Microsoft KB Archive/922357

= Error message when you try to connect to a Windows XP SP2-based computer by using the Remote.exe tool together with the /SMS:NoSQL switch: ''Security rights to run Remote Tools on this client have been denied&quot; =

Article ID: 922357

Article Last Modified on 2/8/2007

-

APPLIES TO


 * Microsoft Systems Management Server 2003

-





Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
You try to connect to a Microsoft Windows XP Service Pack 2 (SP2)-based computer that is running the Microsoft Systems Management Server (SMS) 2003 Advanced Client by using the Remote.exe tool together with the /SMS:NoSQL switch. After you do this, you may receive the following error message:

Remote Tools: Security rights to run Remote Tools on this client have been denied.

However, when you run the Remote.exe tool without using the /SMS:NoSQL switch, you can connect to the Windows XP SP 2-based computer successfully.

Note You may be able to use the Remote.exe tool together with the /SMS:NoSQL switch to connect to Windows XP SP2-based computer. In this case, you do not receive an error message.



CAUSE
When you use the Remote.exe tool together with the /SMS:NoSQL switch, the system tries to connect to the IPC$ share of the client computer by using a NULL session. The Remote.exe tool then tries to connect to the Server service by using a named pipe to issue the NetServerGetInfo function call. The advanced security features in Windows XP SP2 do not let you connect to the Server service named pipe from a NULL session.



WORKAROUND
To work around this issue, use one of the following methods.

Method 1
If you know the site code name or the database server name, use the Remote.exe command without the /SMS:NoSQL switch. You will be prompted to manually enter the site code or the database server name.

Method 2
If you must use the /SMS:NoSQL switch, create an authenticated session to the client computer before you run the Remote.exe tool.

To create an authenticated session, type net use \\ \IPC$ at a command prompt, and then press ENTER. This command generates a connection to the client computer by using the logged-on user's credentials.

Note You can use another set of credentials in this command. The Remote.exe tool will use the authenticated session to connect to the named pipe. You can also map a drive to a network share before you start the Remote.exe tool. Or, you can locate a shared resource on the client computer before you run the Remote.exe tool. These approaches generate the same outcome as when you connect to the IPC$ share on the SMS Advanced Client.

Method 3
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Enable named pipes that connect to the Server service by using null nessions. To do this, use one of the following methods.

Method A: Modify the registry on the client computer
 On the client computer, start Registry Editor. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver

 Click parameters, and then double-click NullSessionPipes. In the Edit Multi-String dialog box, add the SrvSvc entry by typing SrvSvc on a new line. Click OK, and then exit Registry Editor.</ol>

Method B: Modify the local security policy

 * 1) On the client computer, click Start, click Run, type secpol.msc, and then click OK.
 * 2) In the Local Security Settings window, expand Local Policies, and then click Security Options.
 * 3) In the results pane, double-click Network Access: Shares that can be accessed anonymously.
 * 4) In the Local Policies Settings dialog box, add the SrvSvc entry to the list by typing SrvSvc on a new line.
 * 5) Click OK, and then close the Local Security Settings window.
 * 6) Click Start, click Run, type gpupdate.exe, and then click OK.

Note When you remove the SrvSvc entry from the policy, you do not remove the registry entry if it has been added.

Notes
 * Method 3 does not work if the RestrictAnonymous registry entry is enabled on the client computer or if the RestrictAnonymous policy has been implemented.
 * You do not have to restart the client computer to apply these changes. These changes will be applied as long as the registry change or the local security policy is applied.

<div class="moreinformation_section">

MORE INFORMATION
If the RestrictAnonymous parameter is enabled in the registry or in Group Policy, you may experience the behavior that is discussed in the &quot;Symptoms&quot; section when you try to connect to the following computers:
 * Microsoft Windows NT 4.0-based servers and workstations
 * Microsoft Windows 2000-based servers and workstations
 * Microsoft Windows Server 2003-based servers
 * Windows XP-based workstations

Unless you modify the RestrictAnonymous registry entry or the RestrictAnonymous policy, you cannot connect to the client by using the Remote.exe tool together with the /SMS:NoSQL switch.

Keywords: kbtshoot kbprb KB922357

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.