
Fixing “Access Denied” Errors When Launching Sessions via PSM in CyberArk PAM

One of the most common and frustrating issues CyberArk PAM administrators face is the dreaded “Access Denied” error when trying to launch a session through Privileged Session Manager (PSM). Whether you’re setting up a new platform or managing daily operations, this issue can stall progress and lead to hours of unnecessary troubleshooting.

In this post, we’ll explore why this happens, how to troubleshoot it, and what you can do to fix it quickly.

Table of Contents

  • What is PSM, and Why Does It Matter?
  • ❗ Common Root Causes
  • 🛠️ Step-by-Step Troubleshooting Guide
    • ✅ 1. Check Target Server RDP Permissions
    • ✅ 2. Review Group Policy Settings
    • ✅ 3. Test RDP Manually
    • ✅ 4. Review CyberArk Platform Configuration
    • ✅ 5. Analyze Logs
  • 🧹 Resolution Steps
  • 🧠 Pro Tips for Prevention

What is PSM, and Why Does It Matter?

Privileged Session Manager (PSM) is a CyberArk component that allows secure session initiation and monitoring to critical systems—without disclosing credentials to end users. It records sessions, enforces policies, and brokers secure connections to Windows, Linux, databases, and more.

But when something is off—permissions, policy, platform settings—you might see:

“Access Denied”

…with no further details. Let’s fix that.

❗ Common Root Causes

Here are the top reasons you may encounter an “Access Denied” error during PSM session initiation:

| Cause | Description |
|---|---|
| 🔐 Missing PSMConnect permissions | PSMConnect user not in “Remote Desktop Users” on target machine. |
| 🧱 GPO blocking login | Group Policy may restrict logon rights to RDP or locally. |
| 🛡️ PSM hardening too strict | Security settings may prevent launching sessions. |
| 🧩 Incorrect platform configuration | INI file may have wrong domain, username, or parameters. |
| 🚫 RDP not enabled | The target server doesn’t allow Remote Desktop connections. |

🛠️ Step-by-Step Troubleshooting Guide

Follow this checklist to diagnose and resolve the issue:

✅ 1. Check Target Server RDP Permissions

  • Log in to the target machine manually.

  • Open Computer Management → Local Users and Groups → Groups

  • Confirm PSMConnect is a member of Remote Desktop Users.

  • If using dual accounts (PSMAdmin), confirm it has local logon rights.

💡 Tip: Run whoami during a successful login test session for confirmation.

✅ 2. Review Group Policy Settings

Launch gpedit.msc on the target or use AD-based GPO.

  • Check: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment

    • Look at:

      • Allow log on through Remote Desktop Services

      • Deny log on through Remote Desktop Services

      • Allow log on locally and Deny log on locally

Make sure PSMConnect isn’t listed under Deny policies.

✅ 3. Test RDP Manually

From the PSM server, open a standard RDP session:

mstsc /v:<target-server>

Replace <target-server> with the target's hostname or IP address, then log in using the PSMConnect or PSMAdmin account. This test validates whether RDP works at all outside of CyberArk.

✅ 4. Review CyberArk Platform Configuration

In the CyberArk PVWA:

  • Go to Policies → Target Platform → Find your platform

  • Open the INI file (PSM-RDP.ini or custom)

    • Check LogonDomain, Username, RemoteMachine

    • Ensure it matches the AD and target settings

  • Also validate the Connection Component assigned

✅ 5. Analyze Logs

CyberArk logs are a goldmine:

📂 On the PSM Server:

  • C:\Program Files (x86)\CyberArk\PSM\Logs\psmAppLauncher.log

  • psmConsole.log

Look for keywords like:

  • Access is denied

  • Failed to launch session

  • Logon failure

📂 On the target machine:

  • Event Viewer → Windows Logs → Security

  • Filter for failed logon attempts (Event ID: 4625)
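
The two log checks above can be scripted. The following PowerShell is an added example, not part of the original post or of CyberArk's tooling; it assumes the log folder shown above and the account name PSMConnect, and the 4625 query must run elevated on the target machine.

```powershell
# Added example (not CyberArk tooling). Assumed defaults: log folder and account from this post.
param(
    [string]$PsmLogDir = 'C:\Program Files (x86)\CyberArk\PSM\Logs',
    [string]$Account   = 'PSMConnect',
    [int]$Hours        = 4
)

# 1. On the PSM server: search the PSM logs for the keywords listed above.
$keywords = 'Access is denied', 'Failed to launch session', 'Logon failure'
if (Test-Path $PsmLogDir) {
    Get-ChildItem -Path $PsmLogDir -Filter '*.log' |
        Select-String -Pattern $keywords -SimpleMatch |
        Select-Object -Last 20 -Property Filename, LineNumber, Line
}

# 2. On the target (elevated): failed logons for the account, with the reason decoded.
$reasons = @{
    '0xc000015b' = 'Logon type not granted on this machine (user rights / group membership)'
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the event's named EventData fields into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $Account) { return }   # skip other accounts

    # SubStatus carries the detail when set; otherwise fall back to Status.
    $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network (seen with NLA)
        Source    = $d['IpAddress']
        Reason    = if ($reasons.ContainsKey("$code")) { $reasons["$code"] } else { $code }
    }
}
```

A reason of "Logon type not granted" points back to steps 1 and 2 (group membership and user rights), while a password or lockout reason points to the account itself rather than to RDP permissions.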

🧹 Resolution Steps

Based on your findings, apply the appropriate fix:

| Issue | Fix |
|---|---|
| Missing group membership | Add PSMConnect to Remote Desktop Users |
| GPO restrictions | Adjust via AD or local Group Policy |
| INI config incorrect | Update platform file in PVWA |
| RDP not enabled | System Properties → Remote → Enable Remote Desktop |
| Account has logon denied | Remove from Deny policies or add to Allow list |

🧠 Pro Tips for Prevention

  1. Health Check Script: Create a PowerShell script that verifies RDP access and local group membership before onboarding a new server.

  2. Platform Testing: Maintain a non-production test platform where you validate config changes first.

  3. Audit Logs Frequently: Set up alerts for session failures in SIEM or from Vault logs.

  4. Document Fixes: Keep a logbook or SharePoint page with error/fix mappings for your team.
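
One possible shape for the health check script from tip 1, as an added example rather than code from the original post or from CyberArk. It assumes the account name PSMConnect, runs elevated on the target server, and only detects direct group membership and direct entries in the user rights lists (nested groups are not expanded).

```powershell
# Added example (not CyberArk tooling). Run elevated on the target server.
param([string]$Account = 'PSMConnect')   # assumption: account name used in this post

function Get-RightHolders([string]$Right, [string]$CfgText) {
    # Returns the entries (names or *SIDs) assigned to one user right in a secedit export.
    if ($CfgText -match "(?m)^$Right\s*=\s*(.*)$") { $Matches[1].Trim() -split ',' } else { @() }
}

# Resolve the account to a SID so comparisons do not depend on name formatting.
try {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch { $sid = $null }   # account could not be resolved on this machine

# 1. RDP enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# 2. Direct membership in Remote Desktop Users (well-known SID S-1-5-32-555).
$members = Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue
$inGroup = [bool]($sid -and ($members.SID.Value -contains $sid))

# 3. Effective user rights, exported with secedit (SIDs appear as *S-1-...).
$cfg = Join-Path $env:TEMP 'psm-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$text = Get-Content $cfg -Raw
Remove-Item $cfg

$allowList = Get-RightHolders 'SeRemoteInteractiveLogonRight' $text
$denyList  = Get-RightHolders 'SeDenyRemoteInteractiveLogonRight' $text
$allowed = [bool](($inGroup -and ($allowList -contains '*S-1-5-32-555')) -or
                  ($sid -and ($allowList -contains "*$sid")))
$denied  = [bool]($sid -and ($denyList -contains "*$sid"))

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    AccountResolved      = [bool]$sid
    RdpEnabled           = $rdpEnabled
    InRemoteDesktopUsers = $inGroup
    AllowRdpLogonRight   = $allowed
    DenyRdpLogonRight    = $denied
    Ready                = $rdpEnabled -and $allowed -and -not $denied
}
```

This covers the local settings only; running Test-NetConnection with -Port 3389 against the target from the PSM server checks the network path as well.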

By cybersecuritylearning, 2025-04-30T01:28:14+00:00
