Topic: "Deploy Client on computers without agent" task fails on Windows 7 machines

Aleksandr Nazaryan

Good day to all,

Has anyone ever faced the following issue, and can anyone provide a working solution for it?

Our university has a mixed desktop environment consisting of Windows XP SP3, Windows 7 SP1, Windows 8 and Windows 8.1.
All the machines concerned are on the same AD domain and have a dedicated AD account added to each machine's local Administrators group via GPO.

Normally we install the Avast Endpoint Protection suite manually, from the user's PC, and all goes fine. However, some machines were missed during the manual installation process and were discovered by the Avast Enterprise Administration console as machines without an agent.

I created a “Deploy Client on computers without agent” task to run on those machines. The above-mentioned AD account is specified in the task’s Login Accounts list with the proper syntax (domain\username).

All Windows XP SP3, Windows 8 and Windows 8.1 machines successfully received the deployment task and got the Avast Endpoint Protection suite installed correctly.
However, the deployment task fails on absolutely all Windows 7 machines. Here is an extract of the Remote install log from the AEA Console:

02/06/14 15:07:02:   rinstInstall begin
02/06/14 15:07:02:   Init 50 60 C:\Windows\TEMP\asw7656.tmp C:\Program Files\AVAST Software\Enterprise Administration\InstPkgs NULL  0
02/06/14 15:07:02:   Store
02/06/14 15:07:02:   Domains: AUAAD,
02/06/14 15:07:02:   Init AUAAD\VM007-W7
02/06/14 15:07:02:   VM007-W7: GetAccount
02/06/14 15:07:02:   VM007-W7: Queueing
02/06/14 15:07:02:   StartThread
02/06/14 15:07:02:   Loop
02/06/14 15:07:02:   SpawnThreads
02/06/14 15:07:02:   VM007-W7: StartSetup
02/06/14 15:07:02:   VM007-W7: Connecting
02/06/14 15:07:05:   VM007-W7: OpenSCManager error 5 (Access is denied)
02/06/14 15:07:05:   VM007-W7: OpenSCMImpersonated
02/06/14 15:07:05:   VM007-W7: LogonUser svc-MachineAdmin AUAAD error 1385 (Logon failure: the user has not been granted the requested logon type at this computer)
02/06/14 15:07:05:   VM007-W7: LogonUser svc-MachineAdmin AUAAD error 1385 (Logon failure: the user has not been granted the requested logon type at this computer)
02/06/14 15:07:05:   VM007-W7: RemoveOnError
02/06/14 15:07:05:   VM007-W7: CloseConnection
02/06/14 15:07:05:   VM007-W7: Finished with error
02/06/14 15:07:05:   TerminateAll
02/06/14 15:07:05:   rinstInstall end 0


I would very much appreciate the community's help with this.
Thank you

nannunannu

  • Guest
"access this computer from the network" needs to be granted for that user account.

Quote
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  Access this computer from the network
« Last Edit: February 11, 2014, 04:20:54 PM by nannunannu »
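
A triage sketch for the Remote install log format quoted in the first post, added here as an example (it is not Avast's code and was not posted in the thread): it reports each failing host's most specific Win32 error and the setting to check. The host names, the account and the `triage` helper are constructed for illustration.

```python
import re

# Constructed sample in the format of the Remote install log quoted above;
# host names and the account are placeholders, not values from a real site.
SAMPLE_LOG = """\
02/06/14 15:07:02:   PC-A: Connecting
02/06/14 15:07:05:   PC-A: OpenSCManager error 5 (Access is denied)
02/06/14 15:07:05:   PC-A: LogonUser svc-example EXAMPLE error 1385 (Logon failure: the user has not been granted the requested logon type at this computer)
02/06/14 15:07:05:   PC-A: Finished with error
02/06/14 15:07:06:   PC-B: Connecting
02/06/14 15:07:09:   PC-B: OpenSCManager error 5 (Access is denied)
02/06/14 15:07:09:   PC-B: Finished with error
"""

# "<date> <time>:   <host>: <API call> [args] error <code> (<message>)"
LINE = re.compile(r"^\S+ \S+\s+(?P<host>[^:\s]+): (?P<call>\w+)(?P<args>.*?)"
                  r" error (?P<code>\d+) \((?P<msg>.*)\)$")

# Win32 codes that appear in the thread's log and the check each points to.
HINTS = {
    1385: ("ERROR_LOGON_TYPE_NOT_GRANTED",
           'User Rights Assignment: "Access this computer from the network"'),
    5: ("ERROR_ACCESS_DENIED",
        "SCM refused the caller; look for a more specific error after it"),
}

def triage(log_text):
    """Return {host: most specific failure} for every host that logged an error."""
    result = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # progress lines such as "Connecting" carry no error code
        code, args = int(m["code"]), m["args"].split()
        # LogonUser lines carry "<user> <domain>", in the order the thread's log shows
        is_logon = m["call"] == "LogonUser" and len(args) == 2
        account = f"{args[1]}\\{args[0]}" if is_logon else None
        name, hint = HINTS.get(code, ("UNKNOWN", "look up the Win32 error code"))
        finding = {"call": m["call"], "code": code, "name": name,
                   "account": account, "hint": hint}
        prev = result.get(m["host"])
        # A generic access-denied (5) is superseded by any more specific error.
        if prev is None or (prev["code"] == 5 and code != 5):
            result[m["host"]] = finding
    return result

if __name__ == "__main__":
    for host, f in triage(SAMPLE_LOG).items():
        print(f'{host}: {f["call"]} -> {f["code"]} {f["name"]}; check: {f["hint"]}')
```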

Aleksandr Nazaryan

nannunannu, thank you! It really helped.

However, I am still confused why only Windows 7 machines require this trick, while XP and 8/8.1 allow remote deployment without touching the "Access this computer from the network" setting.
« Last Edit: February 11, 2014, 05:34:55 PM by Aleksandr Nazaryan »

nannunannu

  • Guest
Not really sure, but I noticed that OpenSCMImpersonated was mentioned in the log. My best guess is that changes to security rights between the different versions of Windows alter the behavior of the remote deployment tool. Again, as a guess, I'd say that UAC changes introduced with Vista, and carried over (although less intrusive) to 7, have something to do with what you experience (any chance you have a Vista machine you can test to prove that it works the same way your Windows 7 machines do?). It would make sense to me that XP behaves differently in that respect. Not sure why Windows 8 also behaves differently, since it is still in the Windows 6.x family, but we've seen that Microsoft has made some major under-the-hood tweaks from one minor revision to the next.

wpn

  • Guest
Win XP doesn't fail since about anything is an administrator on it and you can do whatever you want remotely....
UAC changed that and you need to have special permissions (as stated in the error) to install on 7

Apparently these permissions have been changed again for 8/8.1 allowing remote install better