Troubleshooting the Direct Network Scan

Windows Direct Network Scan

Summary

The Windows Direct Network Scan feature relies on the hidden administrative share (ADMIN$) that Windows uses to manage the computer environment on the network. Typically, computers that are running Windows automatically create the administrative share during the install of the operating system. Normally, the Direct Network Scan works right out of the box; however, the feature requires a few things to be in place.

This section will explain most common issues and known solutions for them. Some of these issues might have to do computers being audited (for details, see Troubleshooting the Direct Network Scan), other - with the computer hosting the Automation Server.

Remote Computers

The most common issues related to client computers are:

• Administrative shares are disabled
• File and Printer Sharing components are disabled
• Configuration issues preventing access to administrative shares
• Audit account does not exist on client computer
• Error messages

Administrative shares are disabled

Some administrators consider administrative shares a security risk and disable them completely. This is a result of certain vulnerabilities found in early versions of Windows. However, these were mostly issues with the local administrator password being blank, which allowed for unauthorized access to the administrative share.

Since then, Microsoft has restricted file sharing and significantly improved security. Today, with reasonable precautions in place, it is quite safe to have administrative shares enabled. Without them the Direct Network Scan will not work. Moreover, you may experience a variety of other issues unrelated to Network Inventory when administrative shares are unavailable. For details, see Microsoft Knowledge Base article 842715 "Overview of problems that may occur when administrative shares are missing" at https://support.microsoft.com/kb/842715.

File and Printer Sharing components are disabled

You will be unable to remotely audit Windows computers unless the File and Printer Sharing for Microsoft Networks component and the Server service is enabled there.

Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled:

1. Select Control Panel from the Start menu.
2. Open the Network Connections folder:
   1. For Windows XP: Click Network Connections.
   2. For Windows Vista or Windows Server 2008:
      1. Start Network and Sharing Center:
         • If you use the Control Panel Home view, under the Network and Internet section, click View network status and tasks.
         • If you use the Classic View, double-click Network and Sharing Center.
      2. In the Tasks pane, click Manage network connections.
   3. For Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2:
      1. Start Network and Sharing Center:
         • In Control Panel, when View by is set to Category, click Network and Internet, and then click Network and Sharing Center.
         • In Control Panel, when View by is set to either Large icons or Small icons, click Network and Sharing Center.
      2. In the Tasks pane, click Change adapter settings.
3. Click the network connection associated with the LAN.
4. On the General tab, select Properties and verify that File and Printer Sharing for Microsoft Networks appears on the list of installed items (i.e. the check box next to this component is selected).

The File and Printer Sharing for Microsoft Networks component corresponds to a Windows network service named Server. Configure the Server service as follows:

1. In Control Panel, open System and Security > Administrative Tools, and then double-click Services.
2. Double-click the Server service.
3. Set the startup type to Automatic.
4. Make sure the service status is Started. Otherwise, click Start.

Please note that additional steps are required on computers running Windows Vista and above:

1. For Windows Vista:
   1. Open Network and Sharing Center dialog box (for example, click Start, right-click Network, then select Properties).
   2. In the Sharing and Discovery section, click the down arrow next to File sharing and under File sharing settings, click Turn on file sharing. Click Apply.
   3. Set the Network Location Type to either Private or Domain as follows:
      1. To the right of the network name and location type, click Customize.
      2. In the Set Network Location dialog, click Private or Domain, and then click Next.
      3. In the Successfully set network settings dialog box, click Close.
2. For Windows 7, Windows 8, Windows 8.1, or Windows 10:
   1. Start Network and Sharing Center (for example, in Control Panel, when View by is set to Category, click Network and Internet, then click Network and Sharing Center).
   2. In the Network and Sharing Center left pane, click Change advanced sharing settings. The Advanced sharing settings folder opens.
   3. In Advanced sharing settings, click the arrow next to the network profile that you want to configure (Home orWork).
   4. In File and printer sharing, click Turn on file and printer sharing. Then click Save changes.
   5. Set Network Location Type to Home or Work network profile as follows:
      1. In Network and Sharing Center, under the View your active networks section, click the link below the active network name. For example, if you have a network named Network 1 and there is a link below the network name, click it. The Set Network Location dialog box opens.

         IMPORTANT: If your network is a domain network and you are unable to change the network location, contact your network administrator.

      2. In the Set Network Location dialog box, click Work network or Home network.
      3. Review the summary of your network location, and then click Close.

Configuration issues preventing access to administrative shares

Simple File Sharing

The Simple File Sharing feature is always turned on for Windows XP Home Edition. By default, Simple File Sharing is also turned on for Windows XP Professional when the computer is in a workgroup environment. Starting with Windows Vista, Simple File Sharing is not enabled by default.

