Jump to content


Photo

Access is denied


  • Please log in to reply
7 replies to this topic

#1 SpongeWorthy

SpongeWorthy

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 24 January 2008 - 07:34 PM

Hi,

I am getting an 'Access is denied' error attempting to logon to all of the computers in my workgroup. Is TNI only supported in a domain environment? If not, how can I diagnose the specifics of the autentication failure? I have tried connecting to both WinXP and Vista computers. I am using 1.5.40 trial version.

Thank you,
Steve

#2 Zak

Zak

    Administrator

  • Root Admin
  • PipPipPip
  • 747 posts
  • Gender:Male

Posted 25 January 2008 - 03:05 AM

Hi Steve,
TNI works in both workgroup and domain environment. But the point is that you need to have administrator access to remote machines. Make sure that you specify username and password of the user that has administrator rights on those computers (local administrator or domain administrator). If the administrator has blank password, remote access will not be possible also.
But if the computers are not in domain: workstations which are running Windows XP and Vista and not connected to domain don't allow local administrator to authenticate as himself by default. Instead, "ForceGuest" policy is used, which means that all remote connections are mapped to Guest account. But again, administrator rights are required to make the scan. Please consult this document on this matter. You would need to update the policy as described in this document on each computer. It can be easily done by running "secpol.msc" and expanding Local policies - Security options - and locating the policy "Network access: Sharing and security model for local accounts" and changing it from "Guest" to "Classic".
This should be done for both Windows XP and Vista. But for Windows Vista there is one more step that should be taken - it concerns User Account Control (UAC). It restricts administrator rights for remote logons is some cases. You should either disable UAC, or make changes to the parameter in the registry as described in this short document.

P.S. I bet this should be added to our FAQ...
Softinventive Lab support

#3 mmatheny

mmatheny

    Advanced Member

  • Members
  • PipPipPip
  • 76 posts

Posted 25 January 2008 - 07:19 AM

Steve, are you using agentless or deploying the agent? If agentless, it's probably a WMI issue.
Mike

#4 Zak

Zak

    Administrator

  • Root Admin
  • PipPipPip
  • 747 posts
  • Gender:Male

Posted 25 January 2008 - 07:53 AM

Steve, are you using agentless or deploying the agent? If agentless, it's probably a WMI issue.

Not necessarily. In order to use an agentless (direct WMI) method, you need to have the same rights as when you connect to administrator resources like C$ or ADMIN$ (which is done when deploying agent), that is administrator rights. And Windows XP and Vista have some default restrictions for such connections, which I have described above. These restrictions are removed when you connect a system to a domain, and in workgroup you have to remove them manually.
Softinventive Lab support

#5 SpongeWorthy

SpongeWorthy

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 25 January 2008 - 11:04 PM

Thanks for the tips guys,

I'll review the settings and give them a try.

Steve

#6 Benny

Benny

    Advanced Member

  • Members
  • PipPipPip
  • 44 posts

Posted 26 January 2008 - 08:22 PM

doesn't it already have "try other method if one fails" turned on by default? Coz if so, it should already be trying the agent. ?

#7 Zak

Zak

    Administrator

  • Root Admin
  • PipPipPip
  • 747 posts
  • Gender:Male

Posted 28 January 2008 - 03:07 AM

doesn't it already have "try other method if one fails" turned on by default? Coz if so, it should already be trying the agent. ?

Yes, and moreover, agent is tried by default in the furst turn. But "Access denied" does not depend on the selected method, because if it's "denied", you'll get this error with both methods.
Softinventive Lab support

#8 Benny

Benny

    Advanced Member

  • Members
  • PipPipPip
  • 44 posts

Posted 28 January 2008 - 01:03 PM

you're right. I didn't read your previous post close enough. please forgive!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users