Known Issue: You cannot push the Symantec Management Agent to a Windows Vista, 7, 8 or 10 machine using a user-defined local admin account if UAC is turned on

TECH46509
Last Updated August 13, 2015

You cannot push the Symantec Management Agent to a Windows Vista, 7, 8 or 10 machine using a user-defined local admin account if UAC is turned on.

This issue does not arise if you push the Symantec Management Agent using the default (built-in) local administrator account or domain administrator account (that is, the Notification Server application credentials).

This issue does not arise on computers that have UAC disabled.

The Symantec Management Agent Push Install process attempts to access an administrative share on the target computer. If User Account Control (UAC) is enabled on the Windows Vista, 7, 8 or 10 computer using a user-defined local administrator account, then access to the administrative share will fail, causing the push install to also fail. This is because the user account has no elevation potential on the target computer and cannot perform administrative tasks.

For more information on User Account Control, refer to the following Microsoft documentation:

http://msdn.microsoft.com/en-us/library/bb756993.aspx

This document contains the following information about Local User Accounts:

When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively logon to the computer that he or she wishes to administer.

You can work around this issue by adding a UAC flag to the registry to enable users with administrative credentials to access the administrative shares remotely.

To do this:

 

  1. Click Start > Run.
  2. In the Run dialog box, type regedit and then click OK.
  3. In the Registry Editor, in the left pane, select the following folder: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
  4. In the right pane, right-click and then click New > DWORD Value.
  5. Type LocalAccountTokenFilterPolicy and then click outside the editable area.
  6. Double-click the new item you have just created.
  7. In the Edit DWORD Value dialog box, in the Value data box, type 1.
  8. Click OK.
  9. Close the Registry Editor.
  10. Restart the computer to make the changes take effect.

 

 

Applies To

Symantec Management Platform 7.0 or later, pushing the Symantec Management Agent to Windows Vista, 7, 8 and 10 clients

Imported Document ID: TECH46509
Legacy ID: 49973

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation