While working with PowerShell Remoting (PSRemoting), I was able to successfully connect to a remote machine using Enter-PSSession, but any administrative command—such as resetting the local Administrator password—failed with:
System error 5 has occurred.
Access is denied.
Even though the account I used for PSRemoting was a member of both the Administrators and Remote Management Users groups, it still received an access-denied error when executing commands like net user
PS vm02 > Enter-PSSession -ComputerName 10.0.0.4 -Credential vmadmin [10.0.0.4]: PS C:\Users\vmadmin\Documents> net user azureadmin Computer@123 net : System error 5 has occurred. + CategoryInfo : NotSpecified: (System error 5 has occured.:String) [], RemoteExecution + FullyQualifiedErrorId : NativeCommandError Access is denied. [10.0.0.4]: PS C:\Users\vmadmin\Documents>
This occurs because PowerShell Remoting does not automatically grant full administrative privileges to local accounts on non-domain-joined systems, even if they belong to the Administrators group.
UAC remote restrictions cause these local admin accounts to receive a filtered (limited) token during remote logon.
Fix: Enable Full Administrator Token for Local Accounts
To allow local administrator accounts to run remote commands with a full, elevated token, you must enable the LocalAccountTokenFilterPolicy registry setting on the target machine.
Run the following on the server:
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1
LocalAccountTokenFilterPolicy : 1
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PSChildName : System
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
This disables UAC remote token filtering and allows local administrators to run elevated commands over PSRemoting.
Part 1: Bypass the Domain Wall: How to Enable PSRemoting WinRM in a Workgroup Environment
Part 2: PowerShell Remoting Access is Denied: How to Fix PSRemoting for Administrators Group Accounts
Part 3: PowerShell PSRemoting Fix: Bypassing "Access is Denied" for Privileged Admin Commands
Apply the Change
After setting the registry entry:
-
Exit the current PSSession.
-
Reconnect using Enter-PSSession so the new token applies.
-
Run the administrative commands again—they should now succeed.
Useful Articles
Installing, importing and using any module in powershell
Microsoft PowerShell: Check Windows license activation status
Find next available free drive letter using PowerShell
Copy Files with PowerShell Remoting WINRM Protocol
Powershell Find application window state minimized or maximized
How to Install and Use Microsoft PowerShell on Linux
Configure PowerShell remoting between Windows and Linux
Get-PSRepository WARNING Unable to find module repositories
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send
Creating an internal PowerShell module repository
How to sign PowerShell ps1 scripts
PowerShell Convert MAC address to Link-local address IPv6
PowerShell fix repair The trust relationship between this workstation and the primary domain failed
Resovled issue with PowerShell - Trust relationship Rejoin computers in domain without restart
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS
POWERSHELL DSC XACTIVEDIRECTORY ERROR - A NETBIOS DOMAIN NAME MUST BE SPECIFIED
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY
THE POWERSHELL XACTIVEDIRECTORY PROVIDER DOES NOT EXIST AT THE POWERSHELL MODULE PATH NOR IS IT REGISTERED AS A WMI PROVIDER
PowerShell remoting over HTTPS using self-signed SSL certificate
Configure Powershell WinRM to use OpenSSL generated Self-Signed certificate
