Purpose
This document will walk you through on configuring your machine so that it can be scanned using local account credentials.
Symptoms
Although you have the correct local account credentials defined and assigned, scans on your machine fail. Errors include 451 The specified user account requires administrative rights to the target machine, 452 Unable to connect to the remote machine or 5: Access is Denied.
Resolution
If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines with the following steps.
- Run regedit and locate the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- With that key highlighted, click Edit > New > DWORD (32-bit) Value
- Type LocalAccountTokenFilterPolicy and then press Enter to name and create the new value
- Double-click the new LocalAccountTokenFilterPolicy value and change the value to 1 and click OK to save it
In some instances, exporting/importing this registry key will not correctly fix the issue. If you imported this key via a .reg file, and you continue getting access denied messages, try deleting the registry value and manually entering it using the steps above.
For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/951016
Additional Information
Refer to this portion of the Agentless Patch Scanning Prerequisites.
Affected Versions
Patch for Windows Servers 9.3.x
Ivanti Security Controls (all)