This used to work, and now it doesn't


Kurt Buff
Sep 18, 2023, 8:00:53 PM
to ntsys...@googlegroups.com
I used to be able to use LAPS credentials to start a WinRM session on a workstation from my machine, and run a bunch of local commands. Then, a bright young lad on the sysadmin team changed a bunch of workstation GPOs, and now I'm getting errors, like so:

gpresult /h c:\temp\result.html /scope computer
gpresult : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

and

get-service blah
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

and

restart-service blah
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

I've examined the LAPS configuration on several of the machines, which looks good - the local account created by the LAPS GPO is in the local Administrators group. I've also examined the output of 'gpresult /h' running under my DA account, and I'm not seeing anything that looks out of line - I stared at the output of gpresult for a good long time, and don't see anything.

It's very frustrating.

This seems limited to workstations - I have no problems doing WinRM stuff on servers. We didn't change those GPOs to the degree that we did with workstations, and never implemented a new account for LAPS, so they use the local Administrator account for LAPS.

Anyone have a thought?

Kurt

Aakash Shah
Sep 19, 2023, 3:36:41 AM
to ntsys...@googlegroups.com

May be worth checking if “Local account” or “Local account and member of Administrators group” is set to deny access to the computer remotely:

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/blocking-remote-use-of-local-accounts/ba-p/701042

 

-Aakash Shah

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce7n5uxSivF8i0NS2aJXD17Pq_gMQJcJKKoqLT7rH2QGbQ%40mail.gmail.com.
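The check Aakash suggests, as an added example that is not part of the thread: it exports the effective user-rights assignments from the workstation with secedit.exe and reports whether the two well-known SIDs the Microsoft baseline uses (S-1-5-113 "Local account" and S-1-5-114 "Local account and member of Administrators group") appear in any of the Deny rights. The script is written for the target machine itself, run elevated or inside a WinRM session opened with a domain admin account; the temp file name is an arbitrary choice.

```powershell
# Added example, not from the thread. Run elevated on the workstation (or in a
# session opened with a domain admin); secedit.exe needs admin rights to export.

$ExportPath = Join-Path $env:TEMP 'user-rights.inf'

# secedit writes the effective local policy (GPO-applied settings included) to
# an INI-style file; /areas USER_RIGHTS restricts it to logon rights.
& secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path -Path $ExportPath)) { throw 'secedit export failed; are you elevated?' }

# Parse "SeSomeRight = *S-1-5-x,*S-1-5-y" lines into a hashtable of SID lists.
$Rights = @{}
foreach ($line in Get-Content -Path $ExportPath) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item -Path $ExportPath -Force -ErrorAction SilentlyContinue

# Well-known SIDs (Windows 8.1 / Server 2012 R2 and later) used by the baseline.
$LocalAccountSids = @{
    'S-1-5-113' = 'NT AUTHORITY\Local account'
    'S-1-5-114' = 'NT AUTHORITY\Local account and member of Administrators group'
}

# The Deny rights the baseline populates, plus the Allow right a WinRM logon needs.
$Checks = @(
    @{ Right = 'SeDenyNetworkLogonRight';           Kind = 'Deny';  Name = 'Deny access to this computer from the network' }
    @{ Right = 'SeDenyRemoteInteractiveLogonRight'; Kind = 'Deny';  Name = 'Deny log on through Remote Desktop Services' }
    @{ Right = 'SeDenyBatchLogonRight';             Kind = 'Deny';  Name = 'Deny log on as a batch job' }
    @{ Right = 'SeDenyServiceLogonRight';           Kind = 'Deny';  Name = 'Deny log on as a service' }
    @{ Right = 'SeNetworkLogonRight';               Kind = 'Allow'; Name = 'Access this computer from the network' }
)

foreach ($c in $Checks) {
    $sids = $Rights[$c.Right]
    if ($null -eq $sids) { $sids = @() }
    # Resolve SIDs to names for the report; keep the raw SID if it will not resolve.
    $names = foreach ($sid in $sids) {
        if ($LocalAccountSids.ContainsKey($sid)) { $LocalAccountSids[$sid] }
        else {
            try   { ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value }
            catch { $sid }
        }
    }
    $hitsLocal = @($sids | Where-Object { $LocalAccountSids.ContainsKey($_) })
    [pscustomobject]@{
        Setting           = $c.Name
        Kind              = $c.Kind
        Principals        = ($names -join ', ')
        BlocksLocalAdmins = ($c.Kind -eq 'Deny' -and $hitsLocal.Count -gt 0)
    }
}
```

One caveat worth keeping in mind when reading the output: if S-1-5-114 is in "Deny access to this computer from the network", the LAPS account cannot complete a network logon at all, so New-PSSession or Invoke-Command fails with access denied before any command runs. A session that opens but then fails on admin-only commands points to something other than these Deny rights.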

Wright, John M
Sep 19, 2023, 8:36:38 AM
to ntsys...@googlegroups.com

Could he have maybe changed the WinRM policy for workstation GPOs?  Maybe the IPv4/IPv6 filters?

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  


Wright, John M
Sep 19, 2023, 10:17:38 AM
to ntsys...@googlegroups.com

Sorry, I think my sleep- and coffee-deprived brain misunderstood.  You’re not failing to establish the session but failing the commands afterward, is that right?

 

If so, what do you get for the output of this command during the session:

 

([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)

 


Kurt Buff
Sep 19, 2023, 10:30:17 AM
to ntsys...@googlegroups.com
I looked at the gpresult output for the computer scope, and don't see any Deny entries.

Instead, I see the following:
Access this computer from the network: Users, Everyone, Backup Operators, Administrators
and
Allow log on locally: Users, Backup Operators, Administrators

I shall keep searching.

Kurt

Kurt Buff
Sep 19, 2023, 10:33:24 AM
to ntsys...@googlegroups.com
Well, now....

It returns False.

I think this is what they call A Clue.

But why that's happening, I do not know.

Kurt
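A way to turn the IsInRole() one-liner into a fuller picture of the token, as an added example that is not part of the thread. The usual reason a local Administrators member gets False over WinRM is UAC remote restrictions: for a local (non-domain) account, a network logon receives a filtered token in which the Administrators SID is marked "use for deny only" and the integrity level is Medium, unless HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy is 1. The built-in Administrator (RID 500) is exempt from that filtering unless FilterAdministratorToken is set, which is consistent with the servers in this thread (LAPS on the built-in account) working while the workstations (a separate LAPS account) do not. The function below is meant to be run inside the session opened with the LAPS credential; $Workstation and $LapsCred are placeholders, and the whoami.exe parsing is used because .NET's WindowsIdentity.Groups drops deny-only groups.

```powershell
# Added example, not from the thread. Run inside the LAPS-credential session:
#   Invoke-Command -ComputerName $Workstation -Credential $LapsCred -ScriptBlock ${function:Test-RemoteAdminToken}
# ($Workstation / $LapsCred are placeholders.)

function Test-RemoteAdminToken {
    # In a constrained or restricted session the .NET calls below are blocked,
    # and that restriction is itself the finding, so report it and stop.
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'FullLanguage') {
        return [pscustomobject]@{ User = $env:USERNAME; LanguageMode = $mode; Note = 'Restricted session' }
    }

    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    $adminsSid = 'S-1-5-32-544'

    # whoami keeps the group attributes; a UAC-filtered token still lists
    # Administrators but with "Group used for deny only", and carries the
    # Medium (S-1-16-8192) rather than High (S-1-16-12288) integrity label.
    $groups    = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $adminsRow = $groups | Where-Object { $_.SID -eq $adminsSid }
    $integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).'Group Name'

    # Policy values that control the filtering (absent = default = filter).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                          = $id.Name
        IsBuiltinAdministrator        = ($id.User.Value -like '*-500')   # RID 500: not filtered unless FilterAdministratorToken=1
        AdministratorsSidInToken      = [bool]$adminsRow
        AdministratorsDenyOnly        = [bool]($adminsRow -and $adminsRow.Attributes -match 'deny only')
        IsInRoleAdministrator         = $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
        TokenOwnerIsAdministrators    = ($id.Owner.Value -eq $adminsSid)  # True only for a full (elevated) token
        IntegrityLevel                = $integrity
        LocalAccountTokenFilterPolicy = $pol.LocalAccountTokenFilterPolicy  # 1 = do not filter local admins on network logon
        FilterAdministratorToken      = $pol.FilterAdministratorToken        # 1 = filter RID 500 as well
        LanguageMode                  = $mode
        CanOpenScm                    = $(try { $null = Get-Service -Name WinRM -ErrorAction Stop; $true } catch { $false })
    }
}

Test-RemoteAdminToken | Format-List
```

Reading the result: AdministratorsSidInToken True together with AdministratorsDenyOnly True, IsInRoleAdministrator False and a Medium integrity label is the filtered-token signature; AdministratorsSidInToken False means the account is simply not in the group as far as the logon session is concerned, which is a different problem (group membership, or a Restricted Groups policy rewriting the group).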

Wright, John M
Sep 19, 2023, 10:36:31 AM
to ntsys...@googlegroups.com

James Iversen
Sep 19, 2023, 12:07:26 PM
to ntsys...@googlegroups.com
I recall recently Microsnot has enabled the lockout of local administrator accounts. Possible to disable this behavior by policy. If not disabled, local admin does indeed lockout now. 


Kurt Buff
Sep 19, 2023, 12:24:04 PM
to ntsys...@googlegroups.com
That's an interesting thought, and I'm doing some STFW - but do you have a reference?

Kurt

Peter Boyles
Sep 19, 2023, 12:24:38 PM
to ntsys...@googlegroups.com

From the MS Learn article.

 

"Because of User Account Control (UAC), the remote account must be a domain account and a member of the remote computer's Administrators group."

What that means:
1. If the system is part of the AD Domain.

2. You use an AD Domain user account to remotely access the system.

3. And the AD Domain user account you use is a member of the target computer’s local Administrators group.

4. Then UAC allows access to the WinRM services and the target system resources.

 

This does work.

 

Peter

Kurt Buff
Sep 19, 2023, 12:27:14 PM
to ntsys...@googlegroups.com
Well, if that doesn't work for local accounts that are members of the local Administrators group, that pretty much defeats the purpose of LAPS.

Kurt

James Iversen
Sep 19, 2023, 2:05:02 PM
to ntsys...@googlegroups.com

Kurt Buff
Sep 19, 2023, 3:07:44 PM
to ntsys...@googlegroups.com
This appears to be about account lockouts, which is very interesting, but is not the problem I'm experiencing.

I'm working on implementing the LocalAccountTokenFilterPolicy entry mentioned by John Wright.

Kurt
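The change Kurt is about to make, as an added example that is not part of the thread, with the verification step that shows whether it worked. Step 1 writes LocalAccountTokenFilterPolicy=1 using a domain account that is a local admin on the workstation, because a UAC-filtered LAPS session cannot write HKLM policy keys; step 2 opens a fresh session with the LAPS credential (the value is read at logon, so a new network logon is enough, no reboot needed) and repeats the checks that failed in the first post. $Workstation and the two credential prompts are placeholders.

```powershell
# Added example, not from the thread. Placeholders: $Workstation and the two
# credentials collected by Get-Credential.

$Workstation     = 'WS-EXAMPLE'
$DomainAdminCred = Get-Credential -Message 'Domain account that is a local admin on the workstation'
$LapsCred        = Get-Credential -Message "Local LAPS account, e.g. $Workstation\<laps-admin>"
$PolicyKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Step 1: stop UAC from filtering local Administrators members on network logons.
# 1 = full token; absent or 0 = filtered token (the default, and what the
# security baseline enforces).
Invoke-Command -ComputerName $Workstation -Credential $DomainAdminCred -ArgumentList $PolicyKey -ScriptBlock {
    param($Key)
    New-ItemProperty -Path $Key -Name 'LocalAccountTokenFilterPolicy' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $Key -Name 'LocalAccountTokenFilterPolicy' |
        Select-Object -ExpandProperty LocalAccountTokenFilterPolicy   # expect 1
}

# Step 2: verify with the LAPS account in a brand-new session (new logon, new token).
Invoke-Command -ComputerName $Workstation -Credential $LapsCred -ScriptBlock {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User     = $me.Name
        IsAdmin  = ([Security.Principal.WindowsPrincipal]$me).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
        Elevated = ($me.Owner.Value -eq 'S-1-5-32-544')   # Administrators owns a full token
        ScmOpen  = $(try { $null = Get-Service -Name WinRM -ErrorAction Stop; $true } catch { $false })
        GpResult = $(try { $null = & gpresult.exe /r /scope computer 2>&1; $LASTEXITCODE -eq 0 } catch { $false })
    }
}
```

Two caveats before relying on this. First, the Microsoft security baseline sets the same registry value to 0 through its SecGuide.admx setting "Apply UAC restrictions to local accounts on network logons"; if the new workstation GPO enables that setting, the value written here is reverted at the next policy refresh, so the change belongs in the GPO, not in a one-off registry write. Second, with the value at 1 any local admin credential (a captured NTLM hash included) yields a full admin token over the network on that machine; LAPS's unique per-machine passwords are what keep that from becoming fleet-wide lateral movement. If that trade-off is unwelcome, the alternatives are to keep the filter and manage the built-in RID-500 Administrator with LAPS (it is not filtered unless FilterAdministratorToken is 1), or to do the remote work with a domain account, to which the filter does not apply.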

James Iversen
Sep 19, 2023, 5:36:57 PM
to ntsys...@googlegroups.com
Mah bad. I was going off the op of access is denied to policies. Perhaps the NT\Authenticated Users was removed from the permissions (not filtering), then the thread veered into LAPS territory. It was a shot in the dark. 

Michael B. Smith
Oct 2, 2023, 7:59:42 AM
to ntsys...@googlegroups.com

I’ve been on vaca, so you’ll forgive me for not having read the entire thread. Did you resolve this?

 

It looks like you’ve been put into a constrained-mode PS session.

 


Kurt Buff
Oct 3, 2023, 2:09:01 PM
to ntsys...@googlegroups.com
Got caught up in a bunch of other things - this is pretty trivial - and also am just now getting over a minorly nasty virus.

I'll need to find a machine again on which to test it.

Kurt

Gordon Pegue
Oct 3, 2023, 2:17:52 PM
to ntsys...@googlegroups.com

Good thing it wasn’t a majorly nasty virus Kurt. Glad you’re on the mend.

 

Gordon

 
