Windows Direct Network Scan

Summary

The Windows Direct Network Scan feature relies on the hidden administrative share (ADMIN$) that Windows uses to manage the computer environment on the network. Typically, computers that are running Windows automatically create the administrative share during the install of the operating system. Normally, the Direct Network Scan works right out of the box; however, the feature requires a few things to be in place.
This section explains the most common issues and their known solutions. Some of these issues have to do with the computers being audited (for details, see Troubleshooting the Direct Network Scan), others with the computer hosting the Automation Server.

Remote Computers

The most common issues related to client computers are:
Administrative shares are disabled

Some administrators consider administrative shares a security risk and disable them completely. This is a result of certain vulnerabilities found in early versions of Windows. However, these were mostly issues with the local administrator password being blank, which allowed for unauthorized access to the administrative share. Since then, Microsoft has restricted file sharing and significantly improved security. Today, with reasonable precautions in place, it is quite safe to have administrative shares enabled. Without them the Direct Network Scan will not work. Moreover, you may experience a variety of other issues unrelated to Network Inventory when administrative shares are unavailable. For details, see Microsoft Knowledge Base article 842715 "Overview of problems that may occur when administrative shares are missing" at https://support.microsoft.com/kb/842715.

File and Printer Sharing components are disabled

You will be unable to remotely audit Windows computers unless the File and Printer Sharing for Microsoft Networks component and the Server service are enabled there. Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled:
The File and Printer Sharing for Microsoft Networks component corresponds to a Windows network service named Server. Configure the Server service as follows:
Please note that additional steps are required on computers running Windows Vista and above:
Configuration issues preventing access to administrative shares

Simple File Sharing

The Simple File Sharing feature is always turned on for Windows XP Home Edition. By default, Simple File Sharing is also turned on for Windows XP Professional when the computer is in a workgroup environment. Starting with Windows Vista, Simple File Sharing is not enabled by default. When Simple File Sharing is turned on, access to the administrative share is disabled because all remote users authenticate as "Guest", and guest accounts do not have administrative rights. Therefore, you must turn off Simple File Sharing to allow the Direct Network Scan feature to work. To turn off Simple File Sharing in Windows XP Professional, follow these steps:
Since the release of Windows XP SP2, the File and Printer Sharing component is blocked by default in Windows Firewall. This causes the "Network path not found" error message when attempting to perform the Direct Network Scan. In order to allow the Direct Network Scan through Windows Firewall, you must enable the File and Printer Sharing exception in the Windows Firewall configuration. When client computers running Windows XP SP2 or later are part of an Active Directory domain, you can use Group Policy to change the Windows Firewall configuration on multiple computers at once.

IMPORTANT: In certain cases, the File and Printer Sharing exception in Windows Firewall may allow unauthorized access to your files, printers, and network. For details, see Microsoft Knowledge Base article 199346 "Disable File and Printer Sharing for Additional Security" at https://support.microsoft.com/kb/199346.

NOTE: The steps below show how to change the Windows Firewall Group Policy settings for a Windows Server 2008 R2 domain. Steps for Windows Server 2008, Windows Server 2012, and Windows Server 2012 R2 domains are very similar.

INFO: For details on enabling the File and Printer Sharing in a Windows Server 2003 R2 domain (steps for Windows Server 2003 domain are very similar), see the Alloy Software Support Portal, Knowledge Base article KB002165 "Enabling File and Printer Sharing component in Windows 2003 R2 Server based Active Directory domain" at https://support.alloysoftware.com/?mode=page&aid=KB002165.

To enable the File and Printer Sharing exception in Windows Firewall using Group Policy, follow these steps:
Third-party firewall products may also close the ports used for file and print sharing to prevent Internet computers from accessing your resources. In order to allow the Direct Network Scan through a firewall between the Automation Server and remote computers, open the ports for your local network.

INFO: For details, see Microsoft Knowledge Base article 298804 "Internet firewalls can prevent browsing and file sharing" at https://support.microsoft.com/kb/298804/.

User Account Control (UAC) - Windows Vista and above

User Account Control (UAC) is a security component introduced in the Microsoft Windows Vista operating system. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. Microsoft developed the UAC feature in Windows Vista to prevent silent installation of malware. UAC is enabled by default. Windows 7, Windows 8, Windows 8.1, and Windows 10 have inherited UAC from Windows Vista.

UAC also affects remote connections to computers. When a local user account is used to connect to a machine, the user is identified as a standard user even if the account is in the Administrators group. Since regular users do not have administrative rights, the system refuses access to administrative shares and the Direct Network Scan fails. The method of solving this issue depends on whether you are connecting to remote computers in a domain or in a workgroup, since this determines whether UAC filtering is enabled.

If your computer is part of a Windows domain network, the audit credentials used by the Direct Network Scan should be for a domain account that is in the local Administrators group on the remote computer because UAC does not affect domain accounts in the local Administrators group. Do not use a local, non-domain account on the remote computer, even if it is in the Administrators group.
In a workgroup, you must disable UAC for remote connections (remote UAC) by changing the registry entry that controls remote UAC. Disable remote UAC as follows:
Both solutions are a security risk. However, the latter may be necessary in a workgroup environment.

Other Issues

This section applies to Windows XP SP2 and higher. Access to administrative shares and file sharing may also fail for the following reasons:
Audit account does not exist on client computer

We recommend that you use credentials for a domain administrative account for the Direct Network Scan of Windows computers. If you use a local account (for example, in a non-domain network), it must be a member of the local Administrators group.

INFO: For details, see Adding Windows Audit Credentials.

The administrative account must exist on the Automation Server computer and on every client computer you want audited. Otherwise, the Direct Network Scan may fail with the following error messages:

Failed: Error connecting to host (Error 5. Access is denied)
Failed: Error connecting to host (Error 1331. This user can't sign in because this account is currently disabled)

As a workaround, on the client computer, create the account that you use for the Direct Network Scan, and add this account to the local Administrators group.

Error messages

When the operating system denies access to the administrative share due to authentication- or network-related issues, Windows will report a generic error code. Keep in mind that in some cases this error code and the corresponding system error message may not reflect the actual cause of the failure and may be misleading.

Troubleshooting Administrative Shares

Microsoft offers a guide for troubleshooting file and printer sharing in Windows which is available for download at Microsoft Download Center.

File Name:
Title: Troubleshooting File and Printer Sharing in Microsoft Windows XP

Automation Server

The most common issue and known solution referring to the Automation Server host machine is the following:
Client for Microsoft Networks component is disabled

On computers running Windows XP / Windows Server 2003 or later, you are unable to remotely audit computers when the Client for Microsoft Networks component and the Workstation service are not installed and configured. Make sure that the Client for Microsoft Networks component is installed and enabled as follows:
The Client for Microsoft Networks component corresponds to Windows network service Workstation. Configure the Workstation service as follows:
Audit account does not exist on the server computer

We recommend that you use credentials for a domain administrative account for the Direct Network Scan of Windows computers. If you use a local account (for example, in a non-domain network), such account must be a member of the local Administrators group.

INFO: For details, see Adding Windows Audit Credentials.

The administrative account must exist on every client computer you want audited and on the Automation Server computer. Otherwise, the Direct Network Scan may fail with the following error messages:

Failed: Error connecting to host (Error: 1331. Logon failure: account currently disabled)
Failed: Error starting the audit ([...] Error: 1327. Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced

As a workaround, on the computer hosting Automation Server, create an account which you will use for the Direct Network Scan, and add this account to the local Administrators group.

What is File and Printer Sharing for Microsoft Networks?

File and printer sharing in Microsoft® Windows® allows you to share the contents of selected folders and locally attached printers with other computers.
Which protocol is used by the Client for Microsoft Networks and file and printer sharing?

The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol.
What component of a network connection specifies the rules and format of communication between network devices?

A network protocol is an established set of rules that determine how data is transmitted between different devices in the same network. Essentially, it allows connected devices to communicate with each other, regardless of any differences in their internal processes, structure or design.
Which feature of Windows Server 2016 allows you to run commands on a virtual machine directly from the host server?

PowerShell Direct allows Windows PowerShell management inside a virtual machine regardless of the network configuration or remote management settings on either the Hyper-V host or the virtual machine.
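
The prerequisites covered in the Remote Computers and Automation Server sections, gathered into one read-only check that can be run locally on an audited computer or on the Automation Server host. This is an added example, not part of the original documentation or of Alloy's tooling; the function name is hypothetical, and the service names (LanmanServer, LanmanWorkstation) and registry values (AutoShareWks, AutoShareServer, LocalAccountTokenFilterPolicy) are the standard Windows ones, which this page does not itself list.

```powershell
# Added example: read-only report of Direct Network Scan prerequisites on this computer.
# Run elevated on Windows 8 / Server 2012 or later (Get-SmbShare, Get-NetFirewallRule).
function Get-DirectScanReadiness {   # hypothetical name, not an Alloy cmdlet
    $report = [ordered]@{}

    # Server backs File and Printer Sharing (audited computers);
    # Workstation backs Client for Microsoft Networks (Automation Server host).
    foreach ($name in 'LanmanServer', 'LanmanWorkstation') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $report["Service:$name"] = if ($svc) { [string]$svc.Status } else { 'Missing' }
    }

    # ADMIN$ must be published; AutoShareWks/AutoShareServer = 0 suppresses it at startup.
    $report['AdminShare'] = [bool](Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)
    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $report['AutoShareDisabled'] = ($lanman.AutoShareWks -eq 0) -or ($lanman.AutoShareServer -eq 0)

    # Count enabled inbound rules in the firewall exception group
    # (group display name as shown on English-language Windows).
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $report['FirewallInboundRulesEnabled'] = @($rules).Count

    # Remote UAC: a value of 1 means members of the local Administrators group
    # keep a full administrative token on network logons.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $report['RemoteUacDisabled'] = ($policy.LocalAccountTokenFilterPolicy -eq 1)
    $report['DomainJoined'] = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # On a domain member the scan should use a domain account, so remote UAC
    # being off there is extra exposure with no benefit to the scan.
    $report['RemoteUacOffUnneeded'] = $report['DomainJoined'] -and $report['RemoteUacDisabled']

    [pscustomobject]$report
}

Get-DirectScanReadiness | Format-List
```

The function changes nothing on the system; a stopped service, a missing ADMIN$ share or a zero firewall rule count points to the matching section above.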