Known Issue: You cannot push the Altiris Agent to a Windows 7, 8 or Vista machine using a user-defined local admin account if UAC is turned on

Article:TECH46509  |  Created: 2009-11-04  |  Updated: 2013-06-05  |  Article URL http://www.symantec.com/docs/TECH46509
Article Type
Technical Solution


Issue



You cannot push the Altiris Agent to a Windows 7 or Vista machine using a user-defined local admin account if UAC is turned on.

Note: This also applies to Windows 8.

This issue does not arise if you push the Altiris Agent using the default (built-in) Notification Server local administrator account or domain administrator account (that is, the Notification Server application credentials).

This issue does not arise on computers that have UAC disabled.


Environment



Symantec Management Platform 7.0 or 7.1, pushing the Altiris Agent to Windows 7, 8 and Vista clients


Cause



The Altiris Agent Push Install process attempts to access an administrative share on the target computer. If User Account Control (UAC) is enabled on the Windows 7, 8 or Vista computer and the push uses a user-defined local administrator account, access to the administrative share fails, which causes the push install to fail as well. This is because the user account has no elevation potential on the target computer and cannot perform administrative tasks.

For more information on User Account Control, refer to the following Microsoft documentation:

http://msdn.microsoft.com/en-us/library/bb756993.aspx

This document contains the following information about Local User Accounts:

When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively logon to the computer that he or she wishes to administer.


Solution



You can work around this issue by adding a UAC flag to the registry to enable users with administrative credentials to access the administrative shares remotely.

To do this:

 

  1. Click Start > Run.
  2. In the Run dialog box, type regedit and then click OK.
  3. In the Registry Editor, in the left pane, select the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
  4. In the right pane, right-click and then click New > DWORD Value.
  5. Type LocalAccountTokenFilterPolicy and then click outside the editable area.
  6. Double-click the new item you have just created.
  7. In the Edit DWORD Value dialog box, in the Value data box, type 1.
  8. Click OK.
  9. Close the Registry Editor.
  10. Restart the computer to make the changes take effect.
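
The same registry change can be scripted. The following PowerShell is an added example, not Symantec's own code: it reads the current value, writes the DWORD only when it differs, and verifies the write. The function names are hypothetical, and it assumes an elevated session on a client that has PowerShell 2.0 or later.

```powershell
# Added example: audit and set LocalAccountTokenFilterPolicy (run elevated).
# Function names are hypothetical; the key path and value name come from the article.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # Returns the current DWORD, or $null when the value is absent
    # (absent behaves like 0: remote local-admin tokens are filtered).
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Set-RemoteUacFilterState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 1)]
        [int]$Value
    )
    $before = Get-RemoteUacFilterState
    if ($before -eq $Value) {
        Write-Output "$PolicyName is already $Value; no change made."
        return
    }
    # -Force overwrites an existing value of any type with a DWORD.
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    $after = Get-RemoteUacFilterState
    if ($after -ne $Value) {
        throw "Write to $PolicyName did not persist (is the session elevated?)."
    }
    $shown = if ($null -eq $before) { 'absent' } else { $before }
    Write-Output "$PolicyName changed from $shown to $after. Restart for the change to take effect."
}

# Usage:
#   Set-RemoteUacFilterState -Value 1   # before the push install
#   Set-RemoteUacFilterState -Value 0   # restore remote token filtering afterwards
```

The value applies to every account in the local Administrators group on that computer, not only the account used for the push, so setting it back to 0 once the agent is installed restores remote UAC token filtering.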

 



Legacy ID



49973

