Installed, but cannot load anything (alservice error + domain controller)



#1 4EverMaAT


Posted 08 March 2019 - 01:58 PM

VPS:  Windows 2008 R2 SP1 x64 bit. Intel 3.x Ghz quad-core processor, 4GB ram, unshared.

 

1) I installed the Netwrix Account Lockout Examiner on my VPS to diagnose lockout problem with one of my accounts. I am getting this error message:

This request operation sent to net.pipe://localhost/ALService/Settings did not receive a reply within the configured timeout (00:02:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

Then when I press OK, the ALE Console just closes out. So I must open it again and try again. I did this about 5 times. Then finally I still got some progress here

 

Attached File  ALE finally connects but nothing useful.png   41.38KB   0 downloads

 

 

But still no useful info. No historical info on locked out accounts is available.

 

 

2) I'm not sure which name is correct for the "domain name" or "domain controller". I assumed it is the same domain name I use to connect to my VPS. I am the Administrator of my Windows VPS. I do know that each Windows VPS is optimized to run like a desktop in the cloud so to speak. So I don't have Active Directory capability (or I have it but it is disabled by default)

 

I only use the VPS as a cloud desktop (always on, fast internet connection, etc).

 

To be honest, ALE has been one of the more difficult pieces of software to install and obtain information with.  And there is not even a verbose log that I can see where the error is coming from (e.g. what can Netwrix Account Lockout Examiner see/read vs what it cannot see/read).

 

------

 

Original problem was that one of my regular user accounts suddenly experienced lockout (I could not login remotely).  Only by disabling the Group Policy related to  This is after using the same vps for several years without any issues.   I don't regularly install new software, but it was recently rebooted and I've been having the lockout problem ever since.   Since the account was disposable, I ended up moving needed files to a new user account, deleting the problem account, and I've had no lockout issues with the new account.

 

We rebooted vps and changed the RDP random port without success.   According to the VPS provider, it is not coming from an external source trying to connect to the VPS.  It is some software or system process on the VPS that is somehow continuously attempting to log into the problem account.  If I disabled the account lockout policy via Group Policy completely, then I could login to the locked out accounts without any issue.

 

Not sure why this process is so difficult to track down, and why we laypersons must go through so much trouble to get some readable info from some related logs. But I did not build Windows OS. After some Google searches, this Netwrix program kept coming up.



#2 Kirill K


Posted 13 March 2019 - 10:12 AM

Hi there,

 

I think the problem is caused by this:

 

So I don't have Active Directory capability (or I have it but it is disabled by default)

 

 

Account Lockout Examiner (ALE) collects event ID #4740 from the primary domain controller or all domain controllers, depending on configuration settings, then collects event ID #4625 from all workstations to figure out the reason for the lockout.

1. ALE operates with Active Directory.

2. The data processing account of ALE should have sufficient permissions to collect events; the particular permissions can be found in the documentation.


Best regards,
Forum Engineer
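
The two event IDs named in the reply above can also be read directly from the local Security log, which is where a standalone machine records them. This is an added example, not part of the original thread and not Netwrix code; the function name, the one-day look-back window and the assumption that logon-failure and account-management auditing are enabled are all choices made for this sketch. It avoids PowerShell 3.0+ syntax so it also runs on the PowerShell 2.0 shipped with Windows 2008 R2.

```powershell
# Added example (not from the thread): list lockouts (4740) and summarise
# failed logons (4625) from the local Security log.
# Run from an elevated PowerShell prompt.
# Assumption: auditing of logon failures and account management is enabled.

function Get-LockoutEvidence {        # hypothetical helper name
    param([datetime]$StartTime)

    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a flat list of <Data Name="...">value</Data> nodes
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = $data['TargetUserName']
                # The fields below are only populated for 4625
                LogonType   = $data['LogonType']
                SourceIp    = $data['IpAddress']
                Workstation = $data['WorkstationName']
                Process     = $data['ProcessName']
                SubStatus   = $data['SubStatus']
            }
        }
}

$since  = (Get-Date).AddDays(-1)      # look-back window, adjust as needed
$events = @(Get-LockoutEvidence -StartTime $since)

# When each account was locked out
$events | Where-Object { $_.EventId -eq 4740 } |
    Sort-Object Time | Format-Table Time, Account -AutoSize

# What is generating the bad passwords, most frequent first.
# LogonType 2 = interactive, 3 = network, 4 = batch (scheduled task),
# 5 = service, 10 = RemoteInteractive (RDP).
$events | Where-Object { $_.EventId -eq 4625 } |
    Group-Object Account, LogonType, SourceIp, Workstation, Process |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize -Wrap
```

A high count with logon type 4 or 5 and a local process name points at a scheduled task or service holding a stale password, while type 3 or 10 with a remote address in SourceIp points at something connecting over the network.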
 


#3 4EverMaAT


Posted Today, 10:14 AM

Hi. I did not get a notification that someone replied. I checked back for a couple of days and I didn't get an answer. I assumed no answer was given. I solved the original problem by just using a new user account. But now the problem is back on the other user account.

 

I'm not 100% sure about the Active Directory thing. But I just know that I can use my VPS just like anyone else with administrator access. Is there a way to check to see if ALE has all the permissions it needs? ALE does not produce any logs.

 

I tried again today to load ALE (no upgrading of software) and it seems that at least the Administrator shows.

 

By waiting another minute, it seems two out of 3 usernames on the system show up. But the only useful info is the bad pwd count. I cannot seem to see who (IP address, etc) is attempting to connect. There is no "details" or link to additional log details.

The 3rd user account (there are a total of 3 user accounts on this system) is not showing up in the ALE list. I don't know why. And when I press "Add/Find" I get an error "The program cannot open the required dialog box because no locations can be found.  Close this message, and try again"

 

Attached File  netwrix account lockout examiner blurred cannot add new user.png   32.23KB   0 downloads

 

No one else knew about the username as I did not share this with anyone. And Administrator's Bad Pwd count is increasing also. I only have one computer with these stored credentials and I am able to login to the administrator account without any issues. The new username's acct worked fine for 3 months and now the problem is back. The previous username (in the OP) worked for years without any problems.

 

Here is the screenshot.   What does the yellow exclamation mark mean?

Attached File  netwrix account lockout examiner blurred.png   48.04KB   0 downloads



#4 4EverMaAT


Posted Today, 05:17 PM

Should the ALEService.exe run as Administrator or as LOCAL SERVICE/SYSTEM?

It's currently running as an Administrator and it uses up 1/2 of one of my cores.

 

I went into the Services > Netwrix Account Lockout Examiner service properties (ALService) >> Log On >> changed the user to Local System (it was an Administrator)

 

Attached File  netwrix ALE change ALService Logon User to Local System account.png   11.46KB   0 downloads

 

Stopped and Started the service again to activate the change.

 

The yellow ! went away :) (see previous post screenshot).  It is now green.

 

Attached File  netwrix ALE yellow exclaimation mark now green.png   35.42KB   0 downloads

 

 

And the processor usage is 0-2% and bursts to 6-14% for a couple of seconds for SYSTEM user

 

Previously, CPU usage was 11-16% constantly when ALService.exe was run as Administrator user.

 

Note:  ALTool.exe still runs as Administrator.  I assume this is not important, and it uses almost no CPU.

 

 

 

----

 

PS: Why do I only have less than 0.5MB of upload space (attachments)? One large image could wipe that out.





