Getting Access Denied from WinRM on Windows 2008 R2


How do I restore WinRM on a Windows 2008 R2 machine back to it's 'out-of-the-box' state? Or alternatively, how do I get WinRM to start talking to me again?

I'm logged in as administrator via RDP. Any attempt to access or configure winrm is met with Access is Denied.

I have 3 other servers where WinRM works fine.

At some point in the last 2 months WinRM has become inaccessible on the 4th server.

I have spent about 2 days reading, researching, and trying different things to get WinRM working again. Here are a few:

LocalAccountTokenFilterPolicy is set to 1
Firewall rules are the same for all of the servers.
The Windows Remote Management service is up and running.

Here are some examples of what I'm seeing with various commands:

PS C:\> winrm id IdentifyResponse
     ProtocolVersion =
     ProductVendor = Microsoft Corporation
     ProductVersion = OS: 6.1.7601 SP: 1.0 Stack: 2.0

winrm quickconfig

PS C:\> winrm quickconfig
WinRM already is set up to receive requests on this machine.
    Message = Access is denied.

Error number:  -2147024891 0x80070005

winrm enumerate winrm/config/listener

PS C:\>  winrm enumerate winrm/config/listener
    Message = Access is denied.

Error number:  -2147024891 0x80070005
Access is denied.

Set-PSSessionConfiguration Microsoft.Powershell -ShowSecurityDescriptorUI

Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Access is denied.
At line:15 char:26
+    if ((!$pluginName) -or <<<<  !(test-path "$pluginDir"))
    + CategoryInfo          : InvalidOperation: (:) [], InvalidOperationException
    + FullyQualifiedErrorId : WsManError

Join-Path : Access is denied.
At line:22 char:35
+    $pluginFileNamePath = Join-Path <<<<  "$pluginDir" 'FileName'
    + CategoryInfo          : NotSpecified: (:) [Join-Path], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.JoinPathCommand

Test-Path : Cannot bind argument to parameter 'Path' because it is an empty string.
At line:23 char:19
+    if (!(test-path <<<<  "$pluginFileNamePath"))
    + CategoryInfo          : InvalidData: (:) [Test-Path], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.Test

Get-Item : Cannot bind argument to parameter 'LiteralPath' because it is an empty string.
At line:29 char:43
+    $pluginFileName = get-item -literalpath <<<<  "$pluginFileNamePath"
    + CategoryInfo          : InvalidData: (:) [Get-Item], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Microsoft.PowerShell.Commands.GetI

Set-PSSessionConfiguration : Session Configuration "Microsoft.PowerShell" is not a PowerShell based shell.
At line:89 char:27
+ Set-PSSessionConfiguration <<<<  $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7] $args[8]
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-PSSessionConfiguration

and Server Manager

Server Manager - Configure Server Manager Remote Management

asked on Server Fault May 20, 2016 by mobill • edited Apr 13, 2017 by Community

1 Answer


I have discovered that, on the affected server, access to winrm is limited to members of a single, custom Group (Local Users and Groups). Adding the administrator users to that Group enables access for those users.

Now I am trying to figure out how access was limited to members of the custom group. My consolation is that the IT specialists at our hosting company haven't figured it out yet either.

answered on Server Fault May 23, 2016 by mobill

User contributions licensed under CC BY-SA 3.0