PowerShell Access Denied only for Local user who is also Admin but not for domain user who is local admin

Question

We are trying to setup a machine for PSRemoting using the following command

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

for some reason this only works when we open the powershell in the context of a domain user who is a local administrator.

PS C:\Windows\system32> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI 

Confirm
Are you sure you want to perform this action?
Performing operation "Set-PSSessionConfiguration" on Target "Name:
Microsoft.PowerShell".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):A
Access is denied.
At line:15 char:26
+    if ((!$pluginName) -or <<<<  !(test-path "$pluginDir"))
    + CategoryInfo          : InvalidOperation: (:) [], InvalidOperationExcept
   ion
    + FullyQualifiedErrorId : WsManError

Join-Path : Access is denied.
At line:22 char:35
+    $pluginFileNamePath = Join-Path <<<<  "$pluginDir" 'FileName'
    + CategoryInfo          : NotSpecified: (:) [Join-Path], InvalidOperationE
   xception
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power
   Shell.Commands.JoinPathCommand

Test-Path : Cannot bind argument to parameter 'Path' because it is an empty str
ing.
At line:23 char:19
+    if (!(test-path <<<<  "$pluginFileNamePath"))
    + CategoryInfo          : InvalidData: (:) [Test-Path], ParameterBindingVa
   lidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAl
   lowed,Microsoft.PowerShell.Commands.TestPathCommand

Get-Item : Cannot bind argument to parameter 'LiteralPath' because it is an emp
ty string.
At line:29 char:43
+    $pluginFileName = get-item -literalpath <<<<  "$pluginFileNamePath"
    + CategoryInfo          : InvalidData: (:) [Get-Item], ParameterBindingVal
   idationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAl
   lowed,Microsoft.PowerShell.Commands.GetItemCommand

Set-PSSessionConfiguration : Session Configuration "Microsoft.PowerShell" is no
t a PowerShell based shell.
At line:89 char:27
+ Set-PSSessionConfiguration <<<<  $args[0] $args[1] $args[2] $args[3] $args[4]
$args[5] $args[6] $args[7] $args[8]
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorExcep
   tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
   n,Set-PSSessionConfiguration

PS C:\Windows\system32>

it looks to me that there is something that is preventing access to the wsman:\\localhost\\plugin but can't understand how that can be fixed. This only happens in our test bed, but in our development environment we have no such issues.

Does any one have any clue as to what additional user access is for this command to work that an local administrator user may not have?

Answer 1

Here is an article that explains how to resolve this problem... basically to fix this you set LocalAccountTokenFilterPolicy to True in the registry.

http://www.shirmanov.com/2011/04/winrm-access-is-denied-on-local.html