Service Manager Access Denied

4/26/2018

Purpose:
You receive an error, Access denied to the computer's service manager on the target computer.

Resolution:
This security error may be caused by the user account not being an administrator of the target machine, a corrupted user token, the background service needing a restart, or the RPC/TCP connection timing out.

In some instances this error only appears when deploying or scanning Windows 7 and Windows 2008 R2 targets that have their Windows Firewall turned off.

Credentials:
Ensure the deploy or scan user in Options > Credentials is a member of the target computer's Administrator group or is otherwise an administrator of the computer.

You may need to change the authentication used when deploying to the target computer. For example, if the target is a Windows 7 or Windows 2008 R2 computer and the Windows Firewall is turned off (and needs to stay off) then the user credentials that run the Background Service must have Administrative rights on the target machines. You can configure the Background Service credentials via Options > Background Service.

Restart the Background Service:
Go to Options > Background Service and restart the service. Retry the scan or deployment.

Modify Service Manager TCP Connection:
If the problem persists after restarting the background service, you may need to modify the Service Manager TCP Connection settings in Options > Preferences > Performance. Try setting the value to a Timeout of 5 seconds. If the problem still persists, try the Disabled value.

If the problem still persists after setting the Service Manager TCP Connection to Disabled, the registry value that disables the Service Manager TCP Connection may not be getting set. In this case, perform the following:

  1. On the PDQ console machine, open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  2. If it exists, modify the REG_DWORD value data of SCMApiConnectionParam to 0x80000000.
  3. If it does not exist, create a REG_DWORD value SCMApiConnectionParam and set the value data to 0x80000000.
  4. Once the value is set, restart the Background Service from within the program (Options > Background Service) or by opening services.msc and restarting the service.

Verify PDQ Inventory or PDQ Deploy Service is Not Running as Local System:
Occasionally the Background Service (Options > Background Service) credentials aren't honored in the actual Windows services for PDQ Inventory and PDQ Deploy. In these cases, open services.msc and verify that the Log On As value is NOT set to Local System. If it is, you may need to change the logon value inside of Services to match the credentials specified in the Background Service panel. Please see this article for more information: The Service Did Not Start Due To A Logon Failure.
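
The registry steps and the Log On As check above, scripted in PowerShell as an added example (not PDQ's own tooling). The service names PDQDeploy and PDQInventory are assumptions; confirm them with Get-Service on the console machine before running.

```powershell
#Requires -RunAsAdministrator
# Added example: run in an elevated session on the PDQ console machine.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name = 'SCMApiConnectionParam'
# PowerShell parses this hex literal as Int32 -2147483648, which is the same
# 32-bit pattern the registry stores and displays as 0x80000000.
$want = 0x80000000

# Steps 1-3: read the current value, then create or correct it.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want | Out-Null
    Write-Output "$name did not exist; created with value 0x80000000"
}
elseif ($current -ne $want) {
    Set-ItemProperty -Path $key -Name $name -Type DWord -Value $want
    Write-Output ("{0} changed from 0x{1:X8} to 0x80000000" -f $name, $current)
}
else {
    Write-Output "$name is already 0x80000000"
}

# Assumed service names (not stated in the article).
$serviceNames = 'PDQDeploy', 'PDQInventory'

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $serviceNames -contains $_.Name }

if (-not $services) {
    Write-Warning "No service matched: $($serviceNames -join ', ')"
}

foreach ($svc in $services) {
    # The article's last check: Log On As must NOT be Local System.
    # Win32_Service reports that account as 'LocalSystem' in StartName.
    if ($svc.StartName -eq 'LocalSystem') {
        Write-Warning "$($svc.Name) logs on as Local System; set it to the Background Service credentials in services.msc"
    }
    else {
        Write-Output "$($svc.Name) logs on as $($svc.StartName)"
    }

    # Step 4: restart so the service picks up the registry value.
    Restart-Service -Name $svc.Name
}
```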