bulldog
Engaged Sweeper
Firstly, what a fantastic application. This will change the way we operate immensely. We gladly upgraded to premium subscription and desperately hope that we can get a few of our last problems resolved.

We have just installed Lansweeper on an AD Global Domain controller and wanted to scan workstations and servers across 6 sites (i.e. 6 child domains) via VPN and spent much of yesterday sorting and working things out.

The story so far...

1. Workstations and servers that are members of the SAME AD Domain as the server on which Lansweeper is installed (we'll call this domain FRED.bedrock.local) - they all scan fine.
2. We have added the account LANS that is used by the Lansweeper service to the Enterprise Admins group on the GDC
3. Lansweeper SUCCESSFULLY connects to, and scans, a domain controller on another domain (let's call it BARNEY.bedrock.local)
4. Lansweeper (on the FRED domain) CANNOT connect to and scan workstations on the BARNEY domain.
5. We took a laptop (running Vista Business) that WAS a member of BARNEY (which wouldn't scan) and then added it to the FRED domain (and it WOULD scan perfectly)
6. We have enabled the Remote Registry Service on Vista.
7. All firewalls are off, we've disabled Antivirus too momentarily as well. We are testing on two workstations presently, one running Vista and one running XP.
8. No traffic restrictions on the VPN links.

We are getting the following results from connection Tester for both:

Ping OK
Remote Registry FAILED
WMI FAILED
Connection to the admin share on the C drive of the remote machine FAILED

In the errors tab, we get :

Requested Registry access is not allowed.

It looks to me like an authentication problem (but 3. above seems to throw a spanner in the works for that theory), but having tried all of the above, we seem to be getting nowhere. Help!?

MANY thanks in advance,

John
5 REPLIES 5
bulldog
Engaged Sweeper
OK. The latest. The problem WAS to do with the lansweeper service account not having admin rights on the local machine, but using the Restricted Groups GPO method caused no end of trouble performing unrelated tasks on the workstations locally. It seemed to mess everything up.

So, what I have been doing now is adding the account that the lansweeper service account runs as (lanswpr on the FRED domain) manually using :

net localgroup administrators FRED\lanswpr /add

..on each machine. This is all well and good, but I need to do this on lots of machines, across several domains. I can't add this to a logon script since it needs to be executed with admin rights. What I'm after is the VBS equiv of this so that I can get it to run as a STARTUP script and attach that to a machine GPO - any VBS wizards out there can offer a simple VBS script to do this, please? Needs clear instructions on what bits I need to change (VBS newbie here).

Many thanks!
Hemoco
Lansweeper Alumni
Make sure that FRED\lansweeperadmins is a universal group (I suppose FRED is a domain name)
On the computers try a "gpupdate /force" to make sure that the policies are applied.
You can also check the applied policies with "gpresult"
bulldog
Engaged Sweeper
Set this up using the Restricted Groups GPO option, rebooted the laptops and confirmed on the local machine that FRED\lansweeperadmins IS part of the BUILTIN\Administrators on the laptops on the BARNEY domain. Seems we have made some slight progress as even though we still get:

Ping OK
Remote Registry FAILED
WMI FAILED
Connection to the admin share on the C drive of the remote machine FAILED

The error in the errors tab has changed. We no longer get Requested Registry Access is not allowed, now we get the following on both XP and Vista machines:

Wmierror Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) <MACHINENAME> (192.168.*.*)

Something's obviously still not right. The fact that we can't connect to the administrative share on C$ from the Lansweeper server suggests that the account doesn't quite have local admin privileges.
bulldog
Engaged Sweeper
Excellent. That certainly sounds like the problem and the correct fix. Will post back here if it works. Fingers crossed.
Hemoco
Lansweeper Alumni
On all PCs in a domain, the group "domain admins" is automatically added to the local administrators of this computer.
The problem: this group in Active Directory can only contain users of this domain (so you cannot add your lansweeper account from another domain). (It's also not possible to change this to a universal group.)

How I solved this:
In your top domain, create a new universal group (called lansweeperadmins or something)
Add the lansweeper service account to the group.
Now add this group to the local administrators of your computers.
You can use scripting or a GPO (see this link http://windows.stanford.edu/Public/Infrastructure/localgroup.html)
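
The last step of the procedure above (adding the group to the local Administrators of each computer by script), as an added example that is not part of the original posts. It is written as a computer startup script, which runs as Local System and therefore needs no admin logon. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; `FRED\lansweeperadmins` is the group name used in this thread, and the log path is a hypothetical choice.

```powershell
# Added example: assign as a computer STARTUP script in a machine GPO.
# Startup scripts run as Local System, so no interactive admin rights are needed.
param(
    # Universal group holding the scanning service account (name from this thread).
    [string]$Member  = 'FRED\lansweeperadmins',
    # Hypothetical log location; pick a path only administrators can write to.
    [string]$LogFile = "$env:SystemRoot\Temp\scan-group-localadmin.log"
)

# Address BUILTIN\Administrators by its well-known SID so the script also
# works on non-English Windows, where the group name is localized.
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Write-Log([string]$Message) {
    "{0:u} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message |
        Add-Content -Path $LogFile
}

try {
    $current = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop

    if ($current.Name -contains $Member) {
        # Idempotent: nothing to do on every later boot.
        Write-Log "OK: $Member is already a local administrator"
    }
    else {
        Add-LocalGroupMember -SID $adminSid -Member $Member -ErrorAction Stop
        Write-Log "ADDED: $Member"
    }

    # Record the resulting membership so unexpected local admins stand out
    # when the logs are reviewed.
    $names = (Get-LocalGroupMember -SID $adminSid -ErrorAction Stop).Name -join '; '
    Write-Log "MEMBERS: $names"
}
catch {
    # Typical causes: the group name cannot be resolved across the trust,
    # or the machine has no domain connectivity yet at startup.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Unlike a Restricted Groups policy, this only adds the one group and leaves the existing members of the local Administrators group untouched.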

Archive

This board contains archived posts from the retired Lansweeper Forum and Insiders Community.
