You receive an "Access denied" or "The network path was not found" error message when you try to remotely manage a computer that is running Windows XP Service Pack 2 (840634)


The information in this article applies to:

  • Microsoft Windows XP Professional Service Pack 2 (SP2)

SYMPTOMS

When you try to remotely manage a computer that is running Microsoft Windows XP Service Pack 2 (SP2), you may receive an error message that is similar to one of the following error messages:
Computer \\COMPUTERNAME.EXAMPLE.COM cannot be managed. The network path was not found.

Choose 'Connect to another computer' from the Action menu to manage a different computer.
Unable to access the computer ComputerName.
The error was: Access is denied.
Unable to access the computer ComputerName.
The error was: The network path was not found.
Failed to open Group Policy object on ComputerName. You might not have appropriate rights.
Details: The network path was not found.
An object (Computer) with the following name cannot be found: "ComputerName". Check the selected object types and location for accuracy and ensure that you have typed the object name correctly, or remove this object from the selection.
System error 53 has occurred. The network path was not found.

CAUSE

This issue may occur if you try to manage the remote computer by using one of the following Microsoft Management Console (MMC) tools:
  • Certificates
  • Computer Management
  • Device Manager
  • Disk Management
  • Event Viewer
  • Group Policy
  • Indexing Service
  • Internet Protocol Security (Ipsec) Monitor
  • IP Security Policy
  • Local Users and Groups
  • Removable Storage Management
  • Resultant Set of Policy
  • Services
  • Shared Folders
  • WMI Control
Additionally, this issue may occur if you try to manage the remote computer by using the Net.exe tool or if you try to access the remote computer from the following dialog boxes:
  • Select Users, Computers, or Groups
  • Find Users, Contacts, and Groups
  • Net.exe
This issue occurs because the default configuration of the Windows Firewall program in Windows XP SP2 blocks incoming network traffic on Transmission Control Protocol (TCP) port 445. For the administrative tools listed here to connect to a remote computer, that remote computer must permit incoming network traffic on TCP port 445.

RESOLUTION

To resolve this issue, use one of the following methods.

Method 1 and Method 2 describe how to resolve this issue on a per-computer basis. Method 3 describes how to resolve this issue on multiple computers by using Group Policy.

Method 1: Use a the Netsh command-line tool

On the remote Windows XP SP2-based computer, run a netsh command to permit traffic through Windows Firewall on TCP port 445:
  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. Type the following command, and then press ENTER:

    netsh firewall set portopening tcp 445 smb enable

    You receive the following message:Ok.
  3. Quit the command prompt.
To implement this change throughout your organization, run this netsh command-line from a batch file or from a script.

Method 2: Use the Graphical User Interface

On the remote Windows XP SP2-based computer, modify Windows Firewall to permit incoming TCP traffic on port 445:
  1. Click Start, and then click Control Panel.
  2. Click Security Center, and then click Windows Firewall.
  3. Click the Exceptions tab, click to select the File and Printer Sharing check box, and then click Edit.
  4. Click to select the TCP 445 check box, click Change scope, and then take one of the following actions:
    • Click My network (subnet) only.
    • Click Custom list, and then type the IP addresses that you want to manage this computer.
  5. Click OK four times.

Method 3: Use Group Policy to set the 'Allow Remote Administration Exception' policy

Note These steps assume that all the computers that you want to manage by using this policy are in the same organizational unit. For additional information about how use Group Policy, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

These steps assume that Windows Firewall is configured to use the domain profile. The domain profile is the most typical scenario. For additional information about Windows Firewall profiles and about how Windows selects the profile to load, see the Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 guide. To obtain this guide, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

To configure Group Policy to permit the remote administration of your computers, follow these steps.
  1. Create a Group Policy object for the organizational unit that contains the Windows XP SP2-based computers that you want to manage:
    1. Log on to a domain controller.
    2. Click Start, click Run, type dsa.msc in the Open box, and then click OK.
    3. Expand your domain, right-click the organizational unit that you want to create the Group Policy in, and then click Properties.
    4. Click the Group Policy tab, and then click New.
    5. Type a name for the Group Policy object, and then press ENTER.
    6. Click Close.
  2. Log on to a domain member computer that is running Windows XP SP2 as a user who is a member of one or more of the following security groups:
    • Domain Admins
    • Enterprise Admins
    • Group Policy Creator Owners
  3. Click Start, click Run, type mmc in the Open box, and then click OK.
  4. On the File menu, click Add/Remove Snap-in.
  5. On the Standalone tab, click Add.
  6. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.
  7. In the Select Group Policy Object dialog box, click Browse.
  8. Click the Group Policy object that you want to update with the new Windows Firewall settings. For example, click the organizational unit that contains the Windows XP SP2 computers, click OK, and then click the Group Policy object that you created in step 1.
  9. Click OK, and then click Finish.
  10. Click Close, and then click OK.
  11. Under Console Root, expand the Group Policy object that you selected in step 8, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.
  12. In the right pane, double-click Windows Firewall: Allow remote administration exception.
  13. Click Enabled, and then specify the administrative scope in the Allow unsolicited incoming messages from box. For example, to permit remote administration from a particular IP address, type that IP address in the Allow unsolicited incoming messages from box.

    To permit remote administration from a particular subnet, type that subnet by using the Classless Internet Domain Routing (CIDR) format. In this scenario, type 192.168.1.0/24 to specify the network 192.168.1.0 with a 24-bit subnet mask of 255.255.255.0. For additional information about how to specify a valid administrative scope, see the Syntax area of the Setting tab in this policy.
  14. Click OK, and then click Exit on the File menu.

MORE INFORMATION

The client administrative tools are a set of Microsoft Management Console (MMC) snap-ins that let you administer users, computers, services, and other system components on local and remote computers.
Modification Type:MinorLast Reviewed:7/11/2005
Keywords:kbSecurity kbpermissions kbadmin kbnetwork kbtshoot kberrmsg kbprb KB840634 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.