
I am working on Windows Server 2016 (workgroup) and enabled powershell remoting on it. Only the default administrator account can perform tasks that require administrative permission such as

Get-Service
Get-DnsServerZone

and when I do that I get the access denied error. I can connect to it remotely with powershell and do some stuff like get-process and so on.

Remarks: no matter what user I create (and yes, I add them to the Administrators group). I also added it to Remote Management Users too. I do it with my Hyper-V sandbox VM, but it simply doesn't work on my production server. I also tried to fix it by adding the specific user SID to the SDDL permission in PSSessionConfiguration, but it didn't work either. Here is the PSSessionConfiguration (the username I used is despot and the server name is phantom12):

Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed, phantom12\despot AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed, phantom12\despot
                AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : microsoft.windows.servermanagerworkflows
PSVersion     : 3.0
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, phantom12\despot
                AccessAllowed

And here is the SDDL string I modified in the WSMAN Service section (the SID I added is the user SID, not its group):

O:NSG:BAD:P(A;;GA;;;LA)(A;;GA;;;BA)(A;;GA;;;S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1000)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)

The thing that is frustrating is that I can do it with my VM and change permissions, but it won't work on my production server, and I don't want to reinstall Windows. It's simply like they didn't get added to the Administrators group even though I added them.

Thank you all in advance!

Humberto Castellon
Peyman
  • Hi, as it's in a workgroup, can you access the server admin share (like c$)? I ask as Explorer will ask for credentials, while PowerShell might not beforehand – yagmoth555 Nov 17 '18 at 15:15
  • When I log on locally, I can do anything and I also disabled UAC too. – Peyman Nov 17 '18 at 16:37
  • My question was more, remotely can you navigate to that share? – yagmoth555 Nov 17 '18 at 16:58
  • Sorry man. I wrote about shares too, don't know what happened to it. Yeah. I can access shares and make or change files – Peyman Nov 17 '18 at 18:58
  • About shares, I can create files and directories but cannot delete main administrator files. – Peyman Nov 17 '18 at 19:19
  • What do you get when you type `whoami /groups` in the remote session? Do you get all enabled groups? – Peter Hahndorf Nov 17 '18 at 20:17
  • Have you tried using cmdkey to specify the credentials for the remote computer? https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey – Greg Askew Nov 17 '18 at 20:29
  • The text was too long. I uploaded the output of `whoami /groups` here --> http://txt.do/dbqi6 – Peyman Nov 17 '18 at 20:32
  • @Peyman - you can see in the whoami output that the Administrators group is not enabled, meaning UAC is active for the logged-on user and the account is not running elevated; that's why you get `access denied` results. UAC is usually not enabled for the account named 'administrator', so that account works. You need to fix this problem and make sure your remote logon runs elevated. – Peter Hahndorf Nov 18 '18 at 16:58
  • @PeterHahndorf how do I disable that? I set UAC off in Control Panel. Is there any other setting in GPO or somewhere else I have to change? – Peyman Nov 18 '18 at 22:29
  • @PeterHahndorf thanks a lot man. I did some research and the problem was that UAC wasn't completely disabled. I did it through GPO and after a restart it worked. Thanks all for your help – Peyman Nov 19 '18 at 22:09

1 Answer

This behaviour is by design, but can be disabled by changing a registry setting.

In

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

find or create the DWORD value LocalAccountTokenFilterPolicy and set it to 1. You may then need to reboot.

This will allow remote connections (including Powershell remoting) to have unrestricted administrator access, without the undesirable side-effects of turning off UAC altogether.

Harry Johnston
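An added example, not code from the question or the answer: it reads (and optionally sets) the LocalAccountTokenFilterPolicy value the answer describes, then checks from a remote session whether BUILTIN\Administrators is actually enabled in the token, which is the same thing Peter Hahndorf's `whoami /groups` check reveals. The computer name `phantom12` and user `despot` are taken from the question; the function names are my own.

```powershell
# Added example, not from the question or the answer.
# Run Get-/Set-TokenFilterPolicy on the server itself in an elevated session;
# run Test-RemoteAdminToken from the client over PowerShell remoting.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns 1 (remote UAC token filtering off), 0 (filtering on), or $null
    # when the value is absent. An absent value behaves like 0 for local accounts.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-TokenFilterPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # Creates the DWORD if it is missing, overwrites it otherwise. 1 is what the
    # answer recommends; 0 keeps remote local-admin tokens filtered (the default).
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Test-RemoteAdminToken {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][pscredential]$Credential)
    # Runs inside the remote session. IsInRole() returns $false when Administrators
    # is present in the token but marked "used for deny only", i.e. filtered by UAC.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
        # Same data whoami /groups prints, reduced to the Administrators row (SID S-1-5-32-544)
        $adminRow  = whoami /groups /fo csv | ConvertFrom-Csv |
                     Where-Object { $_.SID -eq 'S-1-5-32-544' }
        [pscustomobject]@{
            User             = $identity.Name
            AdminRoleEnabled = $principal.IsInRole($adminRole)
            GroupAttributes  = $adminRow.Attributes
        }
    }
}

# Server side (elevated): inspect, set to 1 as in the answer, then reboot.
# Get-TokenFilterPolicy ; Set-TokenFilterPolicy -Value 1
# Client side: AdminRoleEnabled should flip from False to True after the reboot.
$cred = Get-Credential -UserName 'phantom12\despot' -Message 'Local admin on phantom12'
Test-RemoteAdminToken -ComputerName 'phantom12' -Credential $cred
```

Before the change, GroupAttributes for the Administrators row reads "Group used for deny only" and AdminRoleEnabled is False; that is the filtered token behind the `access denied` results, and it is exactly what the registry value switches off for every local account on the host.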