Purpose:
You receive an error, Access denied to the computer's service manager on the target computer.
Resolution:
This security error may be caused by the user account not being an administrator of the target machine, the User token has become corrupted, a restart of the background service is required, or the RPC/TCP connection timed out.
In some instances, this error only appears when deploying or scanning Windows 7 and Windows 2008 R2 targets that have their Windows Firewall turned off.
Credentials:
Ensure the deploy or scan user in Options > Credentials is a member of the target computer's Administrator group or is otherwise an administrator of the computer.
You may need to change the authentication used when deploying to the target computer. For example, if the target is a Windows 7 or Windows 2008 R2 computer and the Windows Firewall is turned off (and needs to stay off) then the user credentials that run the Background Service must have Administrative rights on the target machines. You can configure the Background Service credentials via Options > Background Service.
Ensure Credentials Have Been Granted the Right to Log On As A Service:
Any credentials used in PDQ products (to deploy software or run an inventory scan on target computers) must be granted the right to "Log on as a service". PDQ Deploy or PDQ Inventory will automatically attempt to grant this right to the deploy or scan credentials used on target computers.
If granting this right fails then you will need to enable this right either locally (on the target machines) or via Group Policy.
To enable on the local machines go to the Local Security Policy under Control Panel > System and Security > Administrative Tools OR simply run the following command from Start > Run or a CMD window:
secpol.msc
In the Local Security Policy window go to Security Settings > Local Policies > User Rights Assignment > Log on as a Service and add the appropriate credentials to this right. Verify that this account has NOT been added to the "Deny log on as a service policy".
To add the account via Group Policy open your Group Policy editor and edit the appropriate Group Policy. Go to Policies > Windows Settings > Security Settings > Log on a service
Restart the Background Service:
Go to Options > Background Service and restart the service. Retry the scan or deployment.
Modify Service Manager TCP Connection:
If the problem persists after restarting the background service, you may need to modify the Service Manager TCP Connection settings in Options > Preferences > Performance. Try setting the value to Timeout to 5 seconds. If the problem still persists try the Disabled value.
If the problem still persists after setting the Service Manager TCP connection to Disabled, there may be an issue where the registry value is not being set to disable to Service Manager TCP Connection. In this case, perform the following:
- On the PDQ console machine, open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
- If it exists, modify the REG_DWORD value data of SCMApiConnectionParam to 0x80000000.
- If it does not exist, create a REG_DWORD value SCMApiConnectionParam and set the value data to to 0x80000000
- Once the value is set, restart the Background Service from within the program (Options > Background Service) or by opening services.msc and restarting the service.
Verify PDQ Inventory or PDQ Deploy Service is Not Running as Local System:
Occasionally the Background Service (Options > Background Service) credentials aren't honored in the actual Windows' services for PDQ Inventory and PDQ Deploy. In these cases open up services.msc and verify that the Log On As value is NOT set to Local System. If it is, you may need to change the logon value inside of Services to match the credentials specified in the Background Services panel. Please see this article for more information: The Service Did Not Start Due To A Logon Failure.
Comments
39 comments
Sweet Jesus, the PDQ Deploy service running as Local System got me, too. Fortunately I cut my hair short or I'd have pulled it all out.
Sorry for the headaches, Brian. We try to prevent this from happening however every now and then the Local System will still be set as the credentials for the Windows Service. <sigh>
I'm glad you were able to work around that.
I believe I've run into an entirely different problem.
I have two domains, and all of the Windows 7 machines on the secondary domain get the service manager error.
PDQ is on Domain A, the Windows 7 machines we're having trouble scanning are on Domain B.
For security reasons, we do not allow accounts to have any administrative access to each others domain. Therefore we have an admin account for each domain.
Scanning XP machines does not present a problem on Domain B.
What I think is happening though is that initially it is authenticating with the Domain B credentials, however when it gets to the service manager it is reverting to the background credentials on Domain A.
In an effort to test the issue, temporary access was given by a test PC on Domain B to our admin on Domain A through the Administrators group on the workstation. This resulted in a successful scan afterwards.
Running PDQ Repair on a Domain B workstation with Domain B credentials passes all four tests.
Yes was total the UAC and the services running at local instead of login to the domain account with the workstations admin rights for the AD branch I'm manage.
Thanks
Hi guys,
I'm having the problem since we we have trusted domains. Before everything was good, PDQ Depoy in domain A deploying in domain B, C and D. Then we set up a trust relationship between domains A and B and A and C and I'm unable to deploy, getting the error "Access denied to computer's service manager". I tried both credentials (from A and B) to no avail.
Deployment works only in the untrusted domain D.
Any ideas?
Bye
Jochen
I am having the same issues with a trusted domain. I'm not sure how to fix it.
Hey Jason
You will have to use your domain admin user account to run the service locally.
I had tried the local administrator workstation account under the Serices "Log On" but did not have much luck for some reason even if I use .{admin_name} and password
But if I used in our organization at UNBC and I'm part of the domain admins my full credentials. uni.adr.unbc.ca{my account_name} then my password restart the service. you also have to make sure under preferences the Credentials are the same and default.
Hope that helps
Cheers
~Ben
Ben Stewart
System Administrator
Geoffrey R. Weller library & Northern BC Archives.
3333 University Way
Prince George, British Columbia | V2N 4Z9
PH (250) 960-6605
benjamin.stewart@unbc.ca
“Sometimes it is not good enough to do our best; we must do what is required.” –Winston Churchill
I experienced this problem just after updating to PDQ Deploy 8. I found that the service has turned to run with a local account, so I changed to the right user to run the service and it worked.
Hi Adam Ruth, I have windows 2012 r2 server and other target machine are windows 2012 r2 . my issue is server-1 was working fine before adding to the domain as admin I can able to do whatever remotely. but after added the server-1 to the domain as admin(local account) I am getting access denied error to the target server(server-2). Can pls help me to fix the is issue.
Article is closed for comments.