net user /domain <username> - System error 5 has occurred. Access is denied.

Yaroslav Kraus 1 Reputation point
2021-07-16T06:35:21.757+00:00

Hello!
I have the problem that I am getting a "System error 5 has occurred. Access is denied." error when I try to run the command "net user /domain <username>" with a regular domain user account (not a domain administrator or local administrator).
We need to run this command not as an administrator, using a script, to load a certain workload for our non-admin users.
On other server systems with exactly the same policy and the same domain settings I was able to run this command as a non-admin user.
I even exported the policies from the project that does not get the error and imported them, but unfortunately without success...

Internet research says that the GP setting "Network access: Restrict clients allowed to make remote calls to SAM" may be the solution.
I've added the group that should be able to make a net user request, updated the policy on the server, and the group showed up as "allowed". Unfortunately this solution also did not work for me, and I still had exactly the same error: "System error 5 has occurred. Access is denied.".

The only difference that the project with this problem has to the project that works is the Windows Version.
The project that works has: Windows W2019 1809 / 17763.1935
The project with a problem: Windows 2019 1809 / 17763.1790

Could you please help me find a solution for this problem, so that I can bring the project live?
Thank you!

BR

Windows Server 2019

3 answers

  1. Daisy Zhou 24,666 Reputation points Microsoft Vendor
    2021-07-19T01:26:57.303+00:00

    Hello @Yaroslav Kraus ,

    Thank you for posting here.

    Based on the description "I have the problem that I am getting an "System error 5 has occurred. Access is denied." when I am trying to run a command "net user /domain <username>" with a regular domain user account (not domain administrator or local administrator).", did you mean that you log on to a domain client or member server using a normal domain user account (such as daisy), run the command net user /domain daisy, and then get the error message "System error 5 has occurred. Access is denied"?

    If so, would you please check: if you log on to another domain machine using the daisy account and run the command net user /domain daisy, do you get the same error message?

    If so, would you please check: if you log on to this problematic domain machine using another domain user account (such as daisy1) and run the command net user /domain daisy1, do you get the same error message?

    From the above tests, we can check whether the issue is related to one domain machine or to one specific domain user account.

    Hope the information above is helpful to you.

    Should you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Daisy Zhou 24,666 Reputation points Microsoft Vendor
    2021-07-20T03:49:25.803+00:00

    Hello @Yaroslav Kraus ,

    Thank you for your reply.

    So when any non-admin account logs on to any domain-joined machine and runs the command, it has the same issue, right?

    If so, please test as below.

    Join a new machine to the domain (it will only apply the Default Domain Policy).

    Create a new normal domain user (it will only apply the Default Domain Policy).

    Log on to this new machine with an existing normal domain user and check if there is still the same issue.

    Log on to this new machine with the new normal domain user and check if there is still the same issue.

    Log on to an existing machine with the new normal domain user and check if there is still the same issue.

    Hope the information above is helpful to you.

    Should you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. Kraus, Yaroslav 1 Reputation point
    2021-08-16T12:53:25.57+00:00

    Hello all,
    I found a solution for this problem.
    The problem was located directly in the registry of the domain controllers.
    There are 2 ways to solve it.

    Solution 1: Create a policy which allows the specified groups or users to make a SAM request and link it to the whole domain at the top level, so that all computers and users of all OUs get it.

    Here is the instruction for this policy setting:

    Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM".

    Select "Edit Security" to configure the "Security descriptor:".

    Add the desired user or group in "Group or user names:".

    Select "Allow" for "Remote Access" under "Permissions for Administrators".

    Click "OK".

    Run gpupdate /force in CMD on all domain computers and restart them.

    Solution 2: Deleting existing policy or local registry settings for SAM request

    1. Find the policy that specifies the SAM request (if it already exists) and edit it (allow the desired group or user) or delete it completely.
    2. Open regedit.exe on all domain controllers at the same time and delete the registry key:

    Registry Hive: HKEY_LOCAL_MACHINE
    Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\

    Value Name: RestrictRemoteSAM

    Value Type: REG_SZ
    Value: O:BAG:BAD:(A;;RC;;;BA)

    3. Restart one of the domain controllers and check if the registry key is still there. In general it should be completely removed and should not reappear after the reboot.

    Info: This registry key restricts all normal users from making a "net user /domain <username>" request.

    4. Try the "net user /domain <username>" request as a normal user (run "gpupdate /force" and restart the computer running the request if needed).

    BR,
    Yaroslav Kraus

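The value that Solution 2 deletes is an SDDL security descriptor, and the policy in Solution 1 writes the same kind of string with one more ACE. The script below is an added example, not code from this thread or from Microsoft: it decodes such a descriptor, reports which principals hold the "Remote Access" right (spelled RC in SDDL), and builds the amended descriptor that Solution 1 would produce for an additional group. The group SID it uses is a constructed placeholder, and the alias table covers only a subset of the well-known SDDL aliases.

```python
"""Decode and amend the RestrictRemoteSAM security descriptor string.

Added example (not code from the thread). It parses the SDDL value that the
"Network access: Restrict clients allowed to make remote calls to SAM" policy
writes to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RestrictRemoteSAM and
reports who is granted "Remote Access", which SDDL spells as RC (READ_CONTROL).
"""
import re

# Subset of well-known SDDL aliases (absolute SIDs only). Domain-relative
# aliases such as DA/DU are passed through unchanged: they need the domain SID.
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators, the only principal in the default value
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "SY": "S-1-5-18",      # LOCAL SYSTEM
}
REMOTE_ACCESS = 0x20000  # READ_CONTROL, shown as "Remote Access" in the policy editor
RIGHT_CODES = {"RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
               "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}

# The value quoted in the answer above (the policy's default descriptor).
DEFAULT_SDDL = "O:BAG:BAD:(A;;RC;;;BA)"
# Constructed placeholder SID for the "wished" group; not a real domain SID.
EXAMPLE_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# ACE string: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)")


def resolve_sid(token):
    """Expand a two-letter alias to its SID; pass literal SIDs through."""
    return SID_ALIASES.get(token, token)


def parse_rights(text):
    """Turn an SDDL rights field ("RC", "RCWD", "0x20000") into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHT_CODES:
            raise ValueError(f"unsupported right {code!r}")
        mask |= RIGHT_CODES[code]
    return mask


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and a list of (type, mask, sid) DACL entries."""
    # Components start with O:, G:, D: or S:; SIDs and rights never contain ':'.
    parts = [p for p in re.split(r"(?=[OGDS]:)", sddl) if p]
    fields = {p[0]: p[2:] for p in parts}
    aces = [(ace_type, parse_rights(rights), resolve_sid(sid))
            for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(fields.get("D", ""))]
    return {"owner": resolve_sid(fields.get("O", "")),
            "group": resolve_sid(fields.get("G", "")),
            "dacl": aces}


def remote_sam_allowed(sddl, sid):
    """True if `sid` is granted Remote Access and not explicitly denied it."""
    sid = resolve_sid(sid)
    aces = parse_sddl(sddl)["dacl"]
    denied = any(t == "D" and m & REMOTE_ACCESS and s == sid for t, m, s in aces)
    allowed = any(t == "A" and m & REMOTE_ACCESS and s == sid for t, m, s in aces)
    return allowed and not denied


def principals_with_remote_access(sddl):
    """Sorted list of SIDs that end up with Remote Access under this descriptor."""
    sids = {s for _t, _m, s in parse_sddl(sddl)["dacl"]}
    return sorted(s for s in sids if remote_sam_allowed(sddl, s))


def grant_remote_access(sddl, sid):
    """Return a new SDDL string that additionally allows Remote Access to `sid`."""
    if remote_sam_allowed(sddl, sid):
        return sddl
    new_ace = f"(A;;RC;;;{sid})"
    parts = [p for p in re.split(r"(?=[OGDS]:)", sddl) if p]
    if not any(p.startswith("D:") for p in parts):
        parts.append("D:")
    return "".join(p + new_ace if p.startswith("D:") else p for p in parts)


if __name__ == "__main__":
    print("default allows:", principals_with_remote_access(DEFAULT_SDDL))
    amended = grant_remote_access(DEFAULT_SDDL, EXAMPLE_GROUP_SID)
    print("amended value :", amended)
    print("amended allows:", principals_with_remote_access(amended))
```

Comparing the decoded value across all domain controllers shows which one carries a restrictive descriptor without anyone having to delete the value blind; the amended string is what the Solution 1 policy ends up writing once the extra group is allowed "Remote Access".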
