Intel® Business Client Software Development
Support for Intel® vPro™ software development and technologies associated with Intel vPro platforms.
1388 Discussions

can't use winrm; still recieve the error access is denied

theperfectwave
Beginner
10,150 Views
Hi,

I want to use winrm. I have Windows 7 installed and configure it for workgroup not domain.

Each simple winrm command leads to the error message: Access is denied


Mr. google and several forums told me to:

* execute the winrm command just with having administrator rights
* to create the DWORD LocalAccountTokenFilterPolicy [HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] and set to 1
* Use Local Security Settings (Secpol.msc) to change the setting of the
"Network Access: Sharing and security model for local accounts" policy
in Security Settings\\Local Policies\\Security Options to "Classic".
* administrator must have a non blank password
* first execute winrm quickconfig


I did all those hints. Unfortunatly I still recieve the error "Access is denied" for each even simple winrm command.

I need WinRm, I have to fix the problems under my Windows 7. It must work.

Please help me and tell me what else must be done, to get it running.

In advance thanks a lot

0 Kudos
10 Replies
Andrew_S_Intel2
Employee
10,150 Views
Our primary focushere ison using WinRM with vPro as opposed to WinRM in general, so I don't know if I can help you. That said, I do have some information that might help. If youput in"gpedit.msc" at a command line, that takes you to a configuration settings tool that will allow you to configure WinRM. Once that tool is up, you navigate down the tree on the left into the Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) section.

There are settings for both the Client and Service here. If you're receiving access denied errors and you're working with a work group, you should look at the options for allowing Basic authentication or Digest Authentication, possibly the option for unencrypted traffic or Trusted Hosts. I don't know the exact options you need, but with access to those configuration settings hopefully you'll have some additional options to try.

Andy
0 Kudos
theperfectwave
Beginner
10,150 Views
I have the same focus. I need WinRm to configure AMT.

Thanks for your hint pointing to an additional place, where I can configure WinRM.
0 Kudos
Andrew_S_Intel2
Employee
10,150 Views

Ah, that makes things easier. This link describes exactly what settings you need to set to work with AMT:

http://software.intel.com/en-us/blogs/2007/12/13/does-amt-support-ws-man/

Ajith mentioned configuring the settings using the WinRM command line, but you can use the tool I mentioned previously to configure the appropriate settings as well. All the three settings in Ajith's blog are in the WinRM Client section.

Allowunencrypted=True
TrustedHosts= specific IP addresses or domains that are trusted
Digest=True

This will support AMT configured locally with Digest authentication (instead of Kerberos) and without TLS encryption on the ongoing traffic. This is the easiest to work with during initial development (and requires the least network infrastructure), of course in an actual product depending on your security requirements you might want to support Kerberos authentication or TLS encryption on the traffic.

0 Kudos
theperfectwave
Beginner
10,150 Views
Ok I wanted to execute the described steps, which are mentioned in your link:
http://software.intel.com/en-us/blogs/2007/12/13/does-amt-support-ws-man/

But unfortunatly already the first line:
C:\ >winrm get winrm/config/client

Led to the error: Access is denied

The problem is somewhere earlier.

When I started with the AMT- & WinRm-Topic, the computer had a completly fresh
Windows 7 installation.

So any hints, why my winrm can't be configured?


0 Kudos
theperfectwave
Beginner
10,150 Views

Here seems to be a part for solving my problem:

*********************************************************************************************
http://srvcore.wordpress.com/2010/01/02/domain-controllers-warning-event-id-10154/
.....
Since that WinRM runs under Network Service account, I was able to fix this warning by
granting the Validated Write to Service Principal Name permission to the NETWORK SERVICE
using the ADSIEDIT.msc.
....
*********************************************************************************************

Unfortunatly I don't have the ADSIEDIT.msc. This seems to be a program on Windows 200x Server.
Right?

Is this just a solution for computers, which are part of a domain?
Isn't there also a solution for computers, which are part of a workgroup?
How can I add the required permission to the "network service" account, using another tool
(regedit, editor, ...)?

-----

My following workarround attempt failed:

I stopped the Windows-Remote (ws-managment) service. I changed the loggon user account of this
service from "network service" account to the "local administrator" account. I started the service
aggain. I got the following error message:

Windows could not start the Windows Remoteverwaltung
(WS-Verwaltung) on local computer.
Error 1079: The account specified for this service is different from the
from the account specified for other services running in the same process.



So andy hints who I can solve this problem?
How can I add the required permission to the "network service" acccount?


Thanks in advance for all your hints.


0 Kudos
Andrew_S_Intel2
Employee
10,150 Views
You probably need to run the command window as an administrator. And like I said previously, if you choose you don't need to run the command line arguments, you can adjust the setting in the console.
0 Kudos
theperfectwave
Beginner
10,150 Views

Must the described thing with the ADSIEDIT.msc realy be done?

As I understood, I need therefore RSAT (containing the ADSIEDIT.msc) & Windows Server.

The ADSIEDIT.msc- hint is the only hint, which I read and which I did not tried.

Since I can't imaging that this is the reason for receiving "Access is denied" on each simple winrm command.

Hey guys, has nobody an idea, what can be the reason / and the solution for the described problem?
0 Kudos
Andrew_S_Intel2
Employee
10,150 Views
Given that WinRM works fine for me from both Windows 7 and Windows Vista and I've never heard of ADSIEDIT.msc, I think you are making this more complicated than it needs to be. And you certainly don't need Windows Server to use WinRM.

Like I mentioned before, are you running the command as an administrator? And I don't mean in an administrator account, I mean running the command window as administrator. The most obvious way is to right click on the Command Prompt option in the menu and select the "Run as Administrator" option in the menu that comes up.
0 Kudos
theperfectwave
Beginner
10,150 Views
The administrator account used for the console must have a non blank password.

With such an administrator account the problem is solved.
0 Kudos
Alexandr_K_
Beginner
10,150 Views

You have to add the user on the winrm server to the local group "Remote Management Users"

0 Kudos
Reply