4

Currently I have AD/Kerberos configured on one EC2 instance (Windows 2008 R2) and have created a couple of users. Each of the users has administrator privileges. When I log in as a non-domain Administrator, I can successfully execute the winrm commands. But when I log in as the domain user (who has administrator privileges), I cannot run the winrm commands:

C:\Users\domain-username>winrm get winrm/config/service/auth
WSManFault
    Message = Access is denied.

Error number:  -2147024891 0x80070005
Access is denied.

I checked the Group Policy Editor for WinRM and did not find anything relevant. I am not sure what I am missing.

Cheezo
  • Is SysInternal's "ShellRunAs" tool an acceptable (if hacky) workaround? Supply it the program and an account with the access you need (like a domain admin service account) and you'll be able to execute it under a user's context, whether they have admin rights or not. – HopelessN00b Jul 13 '12 at 20:57
  • 1
    Can you clarify "has administrator privileges"? Did you add the user(s) in question to the local Administrators group? – Todd Wilcox Dec 05 '17 at 18:34

2 Answers

1

First thing that pops in my head: is cmd elevated? It would be by default on local Administrator account, not so with domain accounts that belong to local Administrators group. Your current prompt (c:\users...) kind of suggests this might be the reason for access rights issues (elevated cmd starts in c:\windows\system32 by default).

I've tested both elevated and non-elevated and get same results as you do with "normal" and expected results with "elevated" one.

BartekB
  • Thanks for responding. I tried using the WinRM SOAP APIs as well and faced the same issue. That's the primary use case actually. So elevating cmd won't help my cause :) – Cheezo Jul 11 '12 at 14:55
-1

You have to add the user to the group "Remote Management Users" on the WinRM server.

Dave M
Alex
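
Both answers come down to what the caller's access token contains: whether BUILTIN\Administrators is enabled (elevated) or present only as deny-only, and whether the token carries Remote Management Users. The PowerShell check below is an added example, not code from the thread; the function name `Get-WinRMTokenReport` is hypothetical, and it assumes English-language `whoami` column headers.

```powershell
# Added example, not from the thread. Run it in the same session in which
# "winrm get winrm/config/service/auth" returned 0x80070005.
function Get-WinRMTokenReport {   # hypothetical helper name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # Well-known SIDs, identical on every Windows install.
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    $rmuSid   = 'S-1-5-32-580'   # BUILTIN\Remote Management Users

    # IsInRole is true only when the SID is enabled in the token. A UAC-filtered
    # (non-elevated) token carries Administrators as deny-only, so this is false.
    $sidObj   = New-Object Security.Principal.SecurityIdentifier($adminSid)
    $elevated = $principal.IsInRole($sidObj)

    # whoami also lists deny-only groups.
    # Assumption: English column headers ("SID", "Attributes").
    $groups   = @(whoami /groups /fo csv | ConvertFrom-Csv)
    $adminRow = $groups | Where-Object { $_.SID -eq $adminSid }
    $rmuRow   = $groups | Where-Object { $_.SID -eq $rmuSid }

    New-Object PSObject -Property @{
        User                   = $identity.Name
        Elevated               = $elevated
        AdministratorsInToken  = [bool]$adminRow
        AdministratorsDenyOnly = [bool]($adminRow -and $adminRow.Attributes -match 'deny only')
        RemoteManagementUsers  = [bool]$rmuRow
    }
}

Get-WinRMTokenReport | Format-List
```

`Elevated = False` together with `AdministratorsDenyOnly = True` is the non-elevated prompt described in the first answer; `RemoteManagementUsers` reports the group membership the second answer refers to.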