Environment
Domain Migration Administrator 6.3
Domain Migration Administrator 7.x
Situation
Error accessing registry key SYSTEM\CurrentControlSet\Control\Session Manager\Environment rc=5 Access is denied'.
Failed to install agent on \\computer, rc=5 Access is denied.
Failed to launch agent on \\computer, hr=80070005 Access is denied
Access is denied when trying to dispatch an agent to migrate a computer or translate security.
Resolution
There are several different resolutions to this issue depending on which cause applies:
If the account logged on to the DMA console is not a member of the Local Administrators group on the remote workstation:
- Log on to the DMA console with an account that has Local Administrator permissions to the remote workstation.
- Please refer to the following Knowledge Base article regarding NetIQ recommendations for the logged on account credentials:
- NETIQKB1434 - What is the best practice in terms of logon account permissions necessary to successfully migrate computers?:
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1434
- NETIQKB1434 - What is the best practice in terms of logon account permissions necessary to successfully migrate computers?:
- Please refer to the following Knowledge Base article regarding NetIQ recommendations for the logged on account credentials:
If the Remote Registry service is not enabled on the remote workstation:
- Using Computer Management on the DMA machine connect to the remote workstation and enable the Remote Registry service.
If both cause 1 and 2 have been verified, then the most likely cause is the permissions to the remote registry have been restricted. On the remote workstation:
- Click Start | Run.
- Type regedt32 into the Open field.
- Add the migration account (or a group that it is a member of) to the permissions on the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg - If these permissions already appear correct, add the LOCAL SERVICE group with Read permissions to the permissions of the winreg key.
Cause
This error message appears in the Dispatch.log (\Program Files\NetIQ\DMA\Logs\Dispatch.log) because the account logged on to the DMA console does not have permission to remotely access the registry of the remote workstation. There are several possible reasons for this.
- The account logged on to the DMA console is not a member of the Local Administrators group on the remote workstation.
- The remote registry service is not enabled on the remote workstation.
- Remote registry access has been restricted via registry permissions. Typically, this will happen on Microsoft Windows XP/2003 machines that do not have the Local Service local group listed with at least Read permissions to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. This key can be used to restrict and allow certain types of remote registry access.
- For more information,please see the following Microsoft knowledge base article:
- 153183 - How to Restrict Access to the Registry from a Remote Computer
http://support.microsoft.com/default.aspx?scid=kb;en-us;153183
- 153183 - How to Restrict Access to the Registry from a Remote Computer
- For more information,please see the following Microsoft knowledge base article: