
Logon auditing shown as disabled but it's not true


8 replies to this topic

#1 smetts

Posted 12 April 2017 - 05:29 PM

Hello there,

 

I'm having an issue with Netwrix Account Lockout Examiner Console. I have all the right Group Policy mods in place suggested by the Netwrix admin PDF but I'm still getting the "Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC."

 

I already re-installed the app and I also removed and re-added the DC in there multiple times but I'm still getting the same issue.

 

I also ran a gpupdate /force and tried again. I also removed the old .csv file that contained older settings. I'm not sure what else to do at this point.

 

I'm getting a secondary error when I run a basic examination of a lockout too. While the account is locked out, I'm getting an error in the Examining logon sessions where the result says "Failed due to the following error: This user can't sign in because this account is currently disabled. [Exception from HRESULT: 0x80070533]."

 

That only seems to happen while the account is locked out. The account is NOT disabled.



#2 jeffb

Posted 14 April 2017 - 01:44 PM

In regards to:

 

"Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC"

 

Log onto the server where Account Lockout Examiner (ALE) is installed and open an elevated command prompt.  Run the following command and paste the output:

 

auditpol /get /category:*

 

In regards to:

 

"Failed due to the following error: This user can't sign in because this account is currently disabled. [Exception from HRESULT: 0x80070533]"

 

What is the target workstation OS? Are there any related warnings in the system, security, application logs on this workstation? What user sessions were opened on the target workstation during examination?

 

-Jeff



#3 smetts

Posted 17 April 2017 - 01:18 PM

Thanks for the response but it looks like it started working on its own. I have a new question though...

 

Is there a way to figure out what the workstation source is without running different searches on each machine individually? Our problem is that we don't know what machine is causing the lockout.



#4 jeffb

Posted 17 April 2017 - 01:46 PM

The Workstation is a column in the interface.  If it is blank then you can look on the domain controller for the 4740 event in the Security Event Log, which has a workstation or caller computer name field.  However, most likely it is blank as well, which means Windows has no idea where it is coming from, and it may be a non-Windows machine perhaps.

 

-Jeff



#5 smetts

Posted 17 April 2017 - 02:03 PM

When I put in the account name and click on examine, it requires me to put a machine in. I select our main DC. I went ahead and ran that search. When the search results come up though, all that show up for the results for invalid logons are the DCs (especially repeatedly for the main one). Does this actually indicate that the issue lies with the main DC somehow?



#6 jeffb

Posted 21 April 2017 - 05:43 PM

The computer you specify for examination would be a target workstation where the failed logon is originating from and not a domain controller.

 

-Jeff



#7 smetts

Posted 25 April 2017 - 04:49 PM

We're trying to find out where the original lockout started but we don't know. So we would have to target all the machines for individual inspection then?



#8 jeffb

Posted 25 April 2017 - 04:53 PM

If there is no Workstation specified in the product console for that lockout then the domain controller doesn't even have that information.  Please see my previous reply in regards to the lockout event on the domain controller and the caller computer field...

 

-Jeff
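
The 4740 lookup described in the replies above, as an added example that is not part of the original thread or the product's own code: it reads lockout events as XML and tallies the caller computer per account, reporting blank callers explicitly. In the 4740 event XML the "Caller Computer Name" value is carried in the `TargetDomainName` data field; the function names `New-SampleEvent` and `Get-LockoutSource` and all host and account names are hypothetical.

```powershell
# Added example: summarise lockout sources from event 4740 XML.
# Constructed sample data: DC01, DC02, WKS-017, WKS-099, jdoe, asmith are made-up names.
function New-SampleEvent($Time, $Dc, $User, $Caller) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4740</EventID><TimeCreated SystemTime='$Time'/>" +
    "<Computer>$Dc</Computer></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data>" +
    "<Data Name='TargetDomainName'>$Caller</Data></EventData></Event>"
}

$sample = @(
    (New-SampleEvent '2017-04-17T13:02:11Z' 'DC01' 'jdoe'   'WKS-017'),
    (New-SampleEvent '2017-04-17T13:40:52Z' 'DC02' 'jdoe'   'WKS-017'),
    (New-SampleEvent '2017-04-17T14:05:30Z' 'DC01' 'jdoe'   ''),
    (New-SampleEvent '2017-04-17T14:06:02Z' 'DC01' 'asmith' 'WKS-099')
)

function Get-LockoutSource {
    param([string[]]$EventXml, [string]$Account)
    foreach ($x in $EventXml) {
        $ev = ([xml]$x).Event
        # Index EventData by field name rather than relying on field order
        $data = @{}
        foreach ($d in $ev.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($Account -and $data['TargetUserName'] -ne $Account) { continue }
        # "Caller Computer Name" in the event viewer is TargetDomainName in the XML
        $caller = $data['TargetDomainName']
        [pscustomobject]@{
            Time    = $ev.System.TimeCreated.SystemTime
            DC      = $ev.System.Computer
            Account = $data['TargetUserName']
            # A blank caller means the DC did not record where the attempts came from
            Caller  = if ([string]::IsNullOrWhiteSpace($caller)) { '(blank)' } else { $caller }
        }
    }
}

$hits = Get-LockoutSource -EventXml $sample -Account 'jdoe'
$hits | Format-Table -AutoSize
$hits | Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name

# Live use on a DC (needs rights to read the Security log):
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} |
#          ForEach-Object { $_.ToXml() }
#   Get-LockoutSource -EventXml $xml -Account 'jdoe'
```

Lockout events are written on the domain controller that processed the lockout, so the live query may need to be run against each DC.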



#9 bryan.phelps

Posted 07 June 2017 - 09:35 PM

I am having the same issue of DCs showing auditing is disabled in Lockout Examiner but if I run RSOP I can see that auditing is enabled via our top level default domain policy as well as the default domain controller policy. Any ideas?





