Scan Error 5, 451 or 452 When Scanning A Machine Located In A Workgroup

Version 13



    This document walks you through configuring a machine so that it can be scanned while it is part of a workgroup and not in a domain.




    Although you have the correct credentials, Protect fails to scan a machine that is not part of a domain. Errors include "451: The specified user account requires administrative rights to the target machine", "452: Unable to connect to the remote machine" or "5: Access is Denied".







    Scanning Machines in a Workgroup

      • If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
        1. Click Start, click Run, type regedit, and then press Enter.
        2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
        3. On the Edit menu, point to New, and then click DWORD Value.
        4. Type LocalAccountTokenFilterPolicy and then press Enter.
        5. Right-click LocalAccountTokenFilterPolicy and then click OK.
        6. In the Value data box, type 1, and then click OK.
        7. Exit Registry Editor.

    In some instances, exporting/importing this registry key will not correctly fix the issue. If you imported this key via a .reg file, and you continue getting access denied messages, try deleting the registry value and manually entering it using the steps above.
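The following PowerShell is an added example, not part of the original article or of Protect. It reports whether LocalAccountTokenFilterPolicy exists as a DWORD set to 1 and, if not, deletes and recreates it as the manual steps above do. The function names are hypothetical, and it assumes an elevated session on the machine to be scanned.

```powershell
# Added example: check and apply the registry value described in the steps above.
# Function names are hypothetical; run from an elevated PowerShell session.
$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {
    # Report whether the value is missing, present with the expected
    # type and data (DWORD, 1), or present but different.
    $key = Get-Item -Path $Path -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ State = 'Missing'; Kind = $null; Data = $null }
    }
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    $ok   = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
    [pscustomobject]@{
        State = if ($ok) { 'Correct' } else { 'Wrong' }
        Kind  = $kind
        Data  = $data
    }
}

function Set-TokenFilterPolicy {
    # Mirror the manual fix: leave a correct value alone, otherwise delete
    # whatever is there and create a fresh DWORD with data 1.
    $state = Get-TokenFilterPolicyState
    if ($state.State -eq 'Correct') { return $state }
    if ($state.State -eq 'Wrong') {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 `
        -ErrorAction Stop | Out-Null
    Get-TokenFilterPolicyState
}

# Show the state before and after, so a value left behind by a .reg import
# with unexpected type or data is visible in the output.
Get-TokenFilterPolicyState | Format-List
Set-TokenFilterPolicy      | Format-List
```

Running Get-TokenFilterPolicyState on its own is a read-only check that can be used to audit which workgroup machines currently have the setting applied.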

    For more details on disabling UAC remote restrictions, see



    Additional Information


    Refer to this portion of the Agentless Patch Scanning Prerequisites.


    Affected Versions

    Protect 9.2+