Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) when attempting to discover or add a Windows workload

  • 7009523
  • 19-Jun-2012
  • 01-Aug-2017

Environment

PlateSpin Forge
PlateSpin Migrate
PlateSpin Protect

Source workload uses the Windows Vista Operating System (or later versions)

Situation

When attempting to discover or add a Windows workload the job starts, but quickly fails with the following error:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Other workloads can be discovered or added without issue.

Resolution

Before going through any of the steps below it is important that the source workload meets the requirements listed in TID 7920291

1. Open a command prompt on the PlateSpin server or Forge Management VM
2. Run the following command:

net use \\nameorip\ipc$ /user:domain\username

Where nameorip is the hostname, FQDN, or IP of the workload being discovered or added.
 
3. If IPC$ access works correctly (i.e. a prompt appears asking for a password), proceed to step 4. Otherwise, ensure that port 135 is open to and from the source either by disabling the firewall on the source, or by adding a firewall rule that allows communication on port 135

4. Run the following command:

net use \\nameorip\admin$ /user:doman\username

5. If ADMIN$ access works, contact support for further assistance. Otherwise, continue to step 6

Note: the following steps will temporarily impact functionality of the source workload

6. On the source workload, open regedit

7. Locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\policies\system

8. Create a new DWORD (on 32-bit systems) or DWORD32 (on 64-bit systems) called LocalAccountTokenFilterPolicy with a vlue of 1

9. Open a command prompt

10. Run the following commands:

net stop server
net start server

Attempt to discover or add the workload once the Server service has restarted. If this still fails, contact support for further assistance.

Additional Information

The registry value being added forces UAC to allow access to the default shares.  A value of 1 stops UAC filtering the remote logon token, thus allowing remote access to the IPC$, ADMIN$, etc. shares that are created at install.