When Simple File Sharing is turned on, access to the administrative share is disabled because all remote users authenticate as "Guest", and guest accounts do not have administrative rights. Therefore, you must turn off Simple File Sharing to allow the Direct Network Scan feature to work.

To turn off Simple File Sharing in Windows XP Professional, follow these steps:

1. Double-click My Computer on the desktop or select My Computer from the Start menu.
2. Select Tools > Folder Options.
3. Click the View tab, and then clear the Use Simple File Sharing (Recommended) check box.

   INFO: For details, see Microsoft Knowledge Base article 304040 "Share files in File Explorer" at https://support.microsoft.com/kb/304040.

Windows Firewall

Since the release of Windows XP SP2, the File and Printer Sharing component is blocked by default in Windows Firewall. This causes the "Network path not found" error message when attempting to perform the Direct Network Scan.

In order to allow the Direct Network Scan through Windows Firewall, you must enable the File and Printer Sharing exception in the Windows Firewall configuration. When client computers running Windows XP SP2 or later are part of an Active Directory domain, you can use Group Policy to change the Windows Firewall configuration on multiple computers at once.

IMPORTANT: In certain cases, the File and Printer Sharing exception in Windows Firewall may allow unauthorized access to your files, printers, and network. For details, see Microsoft Knowledge Base article 199346 "Disable File and Printer Sharing for Additional Security” at https://support.microsoft.com/kb/199346.

NOTE: The steps below show how to change the Windows Firewall Group Policy settings for a Windows Server 2008 R2 domain. Steps for Windows Server 2008, Windows Server 2012, and Windows Server 2012 R2 domain are very similar.

INFO: For details on enabling the File and Printer Sharing in a Windows Server 2003 R2 domain (steps for Windows Server 2003 domain are very similar), see the Alloy Software Support Portal, Knowledge Base article KB002165 “Enabling File and Printer Sharing component in Windows 2003 R2 Server based Active Directory domain” at https:/support.alloysoftware.com/?mode=page&aid=KB002165.

To enable the File and Printer Sharing exception in Windows Firewall using Group Policy, follow these steps:

1. Log on to the domain controller.
2. Open the Microsoft Group Policy Management Console (for example, click Start > Run, type gpmc.msc in the text box, then click OK).
3. Determine what group of machines your policy is going to be applied to. The steps below show how to change the group policy for the entire domain.
4. In the Management Console tree, right-click Default Domain Controllers Policy in Domains\[Current Domain], and then click Edit.

   

   The Group Policy Management Editor dialog box opens.

5. Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions > Network > Network Connections > Windows Firewall. The Windows Firewall area contains two sections: Domain Profile and Standard Profile. Domain computers will automatically determine which profile they should use by the type of network they are connected to:
   • The domain profile is a set of Windows Firewall settings that are needed when the computer is connected to the managed network. For example, the domain profile might contain settings for excepted traffic for the applications and services needed by a managed computer in an enterprise network.
   • The standard profile is a set of Windows Firewall settings that are needed when the computer is connected to another network. A good example is when a laptop is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the laptop is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.

   

6. Select the appropriate profile. In the right pane, double-click the Windows Firewall: Allow inbound file and printer sharing exception item.

   

   The Windows Firewall: Allow inbound file and printer sharing exception dialog box opens.

7. Click Enabled. Under Options, enter a filter value to tell the group policy which computers are allowed to connect to the machine. Use * to allow all computers to connect.

   

8. Click OK. After about 30 minutes your computers should pick up the new policy.

   INFO: On a client machine, you can immediately refresh Group Policy settings by going to the command line and typing in the following command: GPUPDATE /force

   After the new policy has been applied, you will see the File And Printer Sharing item (it will appear dimmed) in the list of Windows Firewall exceptions on domain computers. To access the list of Windows Firewall exceptions, open Control Panel, open Windows Firewall, and click Allow a program or feature through Windows Firewall.

   

Third-Party Firewall Products

Third-party firewall products may also close the ports used for file and print sharing to prevent Internet computers from accessing your resources. In order to allow the Direct Network Scan through a firewall between the Automation Server and remote computers, open the ports for your local network.

INFO: For details, see Microsoft Knowledge Base article 298804 "Internet firewalls can prevent browsing and file sharing" at https://support.microsoft.com/kb/298804/.

User Account Control (UAC) - Windows Vista and above

User Account Control (UAC) is a security component introduced in the Microsoft Windows Vista operating system. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. Microsoft developed the UAC feature in Windows Vista to prevent silent installation of malware. UAC is enabled by default. Windows 7, Windows 8, Windows 8.1, and Windows 10 have inherited UAC from Windows Vista.

UAC also affects remote connections to computers. When a local user account is used to connect to a machine, the user is identified as a standard user even if the account is in the Administrators group. Since regular users do not have administrative rights, the system refuses access to administrative shares and the Direct Network Scan fails.

