Otdfbt

Multi tool use

Is there an official reason for not adding a post-credits scene?

Find the cheapest shipping option based on item weight

Emotional immaturity of comic-book version of superhero Shazam

3D Volume in TIKZ

What to use instead of cling film to wrap pastry

Refinish or replace an old staircase

ZSPL language, anyone heard of it?

How did the Venus Express detect lightning?

Is bounce rate of a website a ranking factor?

What was Bran's plan to kill the Night King?

Why are UK Bank Holidays on Mondays?

Should I decline this job offer that requires relocating to an area with high cost of living?

Would you use "llamarse" for an animal's name?

What is the solution to this metapuzzle from a university puzzling column?

I'm in your subnets, golfing your code

Proving n+1 th differential as zero given lower differentials are 0

How can I roleplay a follower-type character when I as a player have a leader-type personality?

Where can I go to avoid planes overhead?

What does 'made on' mean here?

Causes of bimodal distributions when bootstrapping a meta-analysis model

Wrong answer from DSolve when solving a differential equation

Are pressure-treated posts that have been submerged for a few days ruined?

Adding command shortcuts to bin

Something that can be activated/enabled

Allowing Domain Users to run winrm commands

Run remote powershell as administratorRemote PowerShell, WinRM Failures: WinRM cannot complete the operationWinRM HTTPS Connection to Windows 8 SystemsWindows Remote Management Over Untrusted DomainsGetting Access Denied from WinRM on Windows 2008 R2Get local path of Windows fileshare when running a PowerShell script remotely via WinRMRemote Powershell not working but test-wsman doeswindows-ubuntu-bash + hypervisor winrm + ansible - Server not found in Kerberos databaseClients / Groups / Users not shown in group policy management console (GPMC)

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

4

Currently i have a AD/Kerberos Configured on one EC2 instance(Windows 2008 R2) and created couple of users. Each of the users has administrator privileges. When We login as a non-domain Administrator, i can successfully execute the winrm commands. But when i login as the domain User (who has administrator privileges), i cannot run the winrm commands:

C:Usersdomain-username>winrm get winrm/config/service/auth
WSManFault
 Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

I check the Group Policy Editor for WinRM did not find anything relevant. I am not sure what i am missing.

active-directory remote remote-access winrm

share|improve this question

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is SysInternal's "ShellRunAs" tool an acceptable (if hacky) workaround? Supply it the program and an account with the access you need (like a domain admin service account) and you'll be able to execute it under a user's context, whether they have admin rights or not.
  
  – HopelessN00b
  Jul 13 '12 at 20:57
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Can you clarify "has administrator privileges"? Did you add the user(s) in question to the local Administrators group?
  
  – Todd Wilcox
  Dec 5 '17 at 18:34
  

  
  
  
  

add a comment | 

4

Currently i have a AD/Kerberos Configured on one EC2 instance(Windows 2008 R2) and created couple of users. Each of the users has administrator privileges. When We login as a non-domain Administrator, i can successfully execute the winrm commands. But when i login as the domain User (who has administrator privileges), i cannot run the winrm commands:

C:Usersdomain-username>winrm get winrm/config/service/auth
WSManFault
 Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

I check the Group Policy Editor for WinRM did not find anything relevant. I am not sure what i am missing.

active-directory remote remote-access winrm

share|improve this question

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is SysInternal's "ShellRunAs" tool an acceptable (if hacky) workaround? Supply it the program and an account with the access you need (like a domain admin service account) and you'll be able to execute it under a user's context, whether they have admin rights or not.
  
  – HopelessN00b
  Jul 13 '12 at 20:57
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Can you clarify "has administrator privileges"? Did you add the user(s) in question to the local Administrators group?
  
