RPC call to remote PC gets access denied

Question

Wednesday, September 30, 2009 8:05 PM | 1 vote

We have used NetUserSetInfo to access Windows accounts on the remote PC. It worked well for previous Windows OS versions until we switched to Windows 2008 and Windows Vista recently, where User Account Control is enabled. We got access denied (error 5) from the system. How can we get around UAC without disabling the UAC? Thanks for any possible help we can give.

All replies (2)

Tuesday, October 6, 2009 5:52 PM | 1 vote

Hi,

Check with these

This article describes the solution for the “access denied” error that occurs when you are trying to connect to Windows Vista from a Windows 2008 Server.

1. Ensure you have the correct credential

This is a permission issue. If the net view command fails with a "System error 5 has occurred. Access is denied." message:

1) Make sure you are logged on using an account that has permission to view the shares on the remote computer.
2) Need to cache credential: log on with the same username and password on both computers or use the net use \\computername /user:username command.
3) Make sure the Netlogon service is running.

2. Open RPC ports on firewall

An API call involves connecting to a remote machine using RPC. In most cases the RPC service is running and you can confirm that from the service management interface. To open RPC ports, simply enable “File and Printer Sharing” in the Windows Firewall setting.

(Generally, if RPC is blocked by the firewall on the remote machine, the error should be "1722 RPC server is unavailable" rather than "5 Access denied".)

3. Disable "Force Guest" log on

You can change this option from either local security policy or the registry.

Local security policy: run secpol.msc > Security Settings > Local Policies > Security Options > Network access: Sharing and security model for local accounts, and set to "Classic".

Registry : find "forceguest" item in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and set it to 0.

The two ways are equivalent. If this option is set to 1, a remotely logged-in user will be impersonated as the Guest account (and if the Guest account is disabled, login fails). Setting it to 0 enables users to log in as themselves.

4. If you still receive “access denied” and it only happens when the remote OS is Windows Vista, it is very probably the following case.

To confirm, you need a packet sniffer such as Wireshark (a great freeware).
When you use a sniffer to capture the SMB packets, you can see the authentication is OK (NTLM if workstation, Kerberos if Windows 2008 domain), but the RPC gets nca_s_fault_access_denied (0x00000005) as the error code.

This means the remote RPC component failed to execute the requested operation. It is because in Windows Vista, it is not allowed to operate on terminal service (Remote Desktop) through RPC by default. To modify this setting to enable Remote Desktop API through RPC, you need to find the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

Then add a DWORD value named “AllowRemoteRPC” and change its value to 1.

Thanks
Anil Kumar Inampudi
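
The settings named in steps 1, 3 and 4 of the answer above can be read back in one pass. This is an added example, not part of the original reply; the function names `Get-RegistryDword`, `New-Finding` and `Get-RemoteRpcAccessSettings` are hypothetical, and it assumes an elevated PowerShell session on the remote machine.

```powershell
# Added example (not from the thread): read-only audit of the settings the
# answer above names. Run locally on the remote machine, elevated.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Meaning)
    if ($null -eq $Value) { $Value = '(not set)' }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; Meaning = $Meaning } |
        Select-Object Setting, Value, Meaning
}

function Get-RemoteRpcAccessSettings {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Step 3: forceguest = 1 maps remote logons to Guest; 0 is "Classic".
    $forceGuest = Get-RegistryDword -Path $lsa -Name 'forceguest'
    if ($null -eq $forceGuest) { $m = 'value absent; check the policy in secpol.msc' }
    elseif ($forceGuest -eq 1) { $m = 'remote users are impersonated as Guest' }
    else                       { $m = 'Classic: remote users log on as themselves' }
    New-Finding 'Lsa\forceguest' $forceGuest $m

    # Step 4: AllowRemoteRPC = 1 enables the Remote Desktop API through RPC.
    $allowRpc = Get-RegistryDword -Path $ts -Name 'AllowRemoteRPC'
    if ($allowRpc -eq 1) { $m = 'Remote Desktop API through RPC is enabled' }
    else                 { $m = 'Remote Desktop API through RPC is not enabled' }
    New-Finding 'Terminal Server\AllowRemoteRPC' $allowRpc $m

    # Step 1, item 3: the Netlogon service should be running.
    $svc = Get-Service -Name 'Netlogon' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { New-Finding 'Netlogon service' $null 'service not found' }
    else { New-Finding 'Netlogon service' $svc.Status 'expected: Running' }
}

Get-RemoteRpcAccessSettings | Format-Table -AutoSize
```

The function only reads values, so it can be run before and after applying a step to confirm that the change took effect.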

 



Sunday, September 6, 2020 4:41 AM | 1 vote

You may also check the RPC restrictions on the RPC server, if there are any:

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/restrictions-for-unauthenticated-rpc-clients-the-group-policy/ba-p/399128 

The protocol used is LSARPC (DCE/RPC in Wireshark), which is a named pipe.

If the client is making an anonymous connection, you may also check if LSARPC is allowed to be accessed remotely:

GPO - Network access: Named Pipes that can be accessed anonymously