I'm getting Access Denied deploying Agents on Windows 10 1709 computers

Document ID : KB000074447
Last Modified Date : 09/07/2018
Issue:
Using the deployment wizard with a domain administrator account, I get the error "Access is denied."

With the DMDeploy process log set to Detail level (cftrace -c set -f cf -pp dmdeploy -l detail -s 50000 -ln 4), we can see the following activity:

<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005037|INFO   | Trying SHARE transport to send primer package G:\Program Files (x86)\CA\DSM\\Packages\Private\CAUnicenterDSM\dmprimer\Windows_x86 to <target-name>
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005059|DETAIL | Attempting to open share \\<target-ip-address>\admin$
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005082|DETAIL | Found user/pass info for <target-ip-address>
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005125|DETAIL |  szFullTargetUsername = <domain-name>\<domain-admin>
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005127|DETAIL | Calling WNetAddConnection2W
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005130|WARNING| Max connection attempts: 2
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 1 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 2 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 3 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |007949|DETAIL | The requested access was denied.
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005607|DETAIL |  Access to the network resource was denied.

Mapping the admin$ share from Windows Explorer works fine.

However, "net use" with the IP address (net use \\<target-ip-address>\admin$ /USER:<domain-name>\<domain-admin>) fails with access denied, while the same command with the hostname succeeds.
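
To triage a DMDeploy trace for this pattern across many targets, the following added example (not CA's code) parses the pipe-delimited records shown above and lists each admin$ target whose WNetAddConnection2W calls returned code 5, noting whether the share was addressed by IP. The field positions, the function names and the sample lines are assumptions constructed from the excerpt above.

```python
import ipaddress
import re
from collections import defaultdict

SHARE_RE = re.compile(r"Attempting to open share \\\\([^\\]+)\\admin\$")
FAIL_RE = re.compile(r"Call no\. (\d+) to WNetAddConnection2W failed, return code was: (\d+)")
ERROR_ACCESS_DENIED = 5  # Win32 error code reported in the trace above

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def find_denied_shares(lines):
    """Return {target: {"by_ip": bool, "attempts": int}} for admin$ opens denied with code 5."""
    current = {}  # thread id -> target of the share that thread is opening
    denied = defaultdict(lambda: {"by_ip": False, "attempts": 0})
    for line in lines:
        fields = line.rstrip("\n").split("|", 8)
        if len(fields) != 9:
            continue  # blank or wrapped line, not a trace record
        thread_id, message = fields[2], fields[8].strip()
        m = SHARE_RE.search(message)
        if m:
            current[thread_id] = m.group(1)
            continue
        m = FAIL_RE.search(message)
        if m and int(m.group(2)) == ERROR_ACCESS_DENIED and thread_id in current:
            entry = denied[current[thread_id]]
            entry["by_ip"] = is_ip_literal(current[thread_id])
            entry["attempts"] += 1
    return dict(denied)

# Constructed sample records (documentation IP, made-up hostnames and thread ids)
SAMPLE = r"""
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005059|DETAIL | Attempting to open share \\192.0.2.10\admin$
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 1 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003c10|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005059|DETAIL | Attempting to open share \\pc-example-01\admin$
<timestamp>|009316|00003b04|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 2 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003c10|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 1 to WNetAddConnection2W failed, return code was: 5
<timestamp>|009316|00003d20|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005059|DETAIL | Attempting to open share \\pc-example-02\admin$
<timestamp>|009316|00003d20|DMDeploy  |DmDeploy        |cdmdeployer.cpp     |005143|WARNING| Call no. 1 to WNetAddConnection2W failed, return code was: 53
"""

if __name__ == "__main__":
    for target, info in find_denied_shares(SAMPLE.splitlines()).items():
        print(target, "addressed by IP" if info["by_ip"] else "addressed by name", info["attempts"])
```

Targets reported as addressed by IP match the failing "net use" case described above; targets denied while addressed by name do not.
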
Environment:
CA-Client Automation (ITCM) -- any version.
Observed on Windows 10 1709 and newer targets.
Resolution:
Resolution #1
In some cases, you may need to update the ITCM configuration policy and set the following policy to TRUE:
DSM > Manager > Infrastructure Deployment > Use host names

This policy update only needs to be applied to the Domain Manager, but it is OK to set it in the Default Computer Policy. If you make this change in the Default Computer Policy, it may take some time to propagate to the DM's agent, as the underlying configuration and state management system will need to touch every agent's policy.

If you already have a configuration policy that applies policy changes only to the DM's agent, it is advised to make this change there. Otherwise, create a new configuration policy, e.g. "Domain Manager Policies", update the above policy in it, and apply it only to the DM's agent.

Resolution #2
If UAC is enabled in Windows 10, one possibility is that SAM accounts (Security Account Manager -- e.g. Local Accounts) have no privilege and cannot execute administrator tasks.  To overcome this without disabling UAC functionality, create the following registry value on the target:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy (DWORD) with a value of 1.

This value turns off UAC remote token filtering for local accounts in the Administrators group on that computer, so those accounts connect remotely with a full administrator token.