Windows – Why does Windows Server 2012 R2 recognize a local administrator over the network for some purposes but not others

Tags: security, windows, windows-7, windows-server-2012-r2, workgroup

I have researched this at length, but cannot find a solution to the specific issue I'm getting. Evidently there are a number of similar issues that regularly cause problems for people trying to connect or issue remote commands to a Windows server, but none of the solutions I've found help in this case.

Scenario (no domain involved):

  • UserA has a workgroup account on WorkstationA (Win7 Ultimate).
  • UserA has a workgroup account on ServerA (2012 R2).
  • UserA is in the Administrators group on both machines.

With this setup, UserA is able to remote desktop to the server and carry out administrative tasks.

But if UserA tries to shut down ServerA from a WorkstationA command prompt, even from an administrator command prompt, access is denied:

shutdown /m \\ServerA /t 0 /s
ServerA: Access is denied.(5)

Similarly, direct access is denied to the server's filesystem using Windows Explorer, which triggers a username/password dialog.

And here's the thing:

  • All this used to work, on Server 2008 and 2008R2
  • If UserA logs on to WorkstationA as the user called Administrator (instead of the UserA account which is in the Administrators group on both machines), it all works.

Best Answer

I've found the cause, and it's none other than our dear friend UAC.

I stumbled on this by experimentation, after recalling that (depending on settings) UAC will prompt members of the Administrators group for privilege elevation, while the built-in Administrator gets automatic elevation without prompting. This led me to wonder if it was an issue with prompting a remote user.

I found that with UAC disabled, everything started to work as expected.

Unfortunately, there does not appear to be any setting that allows these things to work with UAC enabled. I tried all the UAC-related policy settings (such as "elevate administrators without prompting") in case they might solve my issue as a side-effect, but found no joy there.

I've just booted up a 2008R2 server to double-check what I said in the question about earlier versions, and it is indeed the case that with UAC enabled, it allows the access in question from the same UserA on WorkstationA.

So it seems this behaviour has changed in 2012 or as a result of an update.

So I have an answer, but no solution yet. I do not intend to mark this answer as accepted.
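The behaviour described in the question and answer (a member of the local Administrators group is accepted over RDP but refused for remote shutdown and the ADMIN$/C$ shares, while the built-in Administrator is not) is what Microsoft calls UAC remote restrictions: on a non-domain machine, a local account other than the built-in Administrator (RID 500) that authenticates over the network receives a filtered, non-elevated token, and there is no remote prompt to elevate it. The following PowerShell is an added example, not code from the original thread or from either poster, for checking and changing the registry value Microsoft documents for that behaviour. It assumes the thread's machine names (ServerA, WorkstationA) and that the registry path and value name are the documented ones (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy); run the server-side parts in an elevated prompt on ServerA.

```powershell
# Added example, not part of the original thread.
# Inspects and optionally changes the UAC "remote restrictions" setting that filters the
# network token of local Administrators-group members (except the built-in Administrator,
# RID 500) on a workgroup machine. Assumes the documented registry location below.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-UacRemoteRestriction {
    # 1 = remote local admins get a full token; 0 or absent = token is filtered (default).
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $uacOn = (Get-ItemProperty -Path $PolicyKey -Name 'EnableLUA').EnableLUA
    [pscustomobject]@{
        EnableLUA                     = $uacOn
        LocalAccountTokenFilterPolicy = $(if ($null -eq $value) { 'absent (treated as 0)' } else { $value })
        # Filtering only happens while UAC itself is on, which is why disabling UAC "fixed" it.
        RemoteAdminsFiltered          = ($uacOn -eq 1) -and ($value -ne 1)
    }
}

function Test-BuiltinAdministrator {
    # The built-in Administrator account (SID ending in -500) is exempt from the filtering,
    # which matches the observation that logging on as "Administrator" made everything work.
    param([string]$AccountName = $env:USERNAME)
    $account = New-Object System.Security.Principal.NTAccount($AccountName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return $sid.EndsWith('-500')
}

function Set-UacRemoteRestriction {
    # -Disable writes 1 so local Administrators members get an unfiltered token over the
    # network; -Enable removes the override and restores the default filtering.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable, [switch]$Enable)
    if ($Disable) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set DWORD to 1')) {
            New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    } elseif ($Enable) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Remove value')) {
            Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
    Get-UacRemoteRestriction
}

function Test-RemoteAdminAccess {
    # Run from WorkstationA as UserA to reproduce the symptom: the ADMIN$ share (which
    # remote shutdown and Explorer access to C$ also depend on) needs a full admin token.
    param([Parameter(Mandatory)][string]$ComputerName)
    $ok = Test-Path -Path "\\$ComputerName\ADMIN$" -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $ComputerName; AdminShareAccessible = [bool]$ok }
}

# On ServerA (elevated):
Get-UacRemoteRestriction
Test-BuiltinAdministrator                   # False for UserA, True for Administrator
# Set-UacRemoteRestriction -Disable -WhatIf  # drop -WhatIf to apply; takes effect immediately
# On WorkstationA, as UserA:
# Test-RemoteAdminAccess -ComputerName ServerA
```

Two caveats before using `-Disable`. It only affects local accounts on workgroup or standalone machines; domain accounts in the local Administrators group are never filtered this way, and the built-in Administrator is governed by the separate FilterAdministratorToken setting. And it widens the attack surface in exactly the way the filtering was meant to narrow it: with the value set to 1, anyone holding the password or NTLM hash of a local administrator account can perform administrative actions over the network, so if several machines share the same local admin credentials, one compromised host becomes lateral movement to all of them. Setting it on a single server for a specific named account is a far smaller change than turning UAC off entirely, which is what the answer above resorted to.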