
Account Lockout Examiner - Service account denied reading logs on 2 DC's



#1 Menz


Posted 06 June 2014 - 03:13 PM

Hello,
I have 10 DC's and on just two of the DC's the service account is "Access Denied" when trying to read the logs, and one DC is reading "Quota Violation". The account I am using is a Domain Admin account and has no issues at all with the other 7 DC's. My domain functional level is 2003, as 8 of my 10 DC's are 2003; the other two are 2008 R2. The two where access is denied are 2003.

I do not know how to troubleshoot this. The service account I set to collect logs is able to log on to the server locally. Since it is a DC there are no local admin groups to add the user account to. There is nothing in the event viewer on the 3 troubled DC's pertaining to this. Netwrix phone support won't help me either, even though I have paid for other products from them.

How do I troubleshoot this???

thanks in advance

Mike

#2 Administrator


Posted 06 June 2014 - 04:34 PM

Hi Menz,
Try to connect to the problematic DCs with the Event Viewer using your service account. