This is very know issue, if you search internet, you will get multiple blog post with same solution for this issue, and if you follow the steps, it actually resolve this issue.
In simple word, solution of this problem is
- Logon to the faulty system.
- Open SECPOL.MSC from Run
- Go to Security Settings | Local Policies | Security Options
- Open Network access: Do not allow storage of passwords and credentials for network authentication
- To resolve this issue, simply set this policy to Disabled.
But, my problem is little bit different, I was working on a script to validate the Local Admin password of multiple remote systems, I found best way to validate this is to create a ONSTART task with local admin credentials with schtasks.exe via PS Remoting (WSMan). Something like this
1 | schtasks.exe /create /TN TestAdmin /SC ONSTART /TR "cmd.exe /c" /RU "RemoteServerName\LocalAdminAccount" /RP "Password" |
If the scheduled task created successfully, it means the local admin account authenticating. Now the problem is, when I was trying to run this remotely on multiple Windows 2008 R2 servers, I am getting “A specified logon session does not exist” and my script reporting wrong status. Solution is already available, but who will made those changes on hundreds of servers manually, and I am also not sure why this policy was enabled. So I don’t want made any permanent changes on all the servers for validating local admin password.
What I did is, logged on to a problematic system, and extracted the local security policy configuration using this command
1 | SECEDIT.exe /export /cfg c:\123.inf |
Now, I disabled the policy mentioned above and extracted the local security policy configuration again using the same command to a different file.
1 | SECEDIT.exe /export /cfg c:\321.inf |
And run file compare using PowerShell.
1 | Compare-Object (Get-Content C:\123.inf) (Get-Content C:\321.inf) |
This way I was able to identify which registry value is responsible for this policy.
1 | MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds |
Now, I wrote a validation check before executing the schtasks.exe.
1 2 3 4 5 6 7 8 9 10 11 | $GetAccessFix = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa -Name disabledomaincreds).disabledomaincreds if ($GetAccessFix -ne "0") { Set-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa -Name disabledomaincreds -Value 0 -Force } $CheckAdminAccess = schtasks.exe /create /TN TestAdmin /SC ONSTART /TR "cmd.exe /c" /RU "$ServerName\$UserName" /RP "$newPASSword" if ($CheckAdminAccess){ schtasks.exe /delete /TN TestAdmin /F | Out-Null if ($GetAccessFix) { Set-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\Lsa -Name disabledomaincreds -Value $GetAccessFix -Force } } |
So, it will do following checks.
- First it will collect the registry value of disabledomaincreds from HKLM:SYSTEM\CurrentControlSet\Control\Lsa and store the value under variable $GetAccessFix
- Now, If the value of $GetAccessFix is not equal to 0, then it will update the value to 0.
- After that it will execute the schtasks.exe
- And if the authentication is correct, then $CheckAdminAccess will have following value, else value will be null.
SUCCESS: The scheduled task “TestAdmin” has successfully been created.
- Once access validated, it will delete the scheduled task and revert the policy settings.
Now, Script working as expected
I hope this information might help you as well. Happy Scripting. J
Disclaimer: All posts and opinions on this site are provided AS IS with no warranties. These are our own personal opinions and do not represent our employer’s view in any way.
This article currently have 6,199 views
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.