Access is denied
Posted 24 January 2008 - 07:34 PM
I am getting an 'Access is denied' error attempting to logon to all of the computers in my workgroup. Is TNI only supported in a domain environment? If not, how can I diagnose the specifics of the autentication failure? I have tried connecting to both WinXP and Vista computers. I am using 1.5.40 trial version.
Posted 25 January 2008 - 03:05 AM
TNI works in both workgroup and domain environment. But the point is that you need to have administrator access to remote machines. Make sure that you specify username and password of the user that has administrator rights on those computers (local administrator or domain administrator). If the administrator has blank password, remote access will not be possible also.
But if the computers are not in domain: workstations which are running Windows XP and Vista and not connected to domain don't allow local administrator to authenticate as himself by default. Instead, "ForceGuest" policy is used, which means that all remote connections are mapped to Guest account. But again, administrator rights are required to make the scan. Please consult this document on this matter. You would need to update the policy as described in this document on each computer. It can be easily done by running "secpol.msc" and expanding Local policies - Security options - and locating the policy "Network access: Sharing and security model for local accounts" and changing it from "Guest" to "Classic".
This should be done for both Windows XP and Vista. But for Windows Vista there is one more step that should be taken - it concerns User Account Control (UAC). It restricts administrator rights for remote logons is some cases. You should either disable UAC, or make changes to the parameter in the registry as described in this short document.
P.S. I bet this should be added to our FAQ...
Posted 25 January 2008 - 07:19 AM
Posted 25 January 2008 - 07:53 AM
Not necessarily. In order to use an agentless (direct WMI) method, you need to have the same rights as when you connect to administrator resources like C$ or ADMIN$ (which is done when deploying agent), that is administrator rights. And Windows XP and Vista have some default restrictions for such connections, which I have described above. These restrictions are removed when you connect a system to a domain, and in workgroup you have to remove them manually.
Steve, are you using agentless or deploying the agent? If agentless, it's probably a WMI issue.
Posted 25 January 2008 - 11:04 PM
I'll review the settings and give them a try.
Posted 26 January 2008 - 08:22 PM
Posted 28 January 2008 - 03:07 AM
Yes, and moreover, agent is tried by default in the furst turn. But "Access denied" does not depend on the selected method, because if it's "denied", you'll get this error with both methods.
doesn't it already have "try other method if one fails" turned on by default? Coz if so, it should already be trying the agent. ?
Posted 28 January 2008 - 01:03 PM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users