

    - Adam

    • Marked as answer by David Shen Monday, December 14, 2009 5:36 AM
    Sunday, December 13, 2009 4:45 AM

All replies

  • Hello Adam,

    Based on researching the error message, this issue could be due to the User Account Control (UAC) on the Windows 7 client.

    Because of User Account Control (UAC), the remote account must be a domain account and a member of the remote computer Administrators group. If the account is a local computer member of the Administrators group, then UAC does not allow access to the WinRM service. To access a remote WinRM service in a workgroup, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

    This is taken from Obtaining Data from a Remote Computer

    As a suggestion, I suggest you log on to the Windows 7 client as the local built-in administrator account (i.e. the account that under Local Users and Groups had the description of: Built-in account for administering the computer).

    If not, please consider disabling UAC on the Windows 7 client to try again.

    Hope this can be helpful.

    Best Regards,

    David Shen


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed as answer by Dennis-J Saturday, December 29, 2012 11:17 PM
    Thursday, December 10, 2009 7:32 AM
  • Hi, I also receive "Access is denied" when I just enter a simple winrm command like winrm quickconfig, winrm get winrm/config, .....

    I tried a lot of hints in the meantime, none worked. Here is my thread:

    http://social.msdn.microsoft.com/Forums/en-US/netfxremoting/thread/ad02461a-878c-49a9-bc08-a0199d69b85c

    Maybe you can help me.

    Thanks a lot in advance.

    Friday, March 26, 2010 2:35 PM
  • Run the Command Prompt as Administrator and the "Administrator's Password should NOT be BLANK"
    Friday, May 14, 2010 4:43 PM
  • I used to get the following error too, running cmd as administrator helps or by logging in as the local administrator works fine,

    but the puzzle that I couldn't solve was when my user is setup as Administrator, why it wouldn't process it

    -

    Raghu

    Saturday, July 03, 2010 11:55 AM
  • I had had the same problem and got a resolution.

    1. Add a password to your administrator account if it does not have one.

    2. Run cmd as an administrator and issue "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f" and then "winrm quickconfig"

    this should work.

    Good luck.

    • Proposed as answer by JonQueST Friday, January 28, 2011 6:36 AM
    Sunday, November 21, 2010 11:43 PM
  • The response by Jaewoo Park above to modify the registry (LocalAccountTokenFilterPolicy) is the only solution that worked for me in order to  successfully "winrm quickconfig" on Windows 2008 Server R2.

    Tuesday, August 02, 2011 11:11 PM
  • The registry change worked for me.    Note that I had to reboot after the reg change before the winrm create in order for it to work.   Revised version of Jaewoo Park's resolution:

    1. Add a password to your administrator account if it does not have one.

    2. Run cmd as an administrator and issue "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f" 

    3. Reboot

    4. "winrm quickconfig"


    Monday, July 02, 2012 10:19 PM
  • This is so bizarre, but I got an answer.  I read a million articles all over the internet, saying "Make sure you right-click cmd and "run as administrator.""  And some people can only get it to work if they joined a domain, and you must have a password set on the administrator account you're using, and some registry hacks (that I didn't do.)  And people trying to change the permissions of "Network Service" because that's the user the winrm service runs as.

    None of that worked.  I am operating on a fresh install of Win 7, without any domain.  Here's what worked:

    Even though I'm already running as an administrator, even though I already tried right-clicking cmd and "run as administrator" ... And I have a password set....   This is so bizarre:

    Go to Manage local users of the computer.  The local "Administrator" account is disabled and has no password set.  So enable it and set a password.  Then, as yourself, launch a cmd prompt, and runas /user:Administrator cmd.   This will open up a new cmd prompt, running elevated, running under the Administrator account.  Which is different from my administrator account that I was already using.

    Now on this new cmd prompt, you can run the winrm commands.

    Be sure to disable the local Administrator account again after doing what you need to do.

    Wednesday, July 11, 2012 7:53 PM
  • Worked perfectly - thank you
    Thursday, December 13, 2012 3:57 AM
  • Thanks David,

    After much searching this is the first post I found that explains the reason for the WinRM restriction since I am using a local account with UAC.  Setting the DWORD in the registry to disable UAC for local accounts worked like a charm.  I could then run 'winrm quickconfig' on my Windows 7 machine with no errors using my personal local account which is a member of the local administrators group.  Here are the steps I took.

    1. Enabled local 'Administrator' account and set password (don't think this was required but ran it as a first step based on other posts)
    2. Using a local account within Local Administrators group, Right-click CMD.EXE, 'Run as Administrator'
    3. Within Elevated CMD prompt ran the following with no errors from local account:
    4. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    5. winrm quickconfig
    6. winrm get winrm/config/client/auth

    It is important to note these steps disable UAC and enable the local 'Administrator' account.  For security reasons these steps may be reversed.

    1. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f
    2. Disable Local 'Administrator' account

    - Dennis



    • Edited by Dennis-J Sunday, December 30, 2012 12:15 AM
    Saturday, December 29, 2012 11:40 PM
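
Added example, not part of any post in this thread: a read-only PowerShell check of the three settings the replies above change (LocalAccountTokenFilterPolicy, the built-in Administrator account, and the WinRM client TrustedHosts list), so they can be reviewed and reverted once the fix is no longer needed. The function name Get-WinRmWorkaroundState is hypothetical, and the script uses WMI rather than Get-LocalUser so it does not depend on the LocalAccounts module.

```powershell
# Added example: read-only check of the settings changed in this thread.
# Get-WinRmWorkaroundState is a hypothetical helper name, not a built-in cmdlet.
function Get-WinRmWorkaroundState {
    $findings = @()

    # 1. UAC remote token filtering for local accounts.
    #    Value absent or 0 = filtering on (default); 1 = filtering off.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $latfp = if ($prop) { [int]$prop.LocalAccountTokenFilterPolicy } else { 0 }
    if ($latfp -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admin accounts get a full token over the network. Set it back to 0 when no longer needed.'
    }

    # 2. Built-in Administrator account, identified by RID 500 rather than
    #    by name, because the account can be renamed.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $adminEnabled = [bool]($admin -and -not $admin.Disabled)
    if ($adminEnabled) {
        $findings += "Built-in Administrator '$($admin.Name)' is enabled. Disable it again if it was only enabled for this fix."
    }

    # 3. WinRM client TrustedHosts (reading the WSMan: drive needs elevation
    #    and a running WinRM service, so a failure is reported, not fatal).
    $trusted = $null
    try {
        $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
        if ($trusted -eq '*') {
            $findings += "TrustedHosts='*': every host is trusted without server authentication. List specific servers instead."
        }
    } catch {
        $findings += 'TrustedHosts could not be read (shell not elevated or WinRM service not running).'
    }

    New-Object PSObject -Property @{
        LocalAccountTokenFilterPolicy = $latfp
        BuiltInAdministratorEnabled   = $adminEnabled
        TrustedHosts                  = $trusted
        Findings                      = $findings
    }
}

Get-WinRmWorkaroundState | Format-List
```
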
  • As others have mentioned, you must set a password for Administrator and it cannot be blank.
    Tuesday, April 16, 2013 1:23 AM
  • If that works for you guys, I just simply right-click over the command prompt icon, "run as administrator", and it worked without any issue.

    Thanks.

    Friday, November 29, 2013 6:13 PM
  • Hi all.
    I know it is a historical topic, but for other searchers I want to write my one-step hint.

    Here is clear explanation of winrm problems on local computers. And as we can see it is not a bug but a feature: http://www.symantec.com/business/support/index?page=content&id=TECH200047

    "This error happens even if the account is a Local Administrator and the command line is run with administrator privileges.

    To solve the problem, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

    Because of User Account Control (UAC), the remote account must be a domain account and a member of the remote computer Administrators group.
    If the account is a local computer member of the Administrators group, then UAC does not allow access to the WinRM service.
    "

    When I created this registry key and set the value to 1 then winrm started to work on all my local admin accounts. I didn't need to start cmd with elevated privileges to perform the "winrm get" command.

    Saturday, March 15, 2014 1:45 AM
  • Glorious! Much thanks to Jaewoo Park for his answer. Worked like a charm!
    • Edited by Conor8111 Friday, April 17, 2015 2:47 PM
    Friday, April 17, 2015 2:46 PM
  • I have the same error.  I am actually trying to remotely enable remote powershell with a script in windows 7.  I can do it as an administrator, but not as the system user.  The network can't be public.

    Thursday, April 27, 2017 3:37 PM