Issue description
ADSelfService Plus fails to deploy the login agent to remote Windows machines.
Possible causes
Remote Registry service not running: The Remote Registry service may not be running on the target machine. This must be enabled for remote deployment.
Blocked network ports: Required ports (SMB, NetBIOS, DNS, RPC) may be blocked by firewall rules.
Admin$ share not accessible: The admin$ share must be available and accessible for remote deployment.
Incorrect service account permissions: The ADSelfService Plus service may be running under an account that does not belong to the domain admins group.
Firewall or security policies blocking communication: Windows Defender Firewall or network security policies may be preventing remote deployment.
Prerequisites
Ensure you have the following before proceeding with the resolution steps:
Administrative access to the ADSelfService Plus server and target machines.
Network connectivity between the ADSelfService Plus server and target machines.
Required ports are open and accessible.
Valid credentials for a domain admin account.
Resolution
Step 1: Verify Remote Registry service status on target machines
1. Open Services (services.msc) on the target machine.
2. Locate the Remote Registry service.
3. Ensure it is set to Automatic and is running. If not running, right-click and select Start.
Step 2: Check open ports required for deployment
ADSelfService Plus uses the following ports to deploy the GINA Agent. Ensure the following ports are open on the server where ADSelfService Plus is installed.
Port | Protocol | Service |
445 | TCP | SMB (File Sharing) |
139 | TCP | NetBIOS (Authentication, Network Logon) |
53 | TCP/UDP | DNS (Name Resolution) |
593 | TCP | RPC over HTTP |
Run the following command from the ADSelfService Plus server to the target machine:
Test-NetConnection <TargetMachine> -Port <PortNumber>
Example: Test-NetConnection 192.168.1.10 -Port 445
Step 3: Validate admin$ share accessibility on target machines from the ADSelfService Plus server
1. Open Run (Win + R) and enter \\<TargetMachine>\admin$
2. If prompted, enter administrator credentials for the target machine.
3. If access is denied, open Command Prompt as an administrator and enter net share. If admin$ is missing, enable it with net share admin$ /grant:Administrators,FULL.
Step 4: Verify the ADSelfService Plus service account on the server
Since ADSelfService Plus is responsible for deploying the GINA Agent, the ADSelfService Plus service on the server must run under an account with domain admin privileges. To verify this, follow these steps.
1. Open Services (services.msc) on the ADSelfService Plus server.
2. Locate the ManageEngine ADSelfService Plus service.
3. Right-click and select Properties.
4. Under the Log On tab, check the service account. The account should be a domain admin account.
To verify domain admins group membership:
1. Open Active Directory Users and Computers (dsa.msc).
2. Navigate to Users or the designated Organizational Unit (OU).
3. Find the service account used for ManageEngine ADSelfService Plus.
4. Right-click the account > Properties > Member Of tab.
5. Ensure the account is listed under Domain Admins.
If the service account is incorrect, update it in Services (services.msc) under the Log On tab. If the account is missing from domain admins, add it via Active Directory Users and Computers.
Restart the ADSelfService Plus service after making changes.
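The checks from Steps 1 to 4 can be collected into a single pre-flight run from the ADSelfService Plus server. The script below is an added example, not ManageEngine tooling; the default target address and the Add-Result helper are assumptions, only the TCP side of port 53 is tested, and Domain Admins membership still has to be confirmed in dsa.msc.

```powershell
# Added example: pre-flight checks for Steps 1-4. Run on the ADSelfService Plus
# server in an elevated session. $Target defaults to the Step 2 example address.
param([string]$Target = '192.168.1.10')

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Ok, $Detail) {   # hypothetical helper, not a built-in cmdlet
    $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = $Detail })
}

# Step 1: Remote Registry state and start type, read remotely with sc.exe
$state  = (sc.exe "\\$Target" query RemoteRegistry) -join ' '
$config = (sc.exe "\\$Target" qc RemoteRegistry) -join ' '
Add-Result 'Remote Registry running' ($state -match 'STATE\s+:\s+\d+\s+RUNNING') 'sc query'
Add-Result 'Remote Registry Automatic' ($config -match 'START_TYPE\s+:\s+2\s+AUTO_START') 'sc qc'

# Step 2: TCP reachability of the ports in the table (UDP 53 is not tested here)
$ports = @(
    @{ Port = 445; Service = 'SMB' },
    @{ Port = 139; Service = 'NetBIOS' },
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 593; Service = 'RPC over HTTP' }
)
foreach ($p in $ports) {
    $t = Test-NetConnection -ComputerName $Target -Port $p.Port -WarningAction SilentlyContinue
    Add-Result "TCP $($p.Port) ($($p.Service))" $t.TcpTestSucceeded "to $($t.RemoteAddress)"
}

# Step 3: admin$ reachable with the credentials of the current session
$share = "\\$Target\admin$"
Add-Result 'admin$ accessible' (Test-Path -Path $share -ErrorAction SilentlyContinue) $share

# Step 4: logon account of the local ADSelfService Plus service (display name from Step 4)
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'ManageEngine ADSelfService Plus%'" |
    Select-Object -First 1
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$named = $svc -and ($svc.StartName -notin $builtIn)
Add-Result 'Service uses a named account' $named "runs as '$($svc.StartName)'"

# One row per check; any row with Passed = False points back to the matching step
$results | Format-Table -AutoSize
```

The admin$ check uses the credentials of the session running the script, so run it as the account you intend to deploy with.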
Validation and confirmation
After applying the fixes, deploy the agent and verify whether the user can access the Reset Password/Unlock Account icon from the login screen.
How to reach support
If the issue persists, contact our support team here.