Asset Scan Issues

Asset Scan Issues
















































1. Either access denied for the user or the remote DCOM option might be disabled in the workstation.



CAUSE:

    This error message occurs when a Windows workstation fails while scanning. This is due to any of the following reasons:
    The login name and password provided for scanning might be invalid in the workstation.
    Remote DCOM option might be disabled in the remote workstation.

RESOLUTION:

There are 2 ways this issue could be resolved. You can either choose to execute a script as in section 1, which will take care of configuring DCOM in the workstation. Else, you can follow the steps as in section 2, to manually setup DCOM.

Section 1:  Executing the script in remote workstations will configure the required DCOM and Windows Firewall settings in the remote workstations for scanning using WMI. This script can also be configured as Logon/Startup script in Domain Controller.

Steps for executing the script:

1. Download the script in attachment and save the file as "scan_setup.vbs".

2. Open a command prompt. Move to the folder where the script file is saved and execute the command as shown below

CSCRIPT scan_setup.vbs


Section 2: You can follow the below steps manually to enable DCOM and set it up for scanning.

Step 1:

For Windows workstations "Windows Domain Scan" mode will be more efficient than "Network Scan" mode. Configure the proper login credentials for the Domain/Workgroup. Check if the login credentials are provided in correct format. For login credentials ensure that you haven't entered the DomainName along with the UserName (i,e Do not enter as DomainName\UserName). It is sufficient if only the UserName is entered in the provided text-field.

Step 2:

Ensure that the login information provided are correct and has administrator privileges in the target computers. To check the validity of the login information, you can execute the following commands in the command prompt of the server:

net use \<RemoteComputerName>C$ /u:<DomainNameUserName> "<password>"
net use \<RemoteComputerName>ADMIN$ /u:<DomainNameUserName> "<password>"

Note: Replace the relevant value within <>. Supply password within the quotes.

If the above commands succeed and scanning fails, then the problem might be in the DCOM Configurations.

Step 3:

Ensure Remote DCOM is enabled on the target workstations.

To Enable DCOM in Windows 2000 Computers

    Select Start -> Run
    Type DCOMCNFG in the text field
    Click OK.
    Select Default Properties tab
    Check the box "Enable Distributed COM in this machine"
    Press OK

To enable DCOM in Windows XP Computers

    Select Start -> Run
    Type DCOMCNFG in the text field
    Click OK.
    Right click on Component Services > Computers > My Computer
    Click Properties
    Select Default Properties tab in the frame that pops
    Check the box "Enable Distributed COM in this machine".
    Press OK


Try scanning the workstation after enabling Remote DCOM.

Step 4:

If scanning fails after enabling remote DCOM, give more DCOM permissions and try scanning the workstation.

    Start -> Run -> DCOMCNFG
    Select Default Properties tab
    Check the box "Enable Distributed COM in this machine".
    Set the Default Authentication Level as DEFAULT. NONE also can be set.
    Set the Default Impersonation Level as IMPERSONATE.
    Now select the DEFAULT SECURITY tab.
    Click the Edit Default button under Default Access Permission.
    In the Frame that pops, click the ADD button and add "Everyone" with Allow Access permission.
    Similarly, under the Default Launch Permission add "Everyone" with Allow Launch permission.
    Click OK and now try scanning the workstation.


NOTE: Sometimes DCOM Settings will be effective after restarting the server.

Step 5:

In certain cases, the problem might be due to enabling "Simple File Sharing".  To disable "Simple File Sharing":

    In any of the Windows folders, click "Tools" > "Folder Options".
    In the Folder Options window, goto "View" tab.
    Uncheck "Use simple file sharing"
    Click "OK"  to save changes.

Step 6:

If the target workstations are Windows XP, try modifying the Network Access Security Model.

    Goto Control Panel -> Administrative Tools -> Local Security Policy
    Right click "Network Access : Sharing and security model for local accounts" and then select Properties
    Choose the option "Classic - local users authenticate as themselves" and apply
    Restart and scan the workstation.

Step 7:

If the target machine is running on Windows vista/Windows 7/Windows 2008 and if the target machine is in a workgroup or local user account is used for scanning, the remote user account control (UAC) has to be disabled.

    Select Start -> Run -> type regedit -> click OK.
    In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
    In the right panel, double click the LocalAccountTokenFilterPolicy. If this does not exist, right click on the right panel and create New DWORD value and double click it to modify the Value data.
    Enter the Value data as 1 to disable Remote UAC.



2. User does not have the access privileges to perform this operation.



CAUSE:

Such error messages are shown, if the user ID provided for scanning does not have sufficient access privileges to perform the scanning operation. Probably, this user does not belong to the Administrator group of the workstation.

RESOLUTION:

Try to scan with an administrator (preferably a Domain Administrator) account.

