The following is how to troubleshoot when a remote machine share is not able to be searched when searching via Scheduled Task run as the Local System Account.
From within a Client configure the search of the Share to confirm the setting used are correct.
Use those same settings and credentials to configure the search in a Policy on the Console.
If the search is not able to be authenticate to the remote location then perform the following on the endpoint machine.
1. Open an administrative command prompt.
2. Download the PSTools from Microsoft at this link: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
3. Extract the PsExec application from the zip file and save to a folder.
4. In the administrative command window navigate to the location of the extracted PsExec application.
Run the following command:
psexec -i -s cmd.exe
A new command window will launch as the LocalSystem account.
5. To verify that you are the LocalSystem (NT AUTHORITY\SYSTEM) account, run the command:
6. Verify that no other network connections have been made to the share by running the following command:
7. Attempt to connect to the desired share as follows:
net use X: \\sharename /u:domain\username
you will then be prompted for the password
The following error may be reported:
System error 1312 has occurred.
A specified logon session does not exist. It may already have been terminated.
The Client runs system background searches using the LocalSystem (NT AUTHORITY\SYSTEM) account. On the servers selected to use the Spirion Client to search with, the LocalSystem account is unable to connect to the share using the credentials provided. The errors connecting to the share are caused by the OS configuration or credentials provided and have nothing to do with the Client's configuration specifically, since the Spirion Client just uses the available Windows OS to make and manage network connection. Once these OS issues are resolved the Spirion Client should be able to perform background searches of the share provided the account used for the connection has permissions.
To work around this behavior, follow these steps:
- On the endpoint machine, click Start, click Run, type gpedit.msc, and then click OK.
- Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
- In the Policy pane, right-click Network access: Do not allow storage of credentials or .NET Passports for network authentication, click Properties, click Disabled, and then click OK. The corresponding registry name and location is:
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Name: DisableDomainCreds Value: 1 (DWORD)