Sysinternals Homepage
Forum Home Forum Home > Sysinternals Utilities > PsTools
  New Posts New Posts RSS Feed: can't add user to local admins group on remote svr
  FAQ FAQ  Forum Search   Calendar   Register Register  Login Login

can't add user to local admins group on remote svr
 Post Reply Post Reply Page  123>
Author
Message Reverse Sort Order
  Share Topic Share Topic  Topic Search Topic Search  Topic Options Topic Options
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Online Status: Offline
Posts: 17492 		Post Options Post Options   Quote molotov Quote  Post ReplyReply Direct Link To This Post Topic: can't add user to local admins group on remote svr
    Posted: 02 July 2008 at 6:00am
I'm able to remotely manage
Would be interesting to note the outcome of attempting to use other tools, such as SC.EXE.
 
So, we have...
Vista->Server2003 = success
Vista->Server2008 = access denied
XP->Server2008 = access denied
Yes, that would seem to indicate that any issue may reside with the Server2008 system's configuration.  Knowing why access is denied would be desirable, thus the suggestion to look for failed logon attempts. I guess, it seems bad that logon failures don't seem to be logged, when auditing for failures is enabled.
Daily affirmation:
net helpmsg 4006
Back to Top
goody3335 View Drop Down
Newbie
Newbie


Joined: 25 June 2008
Online Status: Offline
Posts: 14 		Post Options Post Options   Quote goody3335 Quote  Post ReplyReply Direct Link To This Post Posted: 02 July 2008 at 5:41am

I'm able to remotely manage the machine using winrs.  

 
From the Vista machine I can use PSExec on Server 2003, so that would indicate to me that the Vista machine isn't the problem but I'm not able to do it from an XP machine either.
 
There are things logged in the security log, they're just aren't that many failures logged.  There are a bunch of success audits.
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Online Status: Offline
Posts: 17492 		Post Options Post Options   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 01 July 2008 at 6:56pm
Aside from using PsExec, are you able to remotely manage the Server 2008 system from the Vista system (netsh -r, sc, etc.)?
 
I haven't tried it on XP, but I need it to work on both...so if one doesn't work, then it doesn't matter.
Yes, but if the command works from XP to Server 2008, and not from Vista to 2008, it would seem that would help indicate where to focus...
 
I inspected both machines' security logs.  Only the 2008 had a failure audit that I mentioned before.  It doesn't seem to pertain to my problem, though. 

Doesn't it seem a bit odd for auditing to be enabled, and nothing to be logged in the Security log?
Daily affirmation:
net helpmsg 4006
Back to Top
goody3335 View Drop Down
Newbie
Newbie


Joined: 25 June 2008
Online Status: Offline
Posts: 14 		Post Options Post Options   Quote goody3335 Quote  Post ReplyReply Direct Link To This Post Posted: 01 July 2008 at 7:05am
No, I did the netsh commands on the actual 2008 server to try and enable remote management, but it didn't help at all.
 
The only commands that are failing are the psexec commands.  They give me an access denied error.  PSExec is the only PSTool I'm using, though.  All of the native commands are working fine.
 
I'm running psexec from Vista.  I haven't tried it on XP, but I need it to work on both...so if one doesn't work, then it doesn't matter.  I was able to run the psexec command from a vista machine to a 2003 server successfully.  Unfortunately I need it to work on a 2008 machine.
 
The target machine is Windows Server 2008.
 
I added the LocalAccountTokenFilterPolicy setting to the 2008 server.
 
I inspected both machines' security logs.  Only the 2008 had a failure audit that I mentioned before.  It doesn't seem to pertain to my problem, though. 
 
They are both being audited for success and failure of account logon events.
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Online Status: Offline
Posts: 17492 		Post Options Post Options   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 6:56pm
I've tried a couple of things involving netsh commands, but it's still not going through.
You launched these netsh commands from another system, against the Windows Server 2008 System, via netsh -r?
 
+What commands are failing (are commands other than PsExec presenting you with Access Denied)?
+What OS are you running PsExec from?
+The target OS seems to be Windows Server 2008, correct?
+What system did you add the LocalAccountTokenFilterPolicy setting to?
+On what system did you inspect the Security event log? 
+On the systems involved, are account logon events audited for both success and failure?
Daily affirmation:
net helpmsg 4006
Back to Top
goody3335 View Drop Down
Newbie
Newbie


Joined: 25 June 2008
Online Status: Offline
Posts: 14 		Post Options Post Options   Quote goody3335 Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 1:15pm
I don't think so.  I have one failure event for today.
 
Event ID 5032
Source Microsoft Windows security
 
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.  Error Code 2.
 
There was only one, though, and I've tried the psexec commands dozens of times today.  Also, I don't really get this, because I have the firewall turned off right now.
 
I tried stopping the firewall service and then running my psexec command, but that didn't work either.


Edited by goody3335 - 30 June 2008 at 1:35pm
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Online Status: Offline
Posts: 17492 		Post Options Post Options   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 1:04pm
Do any auditing events in the Security log help diagnose?
Daily affirmation:
net helpmsg 4006
Back to Top
goody3335 View Drop Down
Newbie
Newbie


Joined: 25 June 2008
Online Status: Offline
Posts: 14 		Post Options Post Options   Quote goody3335 Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 12:54pm
I set the LocalAccountTokenFilterPolicy value to 1.  I turned the UAC back on and restarted.  I tried it again, but I got the same error:
 
Could not start PsExec service on \\server
Access is denied.
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Online Status: Offline
Posts: 17492 		Post Options Post Options   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 12:41pm
Just a few thoughts, if I may... Embarrassed
the localaccountfilter key wasn't in the registry.  I added it, though
The setting is LocalAccountTokenFilterPolicy, and it is a value as opposed to a key.  What did you set it to?
 
I turned off the UAC stuff.
What happens if you turn UAC on and, in conjunction with setting LocalAccountTokenFilterPolicy to 1, retry the psexec command (or other remote admin commands that have been giving "Access Denied")?
 
 


Edited by molotov - 30 June 2008 at 12:44pm
Daily affirmation:
net helpmsg 4006
Back to Top
goody3335 View Drop Down
Newbie
Newbie


Joined: 25 June 2008
Online Status: Offline
Posts: 14 		Post Options Post Options   Quote goody3335 Quote  Post ReplyReply Direct Link To This Post Posted: 30 June 2008 at 12:26pm
I think that on server 2008 they make it so that the administrator doesn't have remote administration priveleges.  I can't figure out how to turn them on, though.  I've tried a couple of things involving netsh commands, but it's still not going through.  That's gotta be it, though, because I can get the command to work fine on server 2003.
Back to Top
 Post Reply Post Reply Page  123>

Forum Jump Forum Permissions View Drop Down