If you will not be able to use an admin account, you may also provide WMI Admin rights for the user in the target workstation as follows:

    In the target Windows workstation, click Start -> Run -> Type "wmimgmt.msc" and press Enter
    Right click on "WMI Control(LOCAL)" that is shown in the right side frame and select Properties
    In the "WMI Control Properties" window that pops up, click the "Security" tab
    Select the "Root" node , Click the "Security" button
    Add the user (configured for Domain Scan) and allow All Security Permissions. Click OK




3. One of the WMI components is not registered properly.



CAUSE:

This message is shown if WMI is not available in the remote windows workstation. This happens in the Windows 9x, Windows NT and Windows ME. Such error codes might also occur in higher versions of Windows if the WMI Components are not registered properly.

RESOLUTION:

    Install WMI core in the remote workstation. This can be downloaded from the Microsoft web site.
    If the problem is due to WMI Components registration, do register the WMI dlls by executing the following command in a command prompt.

        winmgmt /RegServer




4. Execution failure in the WMI Service of workstation.



CAUSE:

Such error are shown when there are some internal execution failures in the WMI Service running in the remote workstation. Probably the last update of the WMI Repository in that workstation could have failed.

RESOLUTION:

Restart the WMI Service in the remote workstation.  To restart the WMI service in the workstation

    Select Start -> Run
    Type Services.msc
    Click OK.
    In the Services window that pops-up, select "Windows Management Instrumentation" service and right-click on that.
    Click Restart.



5. WMI service is disabled in the workstation.



CAUSE:

This error message is shown when the WMI Service (winmgmt.exe) is not enabled in the remote workstation.

RESOLUTION:

Modify the property of WMI Service as Manual or Automatic from disabled.

    Select Start -> Run
    Type Services.msc
    Click OK.
    In the Services window that pops-up, select "Windows Management Instrumentation" service and right-click on that.
    Click Properties
    If the Startup type is "Disabled", change it to "Automatic/Manual" and start the service.
    Restart the service.



6. Request for scan operation rejected by the workstation.



CAUSE:

DCOM settings in registry of the target workstation reject the scan request.

RESOLUTION:


Edit the registry key value, as described below

    Use Regedit to navigate to : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    Double-click the EnableDCOM value Name, a string (REG_SZ) data type. Set its data value to Y, even if it is already SET to Y.
    Click OK.
    Shutdown and restart the computer.



7. Failed to copy files to the remote workstation.



CAUSE:

Either the user does not have permission or file sharing is disabled in the remote workstation.

RESOLUTION:

    Executing the below command in the command prompt of the target workstation will enable file and printer sharing.

        netsh firewall set service FILEANDPRINT

    Right-click C drive of the remote workstation and click properties.
    In the Properties window, click the "Sharing" tab.
    Select the option share this folder and specify the share name as C$. Make sure there is no white space in the share name.
    Select the number of users to allow and click on permission.
    Add the users and give Full Control to the user.
    Note:This permission will be required for installing the agent in the remote workstation for the very first time only.




8. Problem while running the scan script.



CAUSE:

Some unexpected exception occurred while executing the scan script in the workstation.

RESOLUTION:

Open a command prompt and execute the scan script "ae_scan.vbs" as below in the target workstation.

      CSCRIPT ae_scan.vbs -debug >Error_scan.log

This will generate a file "Error_scan.log" in the directory you are running the script. Contact the ServiceDesk support team with the Error log files and the resultant file Error_scan.log. You can obtain the error log files from Support tab by clicking on the Support File link in the ServiceDesk Plus application.



9. Problem while parsing the scanned xml



CAUSE:

The scanned xml document may be empty or the scanned xml having some special characters.

RESOLUTION:

Kindly contact the product support team for further analysis.




10. Configuring Windows Workstations for WMI Scanning -- Has Attachment



Executing the below script in remote workstations will configure the required DCOM and Windows Firewall settings in the remote workstations for scanning using WMI. This script can also be configured as Logon/Startup script in Domain Controller.

Steps for executing the script:

1. Download the script in attachment and save the file as "scan_setup.vbs".

2. Open a command prompt. Move to the folder where the script file is saved and execute the command as shown below

CSCRIPT scan_setup.vbs




11. Cannot scan the disposed and expired asset



CAUSE:

Scanning for the assets in disposed state or expired state is not supported.

RESOLUTION:

To scan these assets, move the assets to another state, other than disposed state and expired state.




12. Credential is not configured



CAUSE:

The device does not have the scan credential. It would be happen if the device never scanned successfully or if the asset added manually or through CSV import.

RESOLUTION:

    Click Assets -> click Troubleshoot.
    In the Unaudited Workstations list view, you can filter the devices with the error message.
    Select the devices and configure the correct scan credentials and do scan.




13. Cannot connect to SNMP Agent.



CAUSE:

The snmp agent in the device is not reachable or the credential used for scanning is wrong.

RESOLUTION:

    Check whether correct credentials are configured in Admin -> Discovery -> Credentials Library.
    If credentials are correct, check the port used for scanning (default port is UDP/161) is blocked in your firewall. If so add exception to connect the agent.




14. Cannot identify model of this device.



CAUSE:

The model of the device could not be identified during the discovery.

RESOLUTION:

    Click Admin -> Discovery -> Scan Settings -> Associate OID to product.
    The device failed during scan will be listed in list view OIDs with unknown type
    Configure the product type and product for the device and do scan.




