lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] Access Denied #159

Closed red-erik closed 2 years ago

red-erik commented 2 years ago

Access Denied

Hello, basic setup with a Single Forest with multiple domains. Service used is a gMSA with proper delegations on requested OU. Permission assigned correctly but in the log we receive "System.UnauthorizedAccessException: Access is denied.". Through web interface we receive "Unable to process request An error occurred while trying to access the local admin password". Any help or suggestion greatly appreciated. Regards, Red.

red-erik commented 2 years ago

Solved: to help others, the problem is that the gMSA account NEEDS write access to AdmPwdExpirationTime too, and not only read access to the pwd attributes. Analyzing your script it is clear, but I suggest you underline it in the instructions too.

https://github.com/lithnet/access-manager/wiki/Creating-a-service-account-for-the-Access-Manager-Service

Domain permissions

AMS does need specific rights depending on how you plan to use it. For example, if you are reading Microsoft LAPS passwords, then you'll need to ensure the appropriate read "AND WRITE" permissions are granted.

milanbla commented 1 month ago

Hi, in my case, it said something like 'the computer does not have a password', and in the log I had errors:

Unable to get password from provider 'Windows LAPS (encrypted) AD provider'
System.UnauthorizedAccessException: Access is denied.

This solution also helped me 👍
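Added example, not part of the original thread and not the Access Manager project's own script: a PowerShell audit of whether a service account holds, on an OU, both the read right on the legacy LAPS password attribute and the write right on the expiration-time attribute that the thread identifies as the missing piece. The OU and account names are placeholders, the full LDAP names `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime` are assumed for the attributes the post abbreviates, and only rights granted directly to the account (not through a group) are detected.

```powershell
# Added example; $OrgUnit and $Account are placeholders, not values from the thread.
Import-Module ActiveDirectory

$OrgUnit = 'OU=Workstations,DC=example,DC=com'   # placeholder OU holding the computers
$Account = 'EXAMPLE\svc-ams$'                    # placeholder gMSA (DOMAIN\name$)

# Legacy LAPS attribute names (assumed full LDAP names for the thread's abbreviations)
$PasswordAttr   = 'ms-Mcs-AdmPwd'
$ExpirationAttr = 'ms-Mcs-AdmPwdExpirationTime'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-AttributeGuid([string]$LdapName) {
    # Resolve the attribute's schemaIDGUID from this forest's schema
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapName' not found in the schema" }
    [guid]$attr.schemaIDGUID
}

function Test-AttributeRight($Aces, [guid]$AttrGuid,
                             [System.DirectoryServices.ActiveDirectoryRights]$Rights) {
    # True if any allow ACE carries all requested rights for this attribute
    # (or for all attributes, which AD stores as the empty GUID)
    $hit = $Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Rights) -and
        ($_.ObjectType -eq $AttrGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    [bool]$hit
}

# Allow ACEs on the OU granted directly to the account (group grants are not expanded)
$aces = @((Get-Acl -Path "AD:\$OrgUnit").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account
})

$result = [pscustomobject]@{
    Account         = $Account
    OrgUnit         = $OrgUnit
    # The password attribute is confidential, so reading it needs the extended right too
    ReadPassword    = Test-AttributeRight $aces (Get-AttributeGuid $PasswordAttr) 'ReadProperty, ExtendedRight'
    WriteExpiration = Test-AttributeRight $aces (Get-AttributeGuid $ExpirationAttr) 'WriteProperty'
}
$result

if (-not $result.WriteExpiration) {
    Write-Warning "No direct write ACE on $ExpirationAttr for $Account; this is the gap reported in this thread."
}
```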