Error message when you try to connect to a Windows XP SP2-based computer by using the Remote.exe tool together with the /SMS:NoSQL switch: ''Security rights to run Remote Tools on this client have been denied" (922357)


The information in this article applies to:

  • Microsoft Systems Management Server 2003
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

You try to connect to a Microsoft Windows XP Service Pack 2 (SP2)-based computer that is running the Microsoft Systems Management Server (SMS) 2003 Advanced Client by using the Remote.exe tool together with the /SMS:NoSQL switch. After you do this, you may receive the following error message:
Remote Tools: Security rights to run Remote Tools on this client have been denied.
However, when you run the Remote.exe tool without using the /SMS:NoSQL switch, you can connect to the Windows XP SP 2-based computer successfully.

Note You may be able to use the Remote.exe tool together with the /SMS:NoSQL switch to connect to Windows XP SP2-based computer. In this case, you do not receive an error message.

CAUSE

When you use the Remote.exe tool together with the /SMS:NoSQL switch, the system tries to connect to the IPC$ share of the client computer by using a NULL session. The Remote.exe tool then tries to connect to the Server service by using a named pipe to issue the NetServerGetInfo function call. The advanced security features in Windows XP SP2 do not let you connect to the Server service named pipe from a NULL session.

WORKAROUND

To work around this issue, use one of the following methods.

Method 1

If you know the site code name or the database server name, use the Remote.exe command without the /SMS:NoSQL switch. You will be prompted to manually enter the site code or the database server name.

Method 2

If you must use the /SMS:NoSQL switch, create an authenticated session to the client computer before you run the Remote.exe tool.

To create an authenticated session, type net use \\client computer name\IPC$ at a command prompt, and then press ENTER. This command generates a connection to the client computer by using the logged-on user's credentials.

Note You can use another set of credentials in this command. The Remote.exe tool will use the authenticated session to connect to the named pipe. You can also map a drive to a network share before you start the Remote.exe tool. Or, you can locate a shared resource on the client computer before you run the Remote.exe tool. These approaches generate the same outcome as when you connect to the IPC$ share on the SMS Advanced Client.

Method 3

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Enable named pipes that connect to the Server service by using null nessions. To do this, use one of the following methods.

Method A: Modify the registry on the client computer

  1. On the client computer, start Registry Editor.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver

  3. Click parameters, and then double-click NullSessionPipes.
  4. In the Edit Multi-String dialog box, add the SrvSvc entry by typing SrvSvc on a new line.
  5. Click OK, and then exit Registry Editor.

Method B: Modify the local security policy

  1. On the client computer, click Start, click Run, type secpol.msc, and then click OK.
  2. In the Local Security Settings window, expand Local Policies, and then click Security Options.
  3. In the results pane, double-click Network Access: Shares that can be accessed anonymously.
  4. In the Local Policies Settings dialog box, add the SrvSvc entry to the list by typing SrvSvc on a new line.
  5. Click OK, and then close the Local Security Settings window.
  6. Click Start, click Run, type gpupdate.exe, and then click OK.

    Note When you remove the SrvSvc entry from the policy, you do not remove the registry entry if it has been added.
Notes
  • Method 3 does not work if the RestrictAnonymous registry entry is enabled on the client computer or if the RestrictAnonymous policy has been implemented.
  • You do not have to restart the client computer to apply these changes. These changes will be applied as long as the registry change or the local security policy is applied.

MORE INFORMATION

If the RestrictAnonymous parameter is enabled in the registry or in Group Policy, you may experience the behavior that is discussed in the "Symptoms" section when you try to connect to the following computers:
  • Microsoft Windows NT 4.0-based servers and workstations
  • Microsoft Windows 2000-based servers and workstations
  • Microsoft Windows Server 2003-based servers
  • Windows XP-based workstations
Unless you modify the RestrictAnonymous registry entry or the RestrictAnonymous policy, you cannot connect to the client by using the Remote.exe tool together with the /SMS:NoSQL switch.
Modification Type:MajorLast Reviewed:7/24/2006
Keywords:kbprb KB922357 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.