15. The operation invoked is not supported in the current platform



CAUSE:

The application is running in Linux server and trying to scan windows device in agentless mode.

RESOLUTION:

If the ManageEngine ServiceDesk Plus server is running in linux platform, windows devices can be scanned only through agent. To install the agent refer Admin -> Discovery -> Windows Agent Configuration.



16. Connection to SSH Service in the workstation failed



CAUSE:

The target device is not reachable through the port(s) configured in the credential of the device.

RESOLUTION:

If there is any firewall between the ManageEngine ServiceDesk Plus server and the target device, open the required port(s) configured under Admin -> Discovery -> Credentials Library in the firewall.



17. The scanned Product Type is in hidden state.



CAUSE:

The scanned device was identified under the product type which is in the hidden state. Try to scan the device after moving the corresponding Product Type to the visible state.

RESOLUTION:

To change the product type to visible state navigate to Admin tab --> Product Type --> Click Hidden Product Types. In Hidden Product Type List view, select the respective Product Type and Mark as Visible.



18. Remote Control Credentials are not configured



CAUSE:

This issue occurs if remote control credentials are not configured.

RESOLUTION:

    To configure remote control credential.
    Go to Asset tab >> select the workstation/server >> Remote Control >> Change credential.
    Select a credential or add a new credential.
    Click on Save button and try again.



19. Configured Remote Control credentials are empty.



CAUSE:

This issue happens when you have left the username/password field blank while configuring the credentials.

RESOLUTION:

    Go to Admin >> Credential Library.
    Find the credential you want to edit. Click on the edit icon.
    Update Name and Password in the credential and click on Save Credential.



20. A successful TCP protocol or cipher could not be negotiated with the agent.



CAUSE:

This issue usually occurs if the server failed to negotiate a successful TCP protocol or cipher with the agent of the machine you are trying to scan as there exists no common protocol or cipher for communication between them.

RESOLUTION:

This issue generally occurs if you restrict protocols and ciphers under Admin tab --> Windows Agent Configuration --> Settings and the client machine does not have the required protocols and ciphers for communication(Some protocols and ciphers are not available in lower versions of different OS). Try again without the restricted protocols and ciphers or expand your chosen ones.



21. Auth token validation failed.



CAUSE:

The auth token sent back from the agent doesnot match with the server's Authtoken.

RESOLUTION:

Go to the client registry located under.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ZOHO Corp\ManageEngine AssetExplorer\Agent
Check the server details including the server name, server port, and server IP in the client registry.
If the configured server details are incorrect, follow the steps under:Admin >>Windows Agent Configuration >>How to change the configurations in all agents after they are deployed?



22. Client Server authentication failure.



CAUSE:

    The server details configured in the client are incorrect.

    RESOLUTION:

    Go to the client registry located under.
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ZOHO Corp\ManageEngine AssetExplorer\Agent
    Check the server details including the server name, server port, and server IP in the client registry.
    If the configured server details are incorrect, follow the steps under:Admin >>Windows Agent Configuration >>How to change the configurations in all agents after they are deployed?

    Agent is unable to send an authentication request.

    RESOLUTION:

    Check if you could reach the server through the native browsers on the client.For Windows 10 and above versions, the native browser is Edge and for Windows versions below 10 it is InternetExplorer.
    Check the native browser proxy settings on the client machine.




23. Cannot connect to VMware device.



CAUSE:

    The login credentials of the VMware device are incorrect.
    The device scanned is not an ESX/ESXi device.
    The user account provided is locked out.
    Lockdown mode is enabled.

RESOLUTION:

    Provide the right credentials and retry.
    Verify whether the device is ESX host.
    Reset the user account password via DUCI or try again after unlock time if the user account is locked out.
    Disable Lockdown mode.



                  New to ADSelfService Plus?

                    • Related Articles

                    • Agent scan understanding

                      Agent scan in ServiceDesk plus happens in two way 1) Server to target machine  2) Agent from Machine to Server MODE 1:  1) Server to target machine        -This scan happens when you login to ServiceDesk plus \ Asset explorer from your workstation or ...
                    • SDP Scan offerings a glance

                      There are several use cases to be addressed to scan user machines. Here are the solutions available with SDP now. - User machine rarely reaches the organization domain / Network (user login once a week using VPN and other times using local ...
                    • Barcode scanning_Please scan barcodes

                      After scanning your asset barcodes, please press "ENTER" key. This will create a new field "Scanned Barcode(s)" just under the "Scan Your Asset Barcode" Field with the scanned Barcode. After that, You can click on "Add Assets" Button to add the ...
                    • Ports used during asset scan.

                      Kindly refer the link below to know more about ports used during scan. https://www.manageengine.com/products/asset-explorer/help/scanning_it_assets/ports-during-scan.html
                    • Query to show workstations that has a scan status (MSSQL & PGSQL)

                      Tested in build PGSQL (14300) and MSSQL (14306) PGSQL & MSSQL: Below query that will show the Assets that has a scan status. select systeminfo.workstationname "Workstation Name", LONGTODATE(audithistory.audittime) "Last Scanned on", ...