by Hui-Jen (Jen) Shiau, Practice Associate & Technical Consultant at Taos
Every once in a while, I get access denied messages when I am trying to do a remote deployment of a tool or client to another Windows machine. We will often cry immediately, “It’s the network and the firewall!” This then leads to an email flame war between the Windows and network teams. Both sides will claim that it is the other side’s fault and that their own systems are not to blame. You go over the route tables and the firewall to see if anything is blocking traffic. Then you go on to the routers to check their ACLs, and you still don’t find the culprit.
Well, with Windows 2008, the culprit is often Windows itself. There are three areas where Windows will cause an access denied error when you are trying to deploy remotely to another computer. The first cause is that the user account you are using is not a member of the local Administrators group on the target computer.
The second cause is the local Windows firewall. The built-in Windows firewall typically has three zones: Domain Networks, Home or Work (Private) Networks, and Public Networks. Many will argue to have them up, but I am of the school of thought of turning them off, as you will already have enterprise firewalls that put the Microsoft built-in firewall to shame. People will counter and say that you can just add a firewall rule to the local firewall. This may be okay when you are at home or at a local Mom and Pop store with two machines. However, when you are in an enterprise, managing the firewall rules for 3000 plus servers can be a daunting task and should be consolidated to the corporate firewall. Quite often, the built-in firewall is what is blocking traffic.
The last potential culprit is User Account Control (UAC). If you are trying to install a component like anti-virus or a remote agent on a target machine, UAC will raise a prompt on the target machine asking whether to install or not. As is often the case, most programs don’t have a command-line switch for you to disable UAC. You will need to temporarily disable UAC via GPO during the mass install and re-enable it after the install is complete.
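A read-only check of the three causes above, run locally on the target server before a deployment. This is an added example, not part of the original post; the account name is a constructed placeholder, and the firewall parsing assumes English `netsh` output.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the target server. Read-only: it changes no settings.
# Written to work on the PowerShell 2.0 that ships with Windows 2008 R2.
$DeployAccount = 'CONTOSO\svc-deploy'   # constructed placeholder account

# Cause 1: is the deployment account a direct member of local Administrators?
# Membership through a nested domain group is not resolved here.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
$needle  = $DeployAccount -replace '\\', '/'          # DOMAIN\user -> DOMAIN/user
$isAdmin = @($members | Where-Object { $_ -like "*/$needle" }).Count -gt 0

# Cause 2: state of the Domain, Private and Public firewall profiles.
# Assumes English netsh output ("Domain Profile Settings:", "State   ON").
$firewall = @{}
$current  = $null
foreach ($line in (netsh advfirewall show allprofiles state)) {
    if ($line -match '^(\w+) Profile Settings') {
        $current = $Matches[1]
    }
    elseif ($current -and $line -match '^State\s+(\w+)') {
        $firewall[$current] = $Matches[1]
    }
}

# Cause 3: UAC. EnableLUA = 1 means UAC is on, 0 means it is off.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacOn  = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA -eq 1

# One summary object per server, so results can be collected and compared.
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    Account         = $DeployAccount
    InLocalAdmins   = $isAdmin
    FirewallDomain  = $firewall['Domain']
    FirewallPrivate = $firewall['Private']
    FirewallPublic  = $firewall['Public']
    UacEnabled      = $uacOn
} | Format-List
```

Recording this output before and after a mass install also confirms that UAC and the firewall profiles ended up in the state you intended once the deployment window closes.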
Thus, as you can see, it is not always the fault of the network and firewall teams. However, still feel free to blame them for everything that goes wrong and quietly fix the problem on your side so they don’t know it is actually the fault of the Windows team. 🙂