Last update:
Last verified version: AMC 3.2.1
Overview
This article explains how to repair broken permissions of the ASGARD Agent in Windows. The agent folder has specific permissions in a normal installation. The agent regularly checks for broken permissions and attempts to fix them. If this process fails, you must check and change the permissions manually.
The error manifests itself as follows in C:\Windows\System32\asgard2-agent\log\agent.log:
2023/03/31 12:02:35 ASGARD_THOR: Error: failed to repair permissions: set security info: Access is denied.
The asset appears offline in the Management Center Dashboard.
Prerequisites
- Agent installed and on Windows.
- Admin rights on asset
Expected result
The connection is marked as successful in the agent log.
2026/02/17 12:54:29 ASGARD_GENERIC: Info: {"level":"INFO","time":"2026-02-17T12:54:29+01:00","message":"connecting to asgard ...","component":"controller","address":"nextron-amc-testing.goetz:443","proxy":""}
2026/02/17 12:54:29 ASGARD_GENERIC: Info: {"level":"INFO","time":"2026-02-17T12:54:29+01:00","message":"tcp connection to asgard established","component":"controller","address":"nextron-amc-testing.goetz:443","proxy":"","remote_ip":"192.168.94.1","remote_port":443}
2026/02/17 12:54:29 ASGARD_GENERIC: Info: {"level":"INFO","time":"2026-02-17T12:54:29+01:00","message":"connection with tls secured","component":"controller"}
2026/02/17 12:54:29 ASGARD_GENERIC: Info: {"level":"INFO","time":"2026-02-17T12:54:29+01:00","message":"starting proxy","component":"controller"}
2026/02/17 12:54:31 ASGARD_GENERIC: Info: {"level":"INFO","time":"2026-02-17T12:54:31+01:00","message":"opening control stream","component":"controller"}
The asset appears as successful in the Management Center dashboard.
Steps to reproduce
We wrote a small PowerShell script to help with this process. Test the script before you deploy it in your environment: leave the -WhatIf flag in place to see what the script would do if the permissions are broken. If you are content with the potential changes, remove the -WhatIf arguments. The script needs administrative permissions.
$asgardAgent = "C:\Windows\System32\asgard2-agent"
$asgardAgentTemp = "C:\Windows\Temp\asgard2-agent"

# Agent installation folder: flag it if any access rule is not inherited.
# -contains returns a plain Boolean, so a single non-inherited rule is detected too.
if (Get-Item -Path $asgardAgent | Get-Acl | Where-Object { $_.Access.IsInherited -contains $false }) {
    Write-Host "ASGARD Agent folder permission broken. Trying to fix: $asgardAgent"
    # Set the new Access Rule to inherit permissions
    # (isProtected = $false re-enables inheritance; the second argument is ignored in that case)
    $newAcl = Get-Acl -Path $asgardAgent
    $newAcl.SetAccessRuleProtection($false, $true)
    Set-Acl $asgardAgent -AclObject $newAcl -WhatIf
}

# Agent temp folder: same check and repair
if (Get-Item -Path $asgardAgentTemp | Get-Acl | Where-Object { $_.Access.IsInherited -contains $false }) {
    Write-Host "ASGARD Agent folder permission broken. Trying to fix: $asgardAgentTemp"
    # Set the new Access Rule to inherit permissions
    $newAcl = Get-Acl -Path $asgardAgentTemp
    $newAcl.SetAccessRuleProtection($false, $true)
    Set-Acl $asgardAgentTemp -AclObject $newAcl -WhatIf
}

# Files and subfolders of the agent folder (-Recurse -Depth 1): same check and repair per item
Get-ChildItem -Path $asgardAgent -Recurse -Depth 1 | Get-Acl | Where-Object { $_.Access.IsInherited -contains $false } | ForEach-Object {
    $fullPath = Convert-Path $_.Path
    Write-Host "ASGARD Agent folder permission broken. Trying to fix: $fullPath"
    # Set the new Access Rule to inherit permissions
    $newAcl = Get-Acl -Path $_.Path
    $newAcl.SetAccessRuleProtection($false, $true)
    Set-Acl $_.Path -AclObject $newAcl -WhatIf
}
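Before removing -WhatIf, it is useful to record the current state so the change can be reviewed and reverted. The following read-only audit is an added example, not part of the script above or of the ASGARD product; it uses the paths and log message from this article, and the output file name is an assumption.

```powershell
# Added example: read-only audit; it changes no ACL. Run as administrator.
$asgardAgent     = "C:\Windows\System32\asgard2-agent"         # from the article
$asgardAgentTemp = "C:\Windows\Temp\asgard2-agent"             # from the article
$agentLog        = Join-Path $asgardAgent "log\agent.log"      # from the article
$backupCsv       = Join-Path $env:TEMP "asgard2-agent-acl.csv" # assumed output file

# 1. Is the agent reporting the repair failure quoted in the article?
if (Test-Path -LiteralPath $agentLog) {
    $hits = @(Select-String -LiteralPath $agentLog -SimpleMatch "failed to repair permissions")
    Write-Host "agent.log: $($hits.Count) 'failed to repair permissions' entries"
    if ($hits.Count -gt 0) { Write-Host "Most recent: $($hits[-1].Line)" }
}

# 2. Collect both folders plus the child items the repair script inspects.
$roots = @(@($asgardAgent, $asgardAgentTemp) | Where-Object { Test-Path -LiteralPath $_ })
$items = @($roots | ForEach-Object { Get-Item -LiteralPath $_ })
if (Test-Path -LiteralPath $asgardAgent) {
    $items += @(Get-ChildItem -LiteralPath $asgardAgent -Recurse -Depth 1)
}

# 3. Record owner, inheritance state, explicit rules and the full SDDL per item.
#    An item whose ACL cannot even be read is recorded with the error text.
$report = foreach ($item in $items) {
    $row = [ordered]@{ Path = $item.FullName; Owner = $null; InheritanceDisabled = $null
                       ExplicitAces = $null; Sddl = $null; Error = $null }
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $row.Owner               = $acl.Owner
        $row.InheritanceDisabled = $acl.AreAccessRulesProtected
        $row.ExplicitAces        = ($explicit | ForEach-Object {
            "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }) -join "; "
        $row.Sddl                = $acl.Sddl
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# 4. Keep a backup of every descriptor and show only the items that deviate.
$report | Export-Csv -LiteralPath $backupCsv -NoTypeInformation -Encoding UTF8
$report | Where-Object { $_.InheritanceDisabled -or $_.ExplicitAces -or $_.Error } |
    Format-List Path, Owner, InheritanceDisabled, ExplicitAces, Error
Write-Host "ACL backup written to $backupCsv"
```

To revert a single item later, load its saved Sddl value into an ACL object with SetSecurityDescriptorSddlForm() and apply it with Set-Acl.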