Access Denied

Problem

You can see the error message 'Access Denied' on the screen when you try to do either of the following:

  • Install an agent/Distribution server remotely using the Scope of Management (SoM) feature
  • Complete tasks like scan for patches, inventory or use the remote control feature

Cause

You require administrator credentials to enable a Endpoint Central server to complete remote operations like agent/Distribution server installation, patch scanning, inventory scanning and use features like the remote control feature. You will see the error message, 'Access denied' if the credentials specified in the SoM do not have administrator privileges.

Note: The causes and resolutions explained in this article are based on our experiences in our production and client environments. However, there may still be a few unknown causes which are not covered in this article. If this article does not resolve your issue and if you have an Active Directory-based network, you can automate agent installation using a startup script.

Resolution

To resolve this problem, identify the kind of network setup you have and follow the appropriate resolution, specified for it, below:

For a Workgroup setup

In case of a workgroup set up, the credentials specified should have administrator privileges on all the computers in a particular workgroup. To modify the credentials, if required, follow the steps given below:

  1. Click the Admin tab
  2. In the Global Settings section, click Scope of Management
  3. Click Edit Credentials
  4. Select the required domain
  5. Select Workgroup as the network type
  6. Specify the following:
    • Admin username
    • Password
    • DNS suffix
  7. Click Update Domain Credentials

You have modified the domain credentials.

For client computers which have the operating system Microsoft Windows Vista and later versions, you are required to disable either the User Account Control (UAC) or the remote UAC in all client computers:

Disabling UAC in the client computers

You are required to disable the UAC feature in all client computers. To disable the UAC feature, follow the steps given below:

  1. Click start>Settings>Control Panel>User Accounts
  2. Disable the UAC settings

    For Windows 7 and later vesions / Windows 2008 R2 and later versions.

    1. Click User Account Control Settings
    2. Drag and choose the control level to Never Notify
    3. Click OK

    For Windows Vista and older versions / Windows 2008 and older versions

    1. Click Turn User Account Settings On or Off
    2. Uncheck the Use User Account Control (UAC) to protect your computer checkbox
    3. Click OK
  3. Close the Control Panel window.

This will disable the UAC in the client computer. You need to perform the same steps in all the client computers that has Windows Vista or higher manually.

Disabling Remote User Account Control in the client computers

You are required to disable the Remote UAC feature by changing the registry entry that controls the Remote UAC feature. To disable the Remote UAC feature, follow the steps below:

  1. Click start>Run
  2. Enter regedit
  3. Click OK
  4. Navigate to HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
  5. Right-click on the white space and click New>DWORD Value
  6. Enter the name LocalAccountTokenFilterPolicy

    Note: If this key name is available then right-click on the name>Modify and follow the steps given below.

  7. Click Modify
  8. Change the value data to 1
  9. Click OK

You have disabled the Remote UAC feature.

For an Active Directory setup

If you have an Active Directory setup, you must specify credentials that have administrator privileges, for a domain, to avoid seeing this error. The administrator credentials are specfic to an Organizational Unit (OU). You cannot use the administrator credentials of one OU to complete operations on computers that belong to another OU.

For both Workgroup and Active directory setup

The below given steps applies for both work group and active directory set up

  • Check whether the Domain Administrator credentials supplied while defining the Scope of Management is still valid and has not been changed.

Enable DCOM settings in the client computers

  • Enable DCOM settings in all the computers in your network. To enable DCOM settings, follow the steps given below:
    1. Click start>Run
    2. Enter dcomcnfg
    3. Click OK

      The dialog box that appears depends on the Windows operating system that is installed in your computer. If you are using Windows NT/2000, you will see the Distributed COM Configuration Properties dialog box on the screen. If you are using Windows XP, you will see the Component Services dialog box on the screen. To acces the Properties tab, follow the steps given below:

      1. Expand Component Services
      2. Expand Computers
      3. Right-click on My Computer
      4. Click Properties
    4. Click the Default Properties tab
    5. Select Enable Distributed COM on this computer
    6. Select Enable DCOM Internet Services on this computer 
    7. Select an appropriate authentication level
    8. Select an appropriate impersonation level

 You have enabled DCOM settings in the computers in your network.

Applies to: Agent/Distribution server Installation Failure, Endpoint Central Agent/Distribution server Installation, Remote Desktop Sharing, Remote Control

Keywords: Agent/Distribution server Installation, Endpoint Central Agent/Distribution server Installation Failure, Installation Failure, Access Denied, Remote control, Desktop Sharing

 

Other KB articles 24/5 Support

Support will be available 24hrs a day and five days a week (Monday through Friday), excluding USA & India public holidays.

Tel : +1-888-720-9500
Email : desktopcentral-support@manageengine.com

Speak to us

  • Join the Endpoint Central Community, to get instant answers for your queries, register with our Forum.
  • Look out for the latest happenings in Desktop Management, follow our Tweets on Twitter.
  • Get to know the latest updates and Best Practices in Desktop Management through our Blog.