Known Issue: You cannot push the Symantec Management Agent to a Windows Vista, 7, 8 or 10 machine using a user-defined local admin account if UAC is turned on
Last Updated August 13, 2015
You cannot push the Symantec Management Agent to a Windows Vista, 7, 8 or 10 machine using a user-defined local admin account if UAC is turned on.
This issue does not arise if you push the Symantec Management Agent using the default (built-in) local administrator account or domain administrator account (that is, the Notification Server application credentials).
This issue does not arise on computers that have UAC disabled.
The Symantec Management Agent Push Install process attempts to access an administrative share on the target computer. If User Account Control (UAC) is enabled on the target Windows Vista, 7, 8 or 10 computer and the push uses a user-defined local administrator account, access to the administrative share fails, which causes the push install to fail as well. This is because, over a remote connection, the user account has no elevation potential on the target computer and cannot perform administrative tasks.
For more information on User Account Control, refer to the following Microsoft documentation:
This document contains the following information about Local User Accounts:
When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively logon to the computer that he or she wishes to administer.
You can work around this issue by adding a UAC flag to the registry of the target computer so that users with administrative credentials can access the administrative shares remotely.
To do this:
1. Click Start > Run.
2. In the Run dialog box, type regedit and then click OK.
3. In the Registry Editor, in the left pane, select the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
4. In the right pane, right-click and then click New > DWORD Value.
5. Type LocalAccountTokenFilterPolicy and then click outside the editable area.
6. Double-click the new item you have just created.
7. In the Edit DWORD Value dialog box, in the Value data box, type 1.
8. Close the Registry Editor.
9. Restart the computer to make the changes take effect.
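The registry change above can also be scripted. The following PowerShell is an added example, not Symantec's code; the function names are hypothetical. It reports the current value, sets it with -WhatIf support, and can set it back to 0 once the push has completed. Setting it back is an addition that the article does not describe.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell
# session on the target computer. All function names are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Test-Elevated {
    # True when the current session holds an elevated administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RemoteTokenFilterValue {
    # $null means the value is absent, which Windows treats like 0: remote
    # connections by local administrator accounts receive a filtered token.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-RemoteTokenFilterValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)

    if (-not (Test-Elevated)) { throw 'Run this from an elevated session.' }
    $before = Get-RemoteTokenFilterValue
    if ($before -eq $Value) {
        Write-Output "$ValueName is already $Value; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "set DWORD to $Value")) {
        # -Force overwrites an existing value; DWord matches the manual steps.
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
        $shown = if ($null -eq $before) { 'absent' } else { $before }
        Write-Output "$ValueName changed from $shown to $Value. Restart the computer to apply."
    }
}

# The value applies to every local account in the Administrators group, not only
# the account used for the push, so this example sets it back afterwards.
# Preview:          Set-RemoteTokenFilterValue -Value 1 -WhatIf
# Before the push:  Set-RemoteTokenFilterValue -Value 1   (then restart)
# After the push:   Set-RemoteTokenFilterValue -Value 0   (then restart)
```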
Symantec Management Platform 7.0 or later, pushing the Symantec Management Agent to Windows Vista, 7, 8 and 10 clients
Imported Document ID: TECH46509