Monitor - Authorization - Access Denied
Posted 07 June 2010 - 07:12 AM
First of all, thank you for this very useful program. It helps a lot to keep track of the health of machines in different places.
I'm using TNM in a private network (not over WAN), without a domain and I have problems with the authorization. In detail: TNM runs on Server#1 and I set up a monitor to check service state of W3SVC on Server#2 (both servers are running Windows Server 2008 R2). On authorization tab I entered the built-in administrator account and password on first setup of the monitor. It works perfect. An action is dispatched as soon as W3SVC is stopped.
For security reasons I want to disable the administrator account and created another "admin", added a password and made this account member of the administrators group. Log on and system management works as expected for an administrative account but when I enter this account in TNMs monitor I always get an "Access denied" error. I tried plain username as well as machine\username.
But the login credentials are valid. Beside checking them twice, copy & pasting, I also checked the security protocol of the other server and the login is successful. But the monitor in TNM says access denied when checking and fails (goes black).
Could you please tell me if there is something else I have to keep in mind or might have setup up wrong?
Thanks for assistance
Posted 09 June 2010 - 09:30 AM
Thanks for your feedback.
It is basically not a TNM issue, but general Windows security settings issue. In Windows Server 2008 R2, if you have default security settings, it is not enough to add a user to the Administrators group to allow him to connect to administrator resources remotely. You need to do the following: run "secpol.msc" and go to "Local Policies - Security Options". Then change the setting for the policy "User Account Control: Run all administrators in Admin Approval Mode" to "Disabled" and reboot the server. Now your another account should work fine. The built-in Administrator works without changing anything only because the policy "UAC: Admin Approval Mode for the Build-in Administrator account" has the value "Disabled" by default.
Posted 10 June 2010 - 06:23 AM
Thanks a lot for your reply. Editing the security policy and restarting solved the login problem - as you wrote. I guess this is a valuable information for other remote authorization problems under Windows Server 2008/2008 R2 in general which won't work with UAC enabled.
Thanks again for your help.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users