Service Manager Access Denied

Purpose:
You receive an error, Access denied to the computer's service manager on the target computer.

Resolution:
This security error may be caused by the user account not being an administrator of the target machine, the User token has become corrupted, a restart of the background service is required, or the RPC/TCP connection timed out.

In some instances, this error only appears when deploying or scanning Windows 7 and Windows 2008 R2 targets that have their Windows Firewall turned off.

Credentials:

Ensure the deploy or scan user in Options > Credentials is a member of the target computer's Administrator group or is otherwise an administrator of the computer.

You may need to change the authentication used when deploying to the target computer. For example, if the target is a Windows 7 or Windows 2008 R2 computer and the Windows Firewall is turned off (and needs to stay off) then the user credentials that run the Background Service must have Administrative rights on the target machines. You can configure the Background Service credentials via Options > Background Service.

Ensure Credentials Have Been Granted the Right to Log On As A Service:

Any credentials used in PDQ products (to deploy software or run an inventory scan on target computers) must be granted the right to "Log on as a service". PDQ Deploy or PDQ Inventory will automatically attempt to grant this right to the deploy or scan credentials used on target computers.

If granting this right fails then you will need to enable this right either locally (on the target machines) or via Group Policy.

To enable on the local machines go to the Local Security Policy under Control Panel > System and Security > Administrative Tools OR simply run the following command from Start > Run or a CMD window:

secpol.msc

In the Local Security Policy window go to Security Settings > Local Policies > User Rights Assignment > Log on as a Service and add the appropriate credentials to this right. Verify that this account has NOT been added to the "Deny log on as a service policy".

LogonAsAServiceLocal.png

To add the account via Group Policy open your Group Policy editor and edit the appropriate Group Policy. Go to Policies > Windows Settings > Security Settings > Log on a service

LogonAsAServiceGPO.png

Restart the Background Service:

Go to Options > Background Service and restart the service. Retry the scan or deployment.

Modify Service Manager TCP Connection:

If the problem persists after restarting the background service, you may need to modify the Service Manager TCP Connection settings in Options > Preferences > Performance. Try setting the value to Timeout to 5 seconds. If the problem still persists try the Disabled value.

If the problem still persists after setting the Service Manager TCP connection to Disabled, there may be an issue where the registry value is not being set to disable to Service Manager TCP Connection. In this case, perform the following:

  1. On the PDQ console machine, open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  2. If it exists, modify the REG_DWORD value data of SCMApiConnectionParam to 0x80000000.
  3. If it does not exist, create a REG_DWORD value SCMApiConnectionParam and set the value data to to 0x80000000
    rpc-tcp.png
  4. Once the value is set, restart the Background Service from within the program (Options > Background Service) or by opening services.msc and restarting the service.

Verify PDQ Inventory or PDQ Deploy Service is Not Running as Local System:

Occasionally the Background Service (Options > Background Service) credentials aren't honored in the actual Windows' services for PDQ Inventory and PDQ Deploy. In these cases open up services.msc and verify that the Log On As value is NOT set to Local System. If it is, you may need to change the logon value inside of Services to match the credentials specified in the Background Services panel. Please see this article for more information:The Service Did Not Start Due To A Logon Failure.
rpc-tcp2.png

 

Was this article helpful?
Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.