The method of solving this issue depends on whether you are connecting to remote computers in a domain or in a workgroup, since this determines whether UAC filtering is enabled.

If your computer is part of a Windows domain network, the audit credentials used by the Direct Network Scan should be for a domain account that is in the local Administrators group on the remote computer because UAC does not affect domain accounts in the local Administrators group. Do not use a local, non-domain account on the remote computer, even if it is in the Administrators group. In a workgroup, you must disable UAC for remote connections (remote UAC) by changing the registry entry that controls remote UAC.

Disable remote UAC as follows:

1. Start Registry Editor: Click Start, type regedit in the Start Search field, and then click regedit.exe in the Programs list.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
5. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
6. In the Value data field, type 1, and then click OK.
7. Exit Registry Editor.

Both solutions are a security risk. However, the latter may be necessary in a workgroup environment.

Other Issues

This section applies to Windows XP SP2 and higher.

Access to administrative shares and file sharing may also fail for the following reasons:

• Windows will deny access under accounts with a blank password.
• Windows will deny access if there are DNS issues related to the name of the Network Inventory application host machine or the IP address of the client machine. For example, the name of the DNS entry for the Network Inventory application machine must match its computer name, and the IP address of the client machine must be unique within the DNS. If there is an issue with your DNS configuration, audit snapshots for computers with identical names overwrite each other in the Inventory Repository.

Audit account does not exist on client computer

We recommend that you use credentials for a domain administrative account for the Direct Network Scan of Windows computers. If you use a local account (for example, in a non-domain network), must be a member of the local Administrators group.

INFO: For details, see Adding Windows Audit Credentials.

The administrative account must exist on the Automation Server computer and on every client computer you want audited. Otherwise, the Direct Network Scan may fail with the following error messages:

Failed: Error connecting to host (Error 5. Access is denied)

Failed: Error connecting to host (Error 1331. This user can't sign in because this account is currently disabled)

As a workaround, on the client computer, create the account that you use for the Direct Network Scan, and add this account to the local Administrators group.

Error messages

When the operating system denies access to the administrative share due to authentication - or network-related issues, Windows will report a generic error code. Keep in mind that in some cases this error code and the corresponding system error message may not reflect the actual cause of the failure and be misleading.

Troubleshooting Administrative Shares

Microsoft offers a guide for troubleshooting file and printer sharing in Windows which is available for download at Microsoft Download Center.

File Name: FP_Tshoot.doc

Title: Troubleshooting File and Printer Sharing in Microsoft Windows XP

Automation Server

The most common issue and known solution referring to the Automation Server host machine is the following:

• Client for Microsoft Networks component is disabled
• Audit account does not exist on the server computer

Client for Microsoft Networks component is disabled

On computers running Windows XP / Windows Server 2003 or later, you are unable to remotely audit computers when the Client for Microsoft Networks component and Workstation service is not installed and configured.

Make sure that the Client for Microsoft Networks component is installed and enabled as follows:

1. Select Control Panel from the Start menu.
2. Open the Network Connections folder:
   1. For Windows XP: Click Network Connections.
   2. For Windows Vista or Windows Server 2008:
      1. Start Network and Sharing Center:
         • If you use the Control Panel Home view, under the Network and Internet section, click View network status and tasks.
         • If you use Classic View, double-click Network and Sharing Center.
      2. In the Tasks pane, click Manage network connections.
   3. For Windows 7 and above:
      1. Start Network and Sharing Center:
         • In Control Panel, when View by is set to Category, click Network and Internet, and then click Network and Sharing Center.
         • In Control Panel, when View by is set to either Large icons or Small icons, click Network and Sharing Center.
      2. In the Tasks pane, click Change adapter settings.
3. Click the network connection associated with the LAN.
4. On the General tab, select Properties and verify that Client for Microsoft Networks appears on the list of installed items (i.e. the check box next to this component is selected).

The Client for Microsoft Networks component corresponds to Windows network service Workstation. Configure the Workstation service as follows:

1. In Control Panel, open System and Security > Administrative Tools, then double-click Services.
2. Double-click the Workstation service.
3. Set the startup type to Automatic.
4. Make sure that the service status is Started. Otherwise, click Start.

Audit account does not exist on the server computer

We recommend that you use credentials for a domain administrative account for the Direct Network Scan of Windows computers. If you use a local account (for example, in a non-domain network), such account must be a member of the local Administrators group.

INFO: For details, see Adding Windows Audit Credentials.

The administrative account must exist on every client computer you want audited and on the Automation Server computer. Otherwise, the Direct Network Scan may fail with the following error messages:

Failed: Error connecting to host (Error: 1331. Logon failure: account currently disabled)

Failed: Error starting the audit ([...] Error: 1327. Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced

As a workaround, on the computer hosting Automation Server, create an account which you will use for the Direct Network Scan, and add this account to the local Administrators group.