
I have the problem that I am getting a

System error 5 has occurred. Access is denied.

error when I am trying to run the command

net user /domain <username>

with a regular domain user account (not domain administrator or local administrator).

We need to run this command not as an administrator to load a certain workload for our non-admin users, using a script. On other server systems with exactly the same policy and the same domain settings I was able to run this command as a non-admin user. I even exported the policies from the project that does not get an error and imported them, but unfortunately without success...

Internet research says that the GP setting "Network access: Restrict clients allowed to make remote calls to SAM" may be the solution.

I've added the group that should be able to make a net user request, updated the policy on the server, and the group was showing up as "allowed". Unfortunately this solution also did not work for me and I still had exactly the same error:

System error 5 has occurred. Access is denied.

The only difference between the project with this problem and the project that works is the Windows version:

  • The project that works has: Windows 2019 1809 / 17763.1935
  • The project with the problem has: Windows 2019 1809 / 17763.1790

Could you help me find the solution for this problem, please, so I can bring the project live?




I found a solution for this problem. The problem was directly in the registry of the domain controllers. There are 2 ways to solve it.

Solution 1: Create a policy which allows the specified groups or users to make a SAM request and link it to the whole domain at the top-level OU, so that all computers and users of all OUs get it.

Here is the instruction for this policy setting:

Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM".

Select "Edit Security" to configure the "Security descriptor:".

Add the desired user or group in "Group or user names:".

Select "Allow" for "Remote Access" in "Permissions for Administrators".

Click "OK".

Run gpupdate /force in CMD on all domain computers and restart them.

Solution 2: Delete the existing policy or local registry settings for SAM requests

  1. Find the policy that specifies the SAM request (if it already exists) and edit it (allow the desired group or user) or delete it completely.
  2. Open regedit.exe on all domain controllers at the same time and delete the registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\
Value Name: RestrictRemoteSAM
Value Type: REG_SZ
Value: O:BAG:BAD:(A;;RC;;;BA)

  3. Restart one of the domain controllers and check whether the registry value is still there. In general it should be completely removed and should not reappear after the reboot.

Info: This registry value restricts all normal users from making a "net user /domain" request.

  4. Try the "net user /domain" request as a normal user (run "gpupdate /force" and restart the computer running the request if needed).

BR, Yaroslav Kraus
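As an added example that is not part of the answer above, the following PowerShell, run elevated on a domain controller, reads the RestrictRemoteSAM value the answer refers to, lists which principals its security descriptor currently grants "Remote Access" (the RC right in SDDL), and appends an allow entry for a group. The group name is a placeholder, not something from the page. One caveat worth knowing before using it: this registry value is what Group Policy writes for the "Network access: Restrict clients allowed to make remote calls to SAM" setting, so a change made directly in the registry is overwritten on the next policy refresh if a GPO defines the setting; in that case change the GPO (Solution 1) instead. The Set-ItemProperty line is left commented out so the script only reports unless you opt in.

```powershell
# Added example: inspect and extend the RestrictRemoteSAM security descriptor.
# Not from the original answer. Run in an elevated PowerShell on each domain controller.
# $groupName is a placeholder (assumption); replace it with the real group.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RestrictRemoteSAM'
$groupName = 'CONTOSO\SAM-Remote-Readers'   # placeholder group, not from the page

# READ_CONTROL (0x20000) is the "RC" right in SDDL; the policy editor shows it as "Remote Access".
$remoteAccess = 0x20000

# 1. Read the current value. If it is absent, this value imposes no restriction
#    (the state Solution 2 in the answer leaves the DC in).
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrEmpty($current)) {
    Write-Host "$valueName is not set under $regPath."
    return
}
Write-Host "Current SDDL: $current"

# 2. Parse the SDDL and show each entry in the DACL with whether it carries Remote Access.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # unresolvable SID: print it raw
    $hasRC = if (($ace.AccessMask -band $remoteAccess) -ne 0) { 'Remote Access' } else { '-' }
    '{0,-13} {1,-40} {2}' -f $ace.AceType, $who, $hasRC
}

# 3. Append an allow ACE granting Remote Access to the group, unless it already has an entry.
$groupSid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$existing = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $groupSid }
if ($existing) {
    Write-Host "$groupName already has an entry; no change proposed."
    return
}
$ace = New-Object System.Security.AccessControl.CommonAce(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    $remoteAccess,
    $groupSid,
    $false,
    $null)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "Proposed SDDL: $newSddl"

# 4. Apply it. Commented out so the script is read-only unless you opt in. If a GPO defines
#    the setting, the next gpupdate overwrites this value; edit the GPO instead in that case.
# Set-ItemProperty -Path $regPath -Name $valueName -Value $newSddl
```

After applying the new descriptor (or the GPO change), verify from a client as a normal user with net user /domain; the "System error 5" should be gone. The script prints the SID raw when it cannot be resolved, which is normal for stale or foreign-domain entries.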