Error message when you try to use the "runas" command, the "Run as Administrator" option, or the "Run as a different user" option after you upgrade from Windows Server 2003 or from Windows Server 2008 to Windows Server 2008 R2: "Access is denied"

Article ID: 977513 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You upgrade a computer that is running Windows Server 2003 or Windows Server 2008 to Windows Server 2008 R2.
  • You log on as a standard user.
  • You try to use one of the following features:
    • runas command
    • Run as Administrator option
    • Run as a different user option
In this scenario, you receive the following error message:
Access is denied
Back to the top | Give Feedback

CAUSE

This issue occurs because the discretionary access control list (DACL) for the Secondary Logon service is not set correctly when you upgrade from Windows Server 2003 or from Windows Server 2008. This problem prevents a standard user from starting this service and from running an application as a different user.
Back to the top | Give Feedback

WORKAROUND

To work around this issue, use the most appropriate workaround from the following workarounds.

Workaround 1: Use the Sc.exe command prompt utility

You can use the Sc.exe command prompt utility to set the security to the default configuration after you upgrade the server.

Note You should log on as an administrator before you run these commands.

To do this, follow these steps:
  1. Open a Command Prompt window.
  2. At the command prompt, type the following command, and then press ENTER:
    net stop seclogon
  3. At the command prompt, type the following command, and then press ENTER:
    sc sdset seclogon d:(a;;cclcswrpwpdtlocrrc;;;sy)(a;;ccdclcswrpwpdtlocrsdrcwdwo;;;ba)(a;;cclcswrpdtlocrrc;;;iu)(a;;cclcswdtlocrrc;;;su)(a;;cclcswrpdtlocrrc;;;au)s:(au;fa;ccdclcswrpwpdtlocrsdrcwdwo;;;wd)
    Note This command is wrapped for readability.
  4. Close the Command Prompt window.
  5. Try to use one of the following features:
    • runas command
    • Run as Administrator option
    • Run as a different user option
    Also, make sure that you can switch users and that the Secondary Logon service starts correctly.

Workaround 2: Use Group Policy

You can use the Group Policy Management Console to configure a domain-based policy that sets security to the default configuration after you upgrade the server. A new Group Policy object (GPO) should be created for this workaround and should be linked so that the new GPO is applied to only the affected computers.

To do this, follow these steps:
  1. Edit Group Policy in the Group Policy Management Console.
  2. Locate the following policy:
    Computer Configuration\Policies\Windows Settings\Security Settings\System Services
  3. Open the Secondary Logon service.
  4. Click to select the Define this policy setting check box, and then click Enabled.
  5. Set the service startup mode to Manual.
  6. Expand the Security node to make sure that the following properties and objects are set to Allow.
    Collapse this tableExpand this table
    PropertyObjects
    Authenticated UsersQuery Template, Query Status, Enumerate Dependents, Start, Pause and continue, Interrogate, Read Permissions, User Defined Control
    Builtin\AdministratorsFull Control
    InteractiveQuery Template, Query Status, Enumerate Dependents, Start, Pause and continue, Interrogate, Read Permissions, User Defined Control
    ServiceQuery Template, Query Status, Enumerate Dependents, Pause and continue, Interrogate, User Defined Control
    SystemQuery Template, Query Status, Enumerate Dependents, Start, Pause and continue, Interrogate, Stop
  7. Click OK to apply the security changes.
  8. Click OK to apply the Group Policy changes.
  9. Apply the GPO to the affected computers by waiting for Group Policy to update or by starting the update manually.
  10. Try to use one of following features:
    • runas command
    • Run as Administrator option
    • Run as a different user option
    Also, make sure that you can switch users and that the Secondary Logon service starts correctly.
Note We do not recommend this workaround because the permissions are reapplied during Group Policy updates. However, you have to fix the incorrect security only one time after the upgrade.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information about the runas command, please visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb490994.aspx
(http://technet.microsoft.com/en-us/library/bb490994.aspx)
For more information about how to use the Group Policy Management Console, please visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc753298.aspx
(http://technet.microsoft.com/en-us/library/cc753298.aspx)
Back to the top | Give Feedback

Properties

Article ID: 977513 - Last Review: November 19, 2009 - Revision: 1.1
APPLIES TO
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008 R2
Keywords: 
kbtshoot kberrmsg kbbug kbexpertiseinter kbsurveynew kbprb KB977513
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top