Overview
The missing requirements or incorrectly set up alternative credentials for the Workgroup computer might result in errors like “access denied,” although an account with sufficient permissions was specified. This article provides the steps to address this issue.
Solution
When your environment has workgroup computers it is important to set them up correctly to avoid getting “access denied,” and similar errors during LanGuard scanning and remediation operations. The best way to achieve this is to ensure that all the required settings are in place and to configure alternative credentials for the workgroup computer(s) according to the best practices.
On the Workgroup computer:
- Open the 'Start Menu' > type
CMD
> right-click on Command Prompt and select Run as administrator. - Type the following commands to create GFI Service Account User, ensure to choose a name that does not exist on any other computer, like “
GFIServiceAccount123
”:-
net user GFIServiceAccount123 <yourpasswordhere> /Add
-
net localgroup administrators /add GFIServiceAccount123
-
- Disable UAC:
- Type
Regedit
to open up Registry Editor. - Go to File > Export > Type a name for your backup and hit Save.
- Browse to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Create a new DWORD 32bit named LocalAccountTokenFilterPolicy.
- Double click on the newly created registry key and set the value to 1.
- Close the Registry Editor.
- Type
- Type
services.msc
into the Command Prompt and ensure the following services are running and set to automatic:- Windows update
- Server
- Workstation
- Remote Registry
- Remote Procedure Call
- Windows Management Instrumentation
- Microsoft Application Experience (set to manual startup)
- Configure required Firewall ports and permissions:
- Open Control Panel and select Windows Firewall. Click Advanced Settings.
- Open Incoming Rules > Click on New Rule...
- Select Port > Click Next > enter the following ports: 135, 137 - 139, 161, 445
- Select "Allow the connection."
- Select the type of network the computer is assigned to (public or private).
- Assign a name for the rule and click OK to finish.
On the LanGuard server:
- Set the created above GFI Service Account User as alternative credentials for the Workgroup computer (or the Workgroup if you are setting up multiple workgroup computers this way):
- Launch GFI LanGuard console and go to the Dashboard tab.
- Locate the Workgroup computer (or Workgroup) and right-click to select Properties.
- Tick "Authenticate using" and enter the alternative credentials.
- Ensure that the account used by the GFI LanGuard Attendant Service or the logged-in user is unable to authenticate with the first connection attempt on the Workgroup computer. For the explanation refer to the Best Practices for Setting up Account Permissions with Alternative Credentials in LanGuard.
Testing
Run a Manual scan on the Workgroup computer and verify that it completes without issues.