Alternate Administrator Accounts not Working with Windows 2008 and Later

Revision: 1.2
Date: 03/19/2015

Problem:

When you connect from a host system running Windows Vista/2008 or newer to a target system running Windows Vista/2008 or newer, and use alt-admins to connect or manage services, you receive an error such as "Connect failed, error 10001 – No admin access (anonymous only) achieved" or "admin access denied". Worse yet, this is not a standard Windows networking error. The problem does not exist when connecting to Windows 2003 and earlier systems or when the product is hosted on a 2003 system.

This affects all calls to the Service Control Manager (SCM) which is used to manage services and can affect basic connections.

Cause:

The issue stems from changes to the Microsoft networking and communications stack that were introduced in Windows Vista/2008 and are outlined in the Microsoft article "Services and RPC/TCP". Microsoft defaults to using RPC/TCP rather than RPC/NP (RPC over named pipes). The difference is that RPC/TCP does not inherit connection credentials while RPC/NP does. Hence the alternate administrators will not work between a Windows Vista/2008 or later product host and a Windows Vista/2008 or later system unless the product host is forced to use RPC/NP.

Resolution:

RPC/TCP is controlled by the SCMApiConnectionParam, DisableRPCOverTCP, and DisableRemoteScmEndpoints registry values, which are all under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key. All of these values have a REG_DWORD data type. The following procedure shows how to use these registry values to control RPC/TCP.

Create a new DWORD value named SCMApiConnectionParam under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control. Select Hexadecimal as the base and enter 80000000 as the value data.

Restart the application.
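The same change can be scripted and verified. The PowerShell below is an added example, not vendor-supplied code; it assumes an elevated session on the product host and uses the .NET registry API so that the signed/unsigned handling of 80000000 is explicit. It also reports the other two values named above without changing them.

```powershell
# Added example: run in an elevated PowerShell session on the product host.
$ErrorActionPreference = 'Stop'

$subKey = 'SYSTEM\CurrentControlSet\Control'
$target = 'SCMApiConnectionParam'
$names  = $target, 'DisableRPCOverTCP', 'DisableRemoteScmEndpoints'

# PowerShell parses the hex literal 0x80000000 as the signed Int32 -2147483648.
# RegistryKey.SetValue expects an Int32 for a DWord, and this bit pattern is
# the one regedit displays as hexadecimal 80000000.
$wanted = 0x80000000

function Format-RegValue {
    param($Raw)
    if ($null -eq $Raw) { return '(not set)' }
    return ('0x{0:X8}' -f $Raw)
}

# Open HKLM\SYSTEM\CurrentControlSet\Control for writing.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if ($null -eq $key) { throw "Cannot open HKLM\$subKey" }

try {
    # Record the current state of all three RPC/TCP values before changing anything.
    foreach ($n in $names) {
        Write-Output ('before  {0,-26} {1}' -f $n, (Format-RegValue $key.GetValue($n, $null)))
    }

    # Idempotent: write only when the value is missing or different.
    if ($key.GetValue($target, $null) -ne $wanted) {
        $key.SetValue($target, $wanted, [Microsoft.Win32.RegistryValueKind]::DWord)
    }

    # Verify both the stored type and the stored data.
    $kind = $key.GetValueKind($target)
    $now  = $key.GetValue($target, $null)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $now -ne $wanted) {
        throw "$target is $(Format-RegValue $now) ($kind), expected 0x80000000 (DWord)"
    }
    Write-Output ('after   {0,-26} {1}' -f $target, (Format-RegValue $now))
    Write-Output 'Restart the application for the change to take effect.'
}
finally {
    $key.Close()
}
```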

Applies To:
Enterprise Random Password Manager (ERPM)
Service Account Manager (SAM)
