SC: If we don't have local admin rights on client computer to which we are trying to push agent, can't we push agent in that case?
IP: Yes, if specified User Account in "Push Install" page doesn't have write access to Admin share, then push install can't be done successfully.
https://knowledge.broadcom.com/external/article/151954/altiris-agent-push-installation-common-p.html
Authentication and Security
The most common problem for an Altiris Agent push is authentication and security. Below are a list of items that can hinder the complete push and installation of the Altiris Agent.
- The user account specified in the Altiris Push utility does not have rights to push to the Admin$.
- The user account specified in the Altiris Push utility does not have rights to install a service (ability to place the Altiris Agent Installer service actively on the computer).
SC: When we say local admin rights , does this mean local admin rights on the Notification server only or on the client machines too on which we are trying to push the agent ?
IP: "Local admin rights" means that Account "This account is on client computer, not on NS server) is local administrator on client Computer and have read/write rights to Admin share.
SC: How does Admin$ share get enabled by just opening the port 445 ?
IP: Push install doesn't enable/disable admin share on client side, therefore admin$ share should be enabled on client computer by person who admins/owns this computer.
How to enable default admin$ share:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System and create or modify a REG_DWORD value LocalAccountTokenFilterPolicy and set its value to 1
SC: If we are trying to install/uninstall agents on client machines, should port 445 be opened every time, I mean if we are not finished with installing agents on all client machines, then In that case port 445 needs to be opened if we are installing agent and discovering the computer in bits and pieces ?
IP: According to protocols list, 445 port should be opened if you are performing SMA push installations from NS to discovered client computers.
https://knowledge.broadcom.com/external/article/184952/ports-and-protocols-for-symantec-it-mana.html
Best regards,
IP.
------------------------------
[JobTitle]
[CompanyName]
[State]
------------------------------
Original Message:
Sent: Oct 14, 2022 05:28 AM
From: Shiv Choudhary
Subject: Failed to logon using the Admin account Access to the network resource was denied , getting this error . What rights do we use while using an account as seen an article which says use an account with the proper rights in that domain
Hi Igor ,
A very Good morning to you too!!
If we don't have local admin rights on client computer to which we are trying to push agent, can't we push agent in that case?
As our admin account is getting locked again and again, we are forced to remove the domain admin rights from our admin account by our Security team and now once the domain admin privileges are removed from our admin account, the above problem started to occur, means neither we are able to push agent to client machines nor able to uninstall the agent from the client machines , from where the multiple incident of account lockout request is coming .
When we say local admin rights , does this mean local admin rights on the Notification server only or on the client machines too on which we are trying to push the agent ?
- Write access to the machines ADMIN$ (This is one of the prerequisite for N.S to push agent to client , right ? )
- How does Admin$ share get enabled by just opening the port 445 ?
- If we are trying to install/uninstall agents on client machines, should port 445 be opened every time, I mean if we are not finished with installing agents on all client machines, then In that case port 445 needs to be opened if we are installing agent and discovering the computer in bits and pieces ?
------------------------------
Shiv Choudhary
India
Original Message:
Sent: Oct 14, 2022 03:31 AM
From: Igor Perevozchikov
Subject: Failed to logon using the Admin account Access to the network resource was denied , getting this error . What rights do we use while using an account as seen an article which says use an account with the proper rights in that domain
Good Morning Shiv Choudhary!
Yes, you can also use a local administrator account on these client computers for Symantec Management Agent push install from SMP Console (even if your ITMS and computers are in Domain and your current NS AppIdentity is a Domain Administrator account)
If client computers have same local account with administrative privileges, you can multi-select them in Push install grid and then click "Install" > go to "Push install settings" tab and specify their local account and password in this way > then try to install
Best regards,
IP.
------------------------------
[JobTitle]
[CompanyName]
[State]
Original Message:
Sent: Oct 14, 2022 03:06 AM
From: Shiv Choudhary
Subject: Failed to logon using the Admin account Access to the network resource was denied , getting this error . What rights do we use while using an account as seen an article which says use an account with the proper rights in that domain
Failed to log on using the administrator account. What rights do we use when using an account as I have seen in an article that says use an account with appropriate rights in that domain.
What does proper rights or appropriate rights mean ? Does it mean that account have domain admin rights in that domain or local admin rights will also work , kindly confirm .
------------------------------
Shiv Choudhary
India
------------------------------