  – Todd Wilcox
  Dec 5 '17 at 18:34
  

  
  
  
  

add a comment | 

Currently i have a AD/Kerberos Configured on one EC2 instance(Windows 2008 R2) and created couple of users. Each of the users has administrator privileges. When We login as a non-domain Administrator, i can successfully execute the winrm commands. But when i login as the domain User (who has administrator privileges), i cannot run the winrm commands:

C:Usersdomain-username>winrm get winrm/config/service/auth
WSManFault
 Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

I check the Group Policy Editor for WinRM did not find anything relevant. I am not sure what i am missing.

active-directory remote remote-access winrm

share|improve this question

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

C:Usersdomain-username>winrm get winrm/config/service/auth
WSManFault
 Message = Access is denied.

Error number: -2147024891 0x80070005
Access is denied.

share|improve this question

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

share|improve this question

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

asked Jul 9 '12 at 6:43

CheezoCheezo

158128

2 Answers
2

active

oldest

votes

0

First thing that pops in my head: is cmd elevated? It would be by default on local Administrator account, not so with domain accounts that belong to local Administrators group. Your current prompt (c:users...) kind of suggests this might be the reason for access rights issues (elevated cmd starts in c:windowssystem32 by default).

I've tested both elevated and non-elevated and get same results as you do with "normal" and expected results with "elevated" one.

share|improve this answer

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for responding. I tried using the WinRM SOAP APIs as well and faced the same issue. Thats the primary usecase actually. So elevating cmd won't help my cause :)
  
  – Cheezo
  Jul 11 '12 at 14:55
  
  

  
  
  
  

add a comment | 

-1

You have to add the user to the group "Remote Management Users" on the WinRM server.

share|improve this answer

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f405952%2fallowing-domain-users-to-run-winrm-commands%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

First thing that pops in my head: is cmd elevated? It would be by default on local Administrator account, not so with domain accounts that belong to local Administrators group. Your current prompt (c:users...) kind of suggests this might be the reason for access rights issues (elevated cmd starts in c:windowssystem32 by default).

I've tested both elevated and non-elevated and get same results as you do with "normal" and expected results with "elevated" one.

share|improve this answer

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for responding. I tried using the WinRM SOAP APIs as well and faced the same issue. Thats the primary usecase actually. So elevating cmd won't help my cause :)
  
  – Cheezo
  Jul 11 '12 at 14:55
  
  

  
  
  
  

add a comment | 

0

First thing that pops in my head: is cmd elevated? It would be by default on local Administrator account, not so with domain accounts that belong to local Administrators group. Your current prompt (c:users...) kind of suggests this might be the reason for access rights issues (elevated cmd starts in c:windowssystem32 by default).

I've tested both elevated and non-elevated and get same results as you do with "normal" and expected results with "elevated" one.

share|improve this answer

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for responding. I tried using the WinRM SOAP APIs as well and faced the same issue. Thats the primary usecase actually. So elevating cmd won't help my cause :)
  
  – Cheezo
  Jul 11 '12 at 14:55
  
  

  
  
  
  

add a comment | 

First thing that pops in my head: is cmd elevated? It would be by default on local Administrator account, not so with domain accounts that belong to local Administrators group. Your current prompt (c:users...) kind of suggests this might be the reason for access rights issues (elevated cmd starts in c:windowssystem32 by default).

I've tested both elevated and non-elevated and get same results as you do with "normal" and expected results with "elevated" one.

share|improve this answer

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

share|improve this answer

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

answered Jul 11 '12 at 13:33

BartekBBartekB

63869

-1

You have to add the user to the group "Remote Management Users" on the WinRM server.

share|improve this answer

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

add a comment | 

-1

You have to add the user to the group "Remote Management Users" on the WinRM server.

share|improve this answer

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

add a comment | 

You have to add the user to the group "Remote Management Users" on the WinRM server.

share|improve this answer

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

share|improve this answer

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

edited Nov 20 '14 at 17:06

Dave M

4,37982428

edited Nov 20 '14 at 17:06

Dave M

4,37982428

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723

answered Nov 20 '14 at 13:37

aceq aceqaceq aceq

20723