Windows 7 Unable to remotely stop service. Classic Access is Denied problem - but only for Windows 7

jfrm

New Member
I have spent days trying to solve this problem - so any suggestions will be most gratefully received! I run a group of Windows XP Professional (SP3, 32 bit) machines in a workgroup, all using the same id and password, the id being in the administrators group on each machine. One of the machines backs up all the others each night automatically and to do this it needs to first down a service or 2 on the remote machine first. This has worked for donkey's years without trouble using netsvc and/or sc.exe. Until now - having taken the plunge with Windows 7 (64 bit) professional on the latest machine. The id and groups are set up in the same way but the Windows 7 machine does not allow the XP machine to stop its service. I have read dozens of forums (fora?) and advice websites and have tried the following without success already:

* Both Windows Firewall and Windows defender are stopped and disabled on the Windows 7 machine.
* Previously when this problem occurred for an XP machine, a solution that worked was to set Folder Options - deselected 'Simple File Sharing' and then reboot. The equivalent for Win7 seems to be 'Use Sharing Wizard'. This has been deselected.
* The service stop doesn't work on the XP machines unless a drive is mapped from the backing up machine to the machine to be backed up. Accordingly, a drive is also mapped to a share on the Win7 machine.
* Administrative Tools->Local Security Settings->Local Policies->Security Options - "Network Access:Sharing and security model for local accounts" is set to "Classic - local users..."
* Much advice centres around running the command box "as an administrator" but this doesn't seem to be an option for XP. Therefore I assume not applicable.
* One person suggested for Vista, setting [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy] to 1 but I cannot find this on Windows 7. Is it a Vista thing only?

Perhaps there are other Security settings or policies that I need to look at?
 
Try FilterAdministratorToken to 1 in the same location; or create "LocalAccountTokenFilterPolicy" in the same location. If it still fails, the answer may be in the local machine group policy (gpedit.msc) on the Windows 7 machine. Where the setting is, I am unsure. The steps you have taken are prudent, and I have used them before on XP machines. The best solution is going to be Windows Server, of course, but we know what the cost differential is.
 
Very good thanks - significant progress now. I have created the value [HKLM\SOFTWARE\Microsoft Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy] set to 1 on the Windows 7 machine. I can then run the command
runas /user:machine\username "sc \\machine query"
from the XP machine command prompt and it works!

None-the-less, my problem still exists. If I run the command direct:
sc \\machine query,
I still get the Access is Denied result.

And while the runas command is very useful, it prompts for a password so I cannot run it from an automated script. So near and yet so far. Can anyone think of a single command line that will enable me to do this thing?

I am astonished at Microsoft who seem to be intent on making everyone's lives harder. It is most annoying that they have effectively broken the intrinsic ability to remotely deal with services on a machine and then even worse made fixing the problem stupidly obscure.
 
At last it is working. I'm not sure what changed, possibly just starting a new command prompt, but sc is now remotely stopping and starting the services. Setting LocalAccoun tTokenFilterPolicy was the missing factor that did the trick. Thank you Mike for the idea. Interestingly, netsvc still does not work but the puzzle is solved for sc.
 
You're very welcome. The authentication standards in Windows 7 are far more evolved from XP and this dates back to even Vista. The method you described in your original post is the same way that Symantec End-Point is distributed on a mass-scale through hundreds of computers. This is how I have some background in understanding what you are trying to do. I imagine that for some security purpose extensive alterations have been made to make XP <-> 7 interactions require additional exchanges. The idea that security in XP is lax, whereas in Vista and 7 it is more prominent is not a myth at all. Both of the latter operating systems are seriously security hardened compared to Windows XP. Even on a workgroup, it is going to give you a hassle making connections like this. Server would likely let you make the security changes you want on all of the machines through group policy, but I know you are trying to save the $2,000! Cannot blame you on that one at all. I am curious if your method would work between multiple Windows 7 machines. So whereas if all the machines are on the same platform, would you still have the same problem? For some reason I sincerely doubt that you would. Windows 7 designates Windows XP to be less secure - and perhaps rightfully so to a great degree. Of course it would also be disadvantageous to allow you to control many client systems from another copy of Windows client - why then would you need Windows server? I think this is a thought process that must have gone into the design.

If you are on a mostly private LAN, though, security becomes less of an issue, especially if you have ports that are closed, and secure, on your hardware firewall. The thing is, with XP, when you have disabled the software firewall, disabled simple file sharing, and so forth, it is almost like inviting complete destruction over your systems! The security on Vista and 7, I have found to be, infinitely better, and far less prone to successful attacks. I suspect this extra security is the reason for your problem
 
Back
Top