Troubleshooting
Problem
Beginning with Windows 10 version 1607 (Creator’s Update) and Windows Server 2016, the default GPO security descriptor denies users remote access to Security Account Manager (SAM) with non-domain credentials, and therefore prevents remote heartbeat and password changes made by otherwise-authenticated local user accounts. Affected Windows Local Account secrets would return “Access Denied” on a heartbeat or remote password change.
The script addresses these "Access Denied" errors by modifying the default local group policy Remote SAM Access security descriptor to allow all local users on a specified machine remote SAM access after authentication. This script requires elevated PowerShell permissions.
The script addresses these "Access Denied" errors by modifying the default local group policy Remote SAM Access security descriptor to allow all local users on a specified machine remote SAM access after authentication. This script requires elevated PowerShell permissions.
Resolving The Problem
[Related Microsoft KB]:
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
POWERSHELL SCRIPT DESCRIPTION
This script adds a local non-privileged usergroup to the machine (a custom group name can be specified with -GroupName parameter), adds all local users to the group, and then adds this group to the "Network Access: Restrict clients allowed to make remote calls to SAM" local Group Policy. This will allow all local users within the group remote access to SAM after authentication, which is required for Secret Server password Heartbeat and Password Changing.
DOWNLOAD
Extract the .ps1 script found here:
https://updates.thycotic.net/secretserver/support/PowerShell_Win10-HB-RPC-Fix/Win10-HbFix.zip
Run in an elevated PowerShell ISE session.
SCRIPT ARGUMENT HELP
For full help text, run
> Get-Help C:\Script\Win10-HbFix.ps1 -Examples
PARAMETER
<-ComputerNames (string[])>
Specifies the computer(s) on which the script runs (comma separated). If unspecified, the default is the local computer.
PARAMETER
<-Username (string)>
Specifies a username of an account that has administrative permissions on the computer to add a local user group and modify the local group policy. You will be prompted for a password.
Examples:
Administrator
TestDomain\AdminUser
PARAMETER
<-GroupName (string)>
Specifies a name for the SAM access local user group. If unspecified, the default group name is "Secret Server Remote SAM Access"
PARAMETER
<-ForceGPUpdate>
Specifies whether a group policy update should be forced for immediate effect following the script. (Otherwise Group Policy changes may take up to 120 minutes to take effect by default).
EXAMPLE
> C:\Script\Win10-HbFix.ps1
This example gives remote SAM access to all local users on the current machine. The current PowerShell credentials will be used for authentication.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -LogDir "D:\Win10-HbFix\log"
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER","TestDomain\SOMEMACHINE" -Username "TestDomain\Administrator"
This example gives remote SAM access to all local users on the WINSERVER and TestDomain\SOMEMACHINE remote computers. The domain user "TestDomain\Administrator" credentials will be used. You will be prompted for a password.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "D:\Win10MachineList.txt" -Username "TestDomain\Administrator"
This example gives remote SAM access to all local users on the remote computers listed in D:\Win10MachineList.txt (one machine per line). The domain user "TestDomain\Administrator" credentials will be used. You will be prompted for a password.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER" -GroupName "Secret Server Group"
This example gives remote SAM access to all local users on the WINSERVER remote computer. The local group created will be named "Secret Server Group". Current PowerShell credentials will be used for authentication.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER" -ForceGPUpdate -Verbose
This example gives remote SAM access to all local users on the WINSERVER remote computer, with verbose output. The current PowerShell credentials will be used for authentication. Group policy update will be forced on WINSERVER for immediate effect.
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
POWERSHELL SCRIPT DESCRIPTION
This script adds a local non-privileged usergroup to the machine (a custom group name can be specified with -GroupName parameter), adds all local users to the group, and then adds this group to the "Network Access: Restrict clients allowed to make remote calls to SAM" local Group Policy. This will allow all local users within the group remote access to SAM after authentication, which is required for Secret Server password Heartbeat and Password Changing.
DOWNLOAD
Extract the .ps1 script found here:
https://updates.thycotic.net/secretserver/support/PowerShell_Win10-HB-RPC-Fix/Win10-HbFix.zip
Run in an elevated PowerShell ISE session.
SCRIPT ARGUMENT HELP
For full help text, run
> Get-Help C:\Script\Win10-HbFix.ps1 -Examples
PARAMETER
<-ComputerNames (string[])>
Specifies the computer(s) on which the script runs (comma separated). If unspecified, the default is the local computer.
PARAMETER
<-Username (string)>
Specifies a username of an account that has administrative permissions on the computer to add a local user group and modify the local group policy. You will be prompted for a password.
Examples:
Administrator
TestDomain\AdminUser
PARAMETER
<-GroupName (string)>
Specifies a name for the SAM access local user group. If unspecified, the default group name is "Secret Server Remote SAM Access"
PARAMETER
<-ForceGPUpdate>
Specifies whether a group policy update should be forced for immediate effect following the script. (Otherwise Group Policy changes may take up to 120 minutes to take effect by default).
EXAMPLE
> C:\Script\Win10-HbFix.ps1
This example gives remote SAM access to all local users on the current machine. The current PowerShell credentials will be used for authentication.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -LogDir "D:\Win10-HbFix\log"
This example will change default output log path to "D:\Win10-HbFix\log" (default is [user temp directory]\log).
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER","TestDomain\SOMEMACHINE" -Username "TestDomain\Administrator"
This example gives remote SAM access to all local users on the WINSERVER and TestDomain\SOMEMACHINE remote computers. The domain user "TestDomain\Administrator" credentials will be used. You will be prompted for a password.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "D:\Win10MachineList.txt" -Username "TestDomain\Administrator"
This example gives remote SAM access to all local users on the remote computers listed in D:\Win10MachineList.txt (one machine per line). The domain user "TestDomain\Administrator" credentials will be used. You will be prompted for a password.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER" -GroupName "Secret Server Group"
This example gives remote SAM access to all local users on the WINSERVER remote computer. The local group created will be named "Secret Server Group". Current PowerShell credentials will be used for authentication.
EXAMPLE
> C:\Script\Win10-HbFix.ps1 -ComputerNames "WINSERVER" -ForceGPUpdate -Verbose
This example gives remote SAM access to all local users on the WINSERVER remote computer, with verbose output. The current PowerShell credentials will be used for authentication. Group policy update will be forced on WINSERVER for immediate effect.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSWHLP","label":"IBM Security Secret Server"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
30 April 2019
UID
ibm10879505