Jump to content

Access is denied


Recommended Posts

Posted

Hi,

 

I am getting an 'Access is denied' error attempting to logon to all of the computers in my workgroup. Is TNI only supported in a domain environment? If not, how can I diagnose the specifics of the autentication failure? I have tried connecting to both WinXP and Vista computers. I am using 1.5.40 trial version.

 

Thank you,

Steve

Posted

Hi Steve,

TNI works in both workgroup and domain environment. But the point is that you need to have administrator access to remote machines. Make sure that you specify username and password of the user that has administrator rights on those computers (local administrator or domain administrator). If the administrator has blank password, remote access will not be possible also.

But if the computers are not in domain: workstations which are running Windows XP and Vista and not connected to domain don't allow local administrator to authenticate as himself by default. Instead, "ForceGuest" policy is used, which means that all remote connections are mapped to Guest account. But again, administrator rights are required to make the scan. Please consult this document on this matter. You would need to update the policy as described in this document on each computer. It can be easily done by running "secpol.msc" and expanding Local policies - Security options - and locating the policy "Network access: Sharing and security model for local accounts" and changing it from "Guest" to "Classic".

This should be done for both Windows XP and Vista. But for Windows Vista there is one more step that should be taken - it concerns User Account Control (UAC). It restricts administrator rights for remote logons is some cases. You should either disable UAC, or make changes to the parameter in the registry as described in this short document.

 

P.S. I bet this should be added to our FAQ...

Posted
Steve, are you using agentless or deploying the agent? If agentless, it's probably a WMI issue.

Not necessarily. In order to use an agentless (direct WMI) method, you need to have the same rights as when you connect to administrator resources like C$ or ADMIN$ (which is done when deploying agent), that is administrator rights. And Windows XP and Vista have some default restrictions for such connections, which I have described above. These restrictions are removed when you connect a system to a domain, and in workgroup you have to remove them manually.

Posted
doesn't it already have "try other method if one fails" turned on by default? Coz if so, it should already be trying the agent. ?

Yes, and moreover, agent is tried by default in the furst turn. But "Access denied" does not depend on the selected method, because if it's "denied", you'll get this error with both methods.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...