Getting Access Denied from WinRM on Windows 2008 R2
How do I restore WinRM on a Windows 2008 R2 machine back to it's 'out-of-the-box' state? Or alternatively, how do I get WinRM to start talking to me again?
I'm logged in as administrator via RDP. Any attempt to access or configure winrm is met with Access is Denied.
I have 3 other servers where WinRM works fine.
At some point in the last 2 months WinRM has become inaccessible on the 4th server.
I have spent about 2 days reading, researching, and trying different things to get WinRM working again. Here are a few:
- help about_Remote_Troubleshooting
- Jonathan Jordan's WinRM Trouble Shooting post
- PowerShell remoting guide
- a bunch of these Google hits
- not a duplicate of none of these answers solved my problem, nor did they answer my question on how to reset WinRM to a default, install state.
LocalAccountTokenFilterPolicy is set to 1
Firewall rules are the same for all of the servers.
The Windows Remote Management service is up and running.
Here are some examples of what I'm seeing with various commands:
PS C:\> winrm id IdentifyResponse
ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor = Microsoft Corporation
ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0
winrm quickconfig
PS C:\> winrm quickconfig
WinRM already is set up to receive requests on this machine.
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
winrm enumerate winrm/config/listener
PS C:\> winrm enumerate winrm/config/listener
WSManFault
Message = Access is denied.
Error number: -2147024891 0x80070005
Access is denied.
Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
Access is denied.
At line:15 char:26
+ if ((!$pluginName) -or <<<< !(test-path "$pluginDir"))
+ CategoryInfo : InvalidOperation: (:) [], InvalidOperationException
+ FullyQualifiedErrorId : WsManError
Join-Path : Access is denied.
At line:22 char:35
+ $pluginFileNamePath = Join-Path <<<< "$pluginDir" 'FileName'
+ CategoryInfo : NotSpecified: (:) [Join-Path], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.JoinPathCommand
Test-Path : Cannot bind argument to parameter 'Path' because it is an empty string.
At line:23 char:19
+ if (!(test-path <<<< "$pluginFileNamePath"))
+ CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.Test
PathCommand
Get-Item : Cannot bind argument to parameter 'LiteralPath' because it is an empty string.
At line:29 char:43
+ $pluginFileName = get-item -literalpath <<<< "$pluginFileNamePath"
+ CategoryInfo : InvalidData: (:) [Get-Item], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.GetI
temCommand
Set-PSSessionConfiguration : Session Configuration "Microsoft.PowerShell" is not a PowerShell based shell.
At line:89 char:27
+ Set-PSSessionConfiguration <<<< $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7] $args[8]
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-PSSessionConfiguration
and Server Manager
Community1 Answer
I have discovered that, on the affected server, access to winrm is limited to members of a single, custom Group (Local Users and Groups). Adding the administrator users to that Group enables access for those users.
Now I am trying to figure out how access was limited to members of the custom group. My consolation is that the IT specialists at our hosting company haven't figured it out yet either.
mobillUser contributions licensed under CC BY-SA 3.0