Alternate Administrator Accounts are not Working with Windows 2008 and Later

Problem

When attempting to connect to a target system that is Windows Vista/2008 or newer from a host system that is Windows Vista/2008 or newer, and using alt-admins to connect or manage services, you may receive an error such as Connect failed, error 10001 - No admin access (anonymous only) achieved or admin access denied. Worse yet, this is not a standard Windows networking error. The problem does not exist when connecting to Windows 2003 and earlier systems or when the product is hosted on a 2003 system.

This affects all calls to the Service Control Manager (SCM), which is used to manage services and can affect basic connections.

Cause

The issue stems from changes to the Microsoft networking and communications stack that were introduced in Windows Vista/2008 and are outlined in this MS article: Services and RPC/TCP. Microsoft defaults to using RPC/TCP rather than RPC/NP (RPC over named pipes). The difference is that RPC/TCP does not inherit connection credentials, while RPC/NP does. Hence alternate administrators will not work from a Windows Vista/2008 or later host to a Windows Vista/2008 or later target unless the product host is forced to use RPC/NP.

Resolution

RPC/TCP is controlled by the SCMApiConnectionParam, DisableRPCOverTCP, and DisableRemoteScmEndpoints registry values, which are all under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key. All of these values have a REG_DWORD data type. The following procedures show how to use these registry values to control RPC/TCP.

Create a new DWORD value named SCMApiConnectionParam under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control. Set its base to hexadecimal and enter 80000000 as the value data.

Restart the application.
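
The steps above as a PowerShell script, added here as an example and not part of the original article: it reports the three registry values the article names, writes SCMApiConnectionParam, and verifies the result by reading it back. The function names are hypothetical, and the script assumes an elevated prompt on the host where the change is being made.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$ControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$ValueNames = 'SCMApiConnectionParam', 'DisableRPCOverTCP', 'DisableRemoteScmEndpoints'

function Get-ScmRpcSetting {
    # Report each of the three REG_DWORD values as hex, or "(not set)" if absent.
    foreach ($name in $ValueNames) {
        $raw = (Get-ItemProperty -Path $ControlKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -eq $raw) { '(not set)' } else { '0x{0:X8}' -f $raw }
        }
    }
}

function Set-ScmApiConnectionParam {
    # Record the previous state so the change can be documented and reverted.
    $before = (Get-ScmRpcSetting | Where-Object Name -eq 'SCMApiConnectionParam').Value

    # reg.exe takes the DWORD as unsigned hex text, which avoids PowerShell
    # treating 0x80000000 as a negative 32-bit integer.
    & reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Control' /v SCMApiConnectionParam /t REG_DWORD /d '0x80000000' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }

    # Read the value back and confirm it matches what the article specifies.
    $after = (Get-ScmRpcSetting | Where-Object Name -eq 'SCMApiConnectionParam').Value
    if ($after -ne '0x80000000') {
        throw "Verification failed: SCMApiConnectionParam reads back as $after"
    }
    [pscustomobject]@{ Name = 'SCMApiConnectionParam'; Before = $before; After = $after }
}

Get-ScmRpcSetting | Format-Table -AutoSize   # audit the current state first
Set-ScmApiConnectionParam                    # apply the value from the article
# Restart the application afterwards, as the article instructs.
```

The Before column records whether the value was absent or held other data, which is what a change record or rollback needs.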