Windows Remote UAC Setting in a Group Policy Workaround



Article ID: 118437


Updated On: 10-30-2019

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator needs to apply, through a Group Policy Object, the UAC setting that the PAM documentation requires on Windows Remote target servers:

If User Account Control is enabled on the target server, and the administrator account used for password management is a local administrator, set the following registry value. It gives the Windows Remote Connector the access it needs to perform SMB and WMI operations on the target server: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = dword:00000001

Environment

PAM 3.x

Resolution

LocalAccountTokenFilterPolicy has no dedicated setting in the Group Policy Management Editor. Instead, deliver it as a Group Policy Preferences registry item. Note that a value of 1 lifts the UAC remote restriction for every local administrator account on the hosts the GPO applies to, not only the PAM management account, so link the GPO only to the OU that holds the Windows Remote target servers. Within the Group Policy Management Editor, do the following:

  1. Open gpmc.msc.
  2. Create an Organizational Unit named "PAM Windows Remote Servers".
  3. Move the computer accounts of all PAM Windows Remote target servers into this OU.
  4. Right-click the new Organizational Unit.
  5. Select "Create a GPO in this domain, and Link it here".
  6. Give the GPO a name (e.g. PAM WMI Registry Settings GPO).
  7. Select the newly created GPO.
  8. Right-click it and select "Edit".
  9. Navigate to Computer Configuration >> Preferences >> Windows Settings.
  10. Right-click Registry >> New >> Registry Item and enter the following:


Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: LocalAccountTokenFilterPolicy
Value Type: REG_DWORD
Value Data: 1


If you also select "Account can change own password", ensure the applicable security policy does not set "Minimum password age" above 0 days. The Windows password policy is enforced when an account changes its own password, so a non-zero minimum age rejects a second rotation of the same account within one day.





If the Windows server is standalone (not joined to an AD domain), modify the Local Security Policy (secpol.msc). If it is domain-joined, the domain policy overrides the local setting, so make the change in a GPO on the domain controller.

If you instead select "Use the following account to force change password" and specify another administrator account, the password is reset by that account rather than changed by its owner, so it can be rotated multiple times a day even when "Minimum password age" is set to 1.
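The following PowerShell script is an added example and is not part of this article or of the PAM product. It is a pre-flight check to run as a local administrator on a Windows Remote target server: it reports whether the LocalAccountTokenFilterPolicy value from the GPO procedure above is in effect, offers to set it directly only on a standalone host (where no domain GPO would overwrite it), and reads "Minimum password age" from the local account policy to tell whether "Account can change own password" can rotate more than once a day. The function names, the -Force switch and the console messages are assumptions of this example.

```powershell
# Added example, not from the CA/Broadcom article: pre-flight check for a PAM
# Windows Remote target. Run as a local administrator on the target server.

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'LocalAccountTokenFilterPolicy'

function Test-DomainJoined {
    return [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
}

function Get-TokenFilterPolicy {
    # $null means the value is absent: UAC remote restrictions still apply and a
    # local admin account only gets a filtered token over SMB/WMI.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-TokenFilterPolicy {
    # Standalone hosts only: on a domain-joined server the domain GPO wins on the
    # next policy refresh, so the value must be set in the GPO described above.
    param([switch]$Force)   # -Force is an assumption of this example
    if ((Test-DomainJoined) -and -not $Force) {
        throw "Domain-joined host: set $valueName in the PAM GPO with gpmc.msc, not locally."
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-MinimumPasswordAgeDays {
    # Parses "Minimum password age (days): N" from the local account policy.
    # Use 'net accounts /domain' instead when the managed account is a domain account.
    $line = @((net accounts) -match 'Minimum password age')[0]
    if ($line -match '(\d+)\s*$') { return [int]$Matches[1] }
    throw 'Could not read Minimum password age from net accounts.'
}

# 1. UAC remote restrictions (the registry value delivered by the GPO)
$policy = Get-TokenFilterPolicy
if ($policy -eq 1) {
    Write-Host "OK   $valueName = 1; SMB/WMI with a local admin account gets a full token."
} elseif (Test-DomainJoined) {
    Write-Host "FAIL $valueName is not 1. Confirm the GPO applied: gpupdate /target:computer /force, then gpresult /r /scope:computer"
} else {
    Write-Host "FAIL $valueName is not 1 on a standalone host; run Set-TokenFilterPolicy"
}

# 2. Password policy that gates "Account can change own password"
$minAge = Get-MinimumPasswordAgeDays
if ($minAge -eq 0) {
    Write-Host 'OK   Minimum password age is 0 days; more than one rotation per day is allowed.'
} else {
    Write-Host "WARN Minimum password age is $minAge day(s); a second same-day rotation will be rejected unless PAM uses 'Use the following account to force change password'."
}
```

On a domain-joined server the script deliberately refuses to write the value locally, because a Group Policy Preferences item with Action: Update reapplies on every refresh and a local edit would only mask a GPO that is not actually linked or filtered correctly; gpresult on the target is the check that proves the GPO reached the machine.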