diff --git a/TSG/LCM/access-denied-lcm-user.md b/TSG/LCM/access-denied-lcm-user.md index 35a7586..b9afbf0 100644 --- a/TSG/LCM/access-denied-lcm-user.md +++ b/TSG/LCM/access-denied-lcm-user.md @@ -442,5 +442,130 @@ If you see entries for either `wsman/` or `wsman/.` and `wsman/.` ```Powershell setspn -D wsman/ -setspn -D wsman/ -``` \ No newline at end of file +setspn -D wsman/. +``` + +## Access Denied because remote logon related GPO policy is applied +### Symptoms +#### Symptom 1 +Deployment fails with `Access is Denied` during `AddAsZHostToDomain` step, right after node is joined to domain. An example of error message can be: +``` +Type 'AddAsZHostToDomain' of Role 'BareMetal' raised an exception: Unable to connect to the using .\Administrator credentials. Please check the .\Administrator credentials. +``` + + +#### Symptom 2 +When you recently made Group Policy change and applied to Azure Local clusters, your admin account, either local admin or domain account added to node's local `Administrators` group, fails to remotely logon to a node and gets `Access is Denied` error. + +### Issue Validation +Please run the following script on your node through BMC console, or through another user that can still remotely connect (i.e., via PowerShell session or RDP) to the impacted node. + +```powershell +$ErrorActionPreference = 'Stop' + +# SIDs to check +$Sid_LocalAdminCapability = 'S-1-5-114' +$Sid_AdministratorsGroup = 'S-1-5-32-544' +$isBlocked = $false + +$TempCfg = Join-Path $env:TEMP 'secpol.cfg' + +Write-Host "=== Checking SeDenyNetworkLogonRight ===" + +# Export effective user rights +secedit /export /areas USER_RIGHTS /cfg $TempCfg | Out-Null + +$denyLine = Select-String -Path $TempCfg ` + -Pattern '^SeDenyNetworkLogonRight\s*=' ` + -ErrorAction SilentlyContinue | + Select-Object -First 1 + +Remove-Item $TempCfg -Force -ErrorAction SilentlyContinue + +if (-not $denyLine) { + Write-Host "SeDenyNetworkLogonRight: NOT configured" + Write-Host "Local admins blocked: NO" +} +else { + Write-Host "SeDenyNetworkLogonRight: CONFIGURED" + Write-Host "Raw value:" + Write-Host " $($denyLine.Line)" + + $assignedSids = (($denyLine.Line -split '=', 2)[1] -split ',') | + ForEach-Object { $_.Trim().TrimStart('*') } + + Write-Host "Assigned SIDs:" + foreach ($sid in $assignedSids) { + Write-Host " - $sid" + } + + $blocked114 = $assignedSids -contains $Sid_LocalAdminCapability + $blocked544 = $assignedSids -contains $Sid_AdministratorsGroup + $isBlocked = $blocked114 -or $blocked544 + + if ($isBlocked) { + Write-Host "Local admins blocked: YES" + } + else { + Write-Host "Local admins blocked: NO" + } +} + +if ($isBlocked) +{ + Write-Host "" + Write-Host "=== Identifying applying GPO(s) ===" + + $gpresultText = gpresult /scope computer /Z 2>$null + + $gpos = $gpresultText | + Select-String 'Policy:\s+DenyNetworkLogonRight' -Context 3,3 | + ForEach-Object { + $_.Context.PreContext | + Select-String 'GPO:' | + ForEach-Object { + ($_ -split 'GPO:\s*')[1].Trim() + } + } | + Select-Object -Unique + + if ($gpos) { + foreach ($gpo in $gpos) { + Write-Host "GPO that contains the DenyNetworkLogonRight policy: $gpo" + } + } + else { + Write-Host "GPO that contains the DenyNetworkLogonRight policy: UNKNOWN (Run gpresult /scope computer /Z manually to confirm, or it may not be applied via Group Policy)" + } +} +Write-Host "=== Done ===" +``` +If you see `Local admins blocked: YES` in the output, that means the issue is validated. + +### Mitigation +Here is an example output from the validation script that validated the issue. + +``` +=== Checking SeDenyNetworkLogonRight === +SeDenyNetworkLogonRight: CONFIGURED +Raw value: + SeDenyNetworkLogonRight = *S-1-5-32-544 +Assigned SIDs: + - S-1-5-32-544 +Local admins blocked: YES + +=== Identifying applying GPO(s) === +GPO that contains the DenyNetworkLogonRight policy: Test-GPO +=== Done === +``` + +Please check the last section and find the GPO name that contains this `DenyNetworkLogonRight` policy. In Group Policy console it is displayed as `Deny Access to this computer from the network`. Go to the Group Policy management console and find the GPO with that name. Either uncheck the `Define these policy settings` checkbox for this policy, or remove `Administrators` group from the policy value. + +Location where you can find the policy: +![Image](./images/access-denied-gpo-location.png) + +Once finished, run +```powershell +gpupdate /force +``` +on each impacted node. This will help mitigate the issue. Once this is done on all impacted nodes, you can then retry the failed action. diff --git a/TSG/LCM/images/access-denied-gpo-location.png b/TSG/LCM/images/access-denied-gpo-location.png new file mode 100644 index 0000000..330b25d Binary files /dev/null and b/TSG/LCM/images/access-denied-gpo-location.png differ