Problem with remote execution
One of my customers recently wanted to perform remote administration using a local account. The firewall on the server was disabled and UAC was inactive. However, despite these settings, it was not possible for a local account (non-administrator) to perform the remote operation.
Several tests have been made:
- Execution with a domain user that is a member of the local Administrators group. The test was successful and the operation was performed.
- Execution with a domain administrator account. The test was successful and the operation was performed.
- Execution with a domain administrator. The test was successful and the operation was performed.
- Execution with a local administrator account. The test was successful and the operation was performed.
- Execution with a local account that is a member of the local Administrators group. The test failed and the operation was not performed.
Allow remote execution
The problem occurs on Windows Server 2012 / 2012 R2 because remote management is not allowed for a local account, even if it is a member of the local Administrators group of the server or workstation. A DWORD (32-bit) registry value must be configured to permit remote management for local accounts.
- On the remote server, right-click the Start menu, then click Run on the shortcut menu.
- Navigate to the System key (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System).
- Create a DWORD value named LocalAccountTokenFilterPolicy and set it to 1.
The LocalAccountTokenFilterPolicy DWORD can take two values:
- 0 – generates a filtered token
- 1 – generates a token with elevated privileges
It is then possible to perform remote management. If a large number of servers is affected, it is better to create a Group Policy (of type Preferences) that automatically creates the DWORD concerned. Note, however, that this setting grants additional rights. It is therefore necessary to assess the risks, especially if the password for the local account is never changed.
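To support that risk review, the following PowerShell audit reports the current LocalAccountTokenFilterPolicy value together with the password age of each local account in the local Administrators group. It is an added example, not part of the original post; the variable names and the 90-day threshold are assumptions to adapt to your own policy.

```powershell
# Added example (not from the original post). Run locally, elevated, PowerShell 3.0+.
$key        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name       = 'LocalAccountTokenFilterPolicy'
$maxAgeDays = 90   # assumption: example threshold, align with your password policy

# An absent value behaves like 0: remote local accounts get a filtered token.
$prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$value = if ($null -ne $prop) { [int]$prop.$name } else { 0 }
$token = if ($value -eq 1) { 'Elevated' } else { 'Filtered' }

# Resolve the local Administrators group by its well-known SID (the name is localized).
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# One row per local (non-domain) user in the group: these are the accounts that
# receive a full token over the network when the value is 1.
foreach ($member in @($group.psbase.Invoke('Members'))) {
    $type  = $member.GetType()
    $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

    # Skip nested groups and domain principals (their path lacks the computer name).
    if ($class -ne 'User' -or $path -notlike "*/$env:COMPUTERNAME/*") { continue }

    $user    = [ADSI]$path
    $ageDays = [math]::Round($user.PasswordAge.Value / 86400)   # PasswordAge is in seconds

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicyValue     = $value
        RemoteToken     = $token
        Account         = $user.Name.Value
        Disabled        = [bool]($user.UserFlags.Value -band 0x2)   # ADS_UF_ACCOUNTDISABLE
        PasswordAgeDays = $ageDays
        # Flag accounts that are remotely usable with a full token and a stale password.
        Review          = ($value -eq 1 -and $ageDays -gt $maxAgeDays)
    }
}
```

Because every row has the same shape, the output can be piped to Export-Csv and collected from several servers for comparison.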