Access Denied (Standalone/DMZ)

Solving "Access Denied" error on Standalone or DMZ machines

Fix Access Denied on Standalone or DMZ Machines

When monitoring standalone systems or machines in a DMZ, you may encounter an Access Denied error in PIM+ when trying to retrieve system data remotely via WMI or other protocols.
This is often caused by the Windows security setting: LocalAccountTokenFilterPolicy.


What is LocalAccountTokenFilterPolicy?

By default, Windows limits the rights of local administrator accounts when accessed remotely on non-domain (workgroup) systems.
This behavior is controlled by the following registry key:

Registry Key Information

Setting              Value
Path                 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name                 LocalAccountTokenFilterPolicy
Type                 REG_DWORD
Value (recommended)  1

If this key is missing or set to 0, local admin accounts will receive a filtered access token when accessed remotely, which removes admin privileges. This causes:

  • Access Denied errors
  • WMI connection failures
  • Inability to retrieve performance counters or event logs remotely

How to Fix It

To allow full remote access for local admin accounts, set LocalAccountTokenFilterPolicy to 1.

Option 1: Registry Editor

  1. Open regedit.exe
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Right-click → New → DWORD (32-bit) Value
  4. Name it: LocalAccountTokenFilterPolicy
  5. Set the value to 1
  6. Reboot the system or restart related services

Option 2: Command Line

  1. Open cmd.exe as Administrator
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Option 3: PowerShell

  1. Open powershell.exe as Administrator
  2. Run the following command:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord

What does this change do?

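Setting LocalAccountTokenFilterPolicy to 1 turns off UAC remote restrictions for local accounts: members of the local Administrators group receive a full administrative token when they connect remotely, instead of the filtered one. The change is machine-wide and applies to every local administrator account, not only the one PIM+ uses.
This setting likely resolves the "Access Denied" error in PIM+, as the account is no longer restricted by UAC’s filtered access token.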
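
An added example, not part of the PIM+ documentation: a PowerShell check that reports the current value, whether the machine is domain-joined, and which enabled local Administrators accounts get a full token remotely once the value is 1, plus a setter that supports -WhatIf. The function names Get-TokenFilterPolicyState and Set-TokenFilterPolicy are hypothetical, and Windows PowerShell 5.1 or later is assumed for Get-LocalGroupMember.

```powershell
# Added example, not PIM+ code. Function names are hypothetical.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {
    # A missing value behaves like 0: remote logons by local admins are filtered.
    $value = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName `
              -ErrorAction SilentlyContinue).$PolicyName
    if ($null -eq $value) { $value = 0 }

    # Enabled local users in the built-in Administrators group. The well-known
    # SID S-1-5-32-544 is used so the lookup also works on localized Windows.
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object Enabled)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DomainJoined        = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        PolicyValue         = $value
        RemoteTokenFiltered = ($value -ne 1)
        # Accounts that hold full admin rights over the network when PolicyValue is 1
        LocalAdminAccounts  = @($admins | ForEach-Object Name)
    }
}

function Set-TokenFilterPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-TokenFilterPolicyState
    # Write only when the value is not already 1, and honour -WhatIf / -Confirm.
    if ($state.RemoteTokenFiltered -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $PolicyName to 1")) {
        Set-ItemProperty -Path $PolicyPath -Name $PolicyName -Value 1 -Type DWord
    }
    Get-TokenFilterPolicyState   # state after the change (unchanged on a dry run)
}

# Report only:
Get-TokenFilterPolicyState | Format-List
# Preview the change without writing to the registry:
Set-TokenFilterPolicy -WhatIf | Format-List
```

Review the LocalAdminAccounts list before applying the change; run Set-TokenFilterPolicy without -WhatIf from an elevated session to write the value.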