Error on the powershell script Error*** OpenPolicy -1073610729

Posted on 2016-11-17
Last Modified: 2016-12-01
I have PowerShell remoting enabled and am able to run other scripts on the remote servers, but I am getting this error when trying to execute the attached script. Please advise.

Running PowerShell in admin mode with domain admin creds. All computers are on the same domain and that account has local rights. Thank you.

Error I am getting:
UserRight    : System.Management.Automation.RuntimeException:  Granting SeServiceLogonRight to testtarget\username on \\servername 02OpenPolicy:   ***Error*** OpenPolicy -1073610729

Worked only on the local computer:
ComputerName : Localserver01
ServiceName  : QProcessor
UserRight    : OK
GetService   : OK
Change       : OK
Stop         : OK
Start        : OK

ComputerName : RemoteServer02
ServiceName  : QProcessor
UserRight    : System.Management.Automation.RuntimeException:  Granting SeServiceLogonRight to testtarget\username on \\Remote SErver02OpenPolicy:   ***Error*** OpenPolicy -1073610729
GetService   :
Change       :
Stop         :
Start        :
Question by:creative555

Expert Comment

by:Kevin Stanush
ID: 41892459
That error means "RPC is unavailable". Unfortunately, this is one of those 'unhelpful' errors in Windows. You can get this error if the computer is OFF or not on the network, or if something on the computer is blocking the remote request, making the computer essentially the same as not being on the network. These things can include a firewall or some other blocking mechanism. Also check your name resolution for your computer address, i.e. make sure you can ping the address.
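
An added example (not part of the original thread) of the checks suggested above: it renders the signed status -1073610729 as the NTSTATUS value 0xC0020017 (RPC_NT_SERVER_UNAVAILABLE) and tests name resolution plus TCP reachability of the RPC endpoint mapper, SMB and WinRM ports. The target name `RemoteServer02` is the placeholder from the question, the function names are hypothetical, and the port numbers assume an unmodified Windows configuration.

```powershell
# Added example: triage for a remote LSA call failing with -1073610729.
# $Target is a placeholder; replace it with the server being tested.
param([string]$Target = 'RemoteServer02')

function ConvertTo-NtStatusHex {
    param([int]$Status)
    # 'X8' formats a negative Int32 as its two's-complement bit pattern,
    # which is the form NTSTATUS values are documented in.
    '0x{0:X8}' -f $Status
}

function Test-RemotePath {
    param([string]$ComputerName)
    $result = [ordered]@{ ComputerName = $ComputerName }

    # Name resolution: a stale or missing DNS record gives the same symptom
    # as a host that is switched off.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName)
        $result.Resolved = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        $result.Resolved = "FAILED: $($_.Exception.Message)"
    }

    # Default ports (assumed): RPC endpoint mapper, SMB (carries RPC over
    # named pipes) and WinRM over HTTP, which PowerShell remoting uses.
    $ports = [ordered]@{ 'RPC-EPM' = 135; 'SMB' = 445; 'WinRM' = 5985 }
    foreach ($name in $ports.Keys) {
        $result["$name/$($ports[$name])"] = Test-NetConnection -ComputerName $ComputerName `
            -Port $ports[$name] -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]$result
}

ConvertTo-NtStatusHex -Status (-1073610729)
Test-RemotePath -ComputerName $Target
```

A host where the WinRM port answers but the RPC and SMB ports do not would match the symptom in the question: remoting works while a direct remote LSA call is blocked.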

Accepted Solution

creative555 earned 0 total points
ID: 41893685
I just tried this command: invoke-command -computername serverpor02 {get-service *bits*}
and received access denied.

My account is domain admin and is in the local admin group. Why is it getting access denied?

 Connecting to remote server serverpor02 failed with the following error message : Access is denied. For more information,
see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (azdcstpor02:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

Assisted Solution

creative555 earned 0 total points
ID: 41902725
Someone helped me to fix this script. If someone can explain why it works now with this modification and did not before, that would be great!
No more errors.

#Use the following from the command line
#$ComputerList = Get-Content C:\cfscripts\Servers.txt
#Import-Csv .\Services.csv | % {.\Set-ServiceLogon.ps1 -ServiceName $_.ServiceName -ServiceAccount $_.ServiceAccount -ServicePassword $_.ServicePassword -ComputerList $ComputerList}

Param(
       [string]$ServiceName,
       [string]$ServiceAccount,
       [string]$ServicePassword,
       [string[]]$ComputerList = @($ENV:ComputerName),
       $TimeoutStop = 120,        # Seconds
       $TimeoutStart = 120        # Seconds
)
# Everything in this script block runs on the target computer via Invoke-Command
$ScriptBlock = {
Param($ComputerName, $ServiceName, $ServiceAccount, $ServicePassword, $TimeoutStop, $TimeoutStart)
$SetUserRight = $True
# C# P/Invoke wrapper around the LSA policy API in advapi32.dll
$LSAWrapper = @'
using System;
namespace MyLsaWrapper
{
    using System.ComponentModel;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Principal;
    using LSA_HANDLE = IntPtr;

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        internal int Length;
        internal IntPtr RootDirectory;
        internal IntPtr ObjectName;
        internal int Attributes;
        internal IntPtr SecurityDescriptor;
        internal IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct LSA_UNICODE_STRING
    {
        internal ushort Length;
        internal ushort MaximumLength;
        [MarshalAs(UnmanagedType.LPWStr)]
        internal string Buffer;
    }

    sealed class Win32Sec
    {
        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaOpenPolicy(
           LSA_UNICODE_STRING[] SystemName,
           ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
           int AccessMask,
           out IntPtr PolicyHandle
        );

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurityAttribute]
        internal static extern uint LsaAddAccountRights(
           LSA_HANDLE PolicyHandle,
           IntPtr pSID,
           LSA_UNICODE_STRING[] UserRights,
           int CountOfRights
        );

        [DllImport("advapi32")]
        internal static extern int LsaNtStatusToWinError(int NTSTATUS);

        [DllImport("advapi32")]
        internal static extern int LsaClose(IntPtr PolicyHandle);
    }

    // Resolves an account name to a SID and keeps an unmanaged copy for the LSA call
    sealed class Sid : IDisposable
    {
        public IntPtr pSid = IntPtr.Zero;
        public SecurityIdentifier sid = null;

        public Sid(string account)
        {
            sid = (SecurityIdentifier)(new NTAccount(account)).Translate(typeof(SecurityIdentifier));
            Byte[] buffer = new Byte[sid.BinaryLength];
            sid.GetBinaryForm(buffer, 0);

            pSid = Marshal.AllocHGlobal(sid.BinaryLength);
            Marshal.Copy(buffer, 0, pSid, sid.BinaryLength);
        }

        public void Dispose()
        {
            if (pSid != IntPtr.Zero)
            {
                Marshal.FreeHGlobal(pSid);
                pSid = IntPtr.Zero;
            }
            GC.SuppressFinalize(this);
        }

        ~Sid()
        {
            Dispose();
        }
    }

    public sealed class LsaWrapper : IDisposable
    {
        enum Access : int
        {
            POLICY_READ = 0x20006,
            POLICY_ALL_ACCESS = 0x00F0FFF,
            POLICY_EXECUTE = 0X20801,
            POLICY_WRITE = 0X207F8
        }
        const uint STATUS_ACCESS_DENIED = 0xc0000022;
        const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a;
        const uint STATUS_NO_MEMORY = 0xc0000017;

        IntPtr lsaHandle;

        public LsaWrapper()
            : this(null)
        { }
        // local system if systemName is null
        public LsaWrapper(string systemName)
        {
            LSA_OBJECT_ATTRIBUTES lsaAttr;
            lsaAttr.RootDirectory = IntPtr.Zero;
            lsaAttr.ObjectName = IntPtr.Zero;
            lsaAttr.Attributes = 0;
            lsaAttr.SecurityDescriptor = IntPtr.Zero;
            lsaAttr.SecurityQualityOfService = IntPtr.Zero;
            lsaAttr.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
            lsaHandle = IntPtr.Zero;
            LSA_UNICODE_STRING[] system = null;
            if (systemName != null)
            {
                system = new LSA_UNICODE_STRING[1];
                system[0] = InitLsaString(systemName);
            }

            uint ret = Win32Sec.LsaOpenPolicy(system, ref lsaAttr,
            (int)Access.POLICY_ALL_ACCESS, out lsaHandle);
            if (ret == 0)
                return;
            if (ret == STATUS_ACCESS_DENIED)
                throw new UnauthorizedAccessException();
            if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY))
                throw new OutOfMemoryException();
            throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
        }

        public void AddPrivileges(string account, string privilege)
        {
            uint ret = 0;
            using (Sid sid = new Sid(account))
            {
                LSA_UNICODE_STRING[] privileges = new LSA_UNICODE_STRING[1];
                privileges[0] = InitLsaString(privilege);
                ret = Win32Sec.LsaAddAccountRights(lsaHandle, sid.pSid, privileges, 1);
            }
            if (ret == 0)
                return;
            if (ret == STATUS_ACCESS_DENIED)
                throw new UnauthorizedAccessException();
            if ((ret == STATUS_INSUFFICIENT_RESOURCES) || (ret == STATUS_NO_MEMORY))
                throw new OutOfMemoryException();
            throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)ret));
        }

        public void Dispose()
        {
            if (lsaHandle != IntPtr.Zero)
            {
                Win32Sec.LsaClose(lsaHandle);
                lsaHandle = IntPtr.Zero;
            }
            GC.SuppressFinalize(this);
        }

        ~LsaWrapper()
        {
            Dispose();
        }

        // helper functions

        static LSA_UNICODE_STRING InitLsaString(string s)
        {
            // Unicode strings max. 32KB
            if (s.Length > 0x7ffe)
                throw new ArgumentException("String too long");
            LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING();
            lus.Buffer = s;
            lus.Length = (ushort)(s.Length * sizeof(char));
            lus.MaximumLength = (ushort)(lus.Length + sizeof(char));
            return lus;
        }
    }
}
'@
$WmiReturnValueMap = @{    ## 'Change method of the Win32_Service class',
       [uint32]0 =         'The request was accepted.'
       [uint32]1 =         'The request is not supported.'
       [uint32]2 =         'The user did not have the necessary access.'
       [uint32]3 =         'The service cannot be stopped because other services that are running are dependent on it.'
       [uint32]4 =         'The requested control code is not valid, or it is unacceptable to the service.'
       [uint32]5 =         'The requested control code cannot be sent to the service because the state of the service (Win32_BaseService.State property) is equal to 0, 1, or 2.'
       [uint32]6 =         'The service has not been started.'
       [uint32]7 =         'The service did not respond to the start request in a timely fashion.'
       [uint32]8 =         'Unknown failure when starting the service.'
       [uint32]9 =         'The directory path to the service executable file was not found.'
       [uint32]10 = 'The service is already running.'
       [uint32]11 = 'The database to add a new service is locked.'
       [uint32]12 = 'A dependency this service relies on has been removed from the system.'
       [uint32]13 = 'The service failed to find the service needed from a dependent service.'
       [uint32]14 = 'The service has been disabled from the system.'
       [uint32]15 = 'The service does not have the correct authentication to run on the system.'
       [uint32]16 = 'This service is being removed from the system.'
       [uint32]17 = 'The service has no execution thread.'
       [uint32]18 = 'The service has circular dependencies when it starts.'
       [uint32]19 = 'A service is running under the same name.'
       [uint32]20 = 'The service name has invalid characters.'
       [uint32]21 = 'Invalid parameters have been passed to the service.'
       [uint32]22 = 'The account under which this service runs is either invalid or lacks the permissions to run the service.'
       [uint32]23 = 'The service exists in the database of services available from the system.'
       [uint32]24 = 'The service is currently paused in the system.'
}
    # One result object per computer; each step records 'OK' or the failure
    $Return = "" | Select-Object -Property 'ComputerName', 'ServiceName', 'UserRight', 'GetService', 'Change', 'Stop', 'Start'
    $Return.ComputerName = $ComputerName
    $Return.ServiceName = $ServiceName
    Try {
            $Step = 'UserRight'
            If ($SetUserRight) {
                try {
                    Add-Type -TypeDefinition $LSAWrapper -ErrorAction SilentlyContinue
                    # $ENV:ComputerName is evaluated on the target, so the LSA policy is opened locally there
                    $lsa = New-Object MyLsaWrapper.LsaWrapper($ENV:ComputerName)
                    $lsa.AddPrivileges($ServiceAccount, 'SeServiceLogonRight')
                    $Return.$Step = 'OK'
                } catch {
                    Throw $_
                }
            } Else {
                $Return.$Step = 'SKIPPED'
            }
            $Step = 'GetService'
            If (-not ($ServiceWmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($ServiceName)'" -ErrorAction Stop)) {
                Throw "Get-WmiObject -Class Win32_Service : Cannot find any service with service name '$($ServiceName)'."
            }
            $ServiceNet = Get-Service -Name $ServiceName -ErrorAction Stop
            $Return.$Step = 'OK'
            $Step = 'Change'
            # Only StartName and StartPassword (the last two arguments) are changed
            $ChangeResult = $ServiceWmi.Change($null, $null, $null, $null, $null, $null, $ServiceAccount, $ServicePassword)
            If ($ChangeResult.ReturnValue -eq 0) {
                $Return.$Step = 'OK'
                $Step = 'Stop'
                If ($ServiceNet.Status -eq 'Running') {
                    $ServiceNet.Stop()
                }
                $ServiceNet.WaitForStatus('Stopped', [Timespan]::FromSeconds($TimeoutStop))
                $Return.$Step = 'OK'
                $Step = 'Start'
                $ServiceNet.Start()
                $ServiceNet.WaitForStatus('Running', [Timespan]::FromSeconds($TimeoutStart))
                $Return.$Step = 'OK'
            } Else {
                $Return.$Step = "$($ChangeResult.ReturnValue): $($WmiReturnValueMap[$ChangeResult.ReturnValue])"
            }
    } Catch {
            $Return.$Step = $_.Exception
    } Finally {
            $Return
    }
}

$ProgressCount = 0
ForEach ($ComputerName In $ComputerList) {
       Write-Progress -Activity "[$($ProgressCount)/$($ComputerList.Count)] Changing service account for '$($ServiceName)' to '$($ServiceAccount)'" -Status $ComputerName -PercentComplete (100 * $ProgressCount / $ComputerList.Count)
       $ProgressCount += 1
       Invoke-Command -ComputerName $ComputerName -ScriptBlock $ScriptBlock -ArgumentList $ComputerName,$ServiceName,$ServiceAccount,$ServicePassword,$TimeoutStop,$TimeoutStart
}
Write-Progress -Activity "Done" -Completed



Author Comment

ID: 41902728

Author Closing Comment

ID: 41908429
Thank you so much for your help!

Question has a verified solution.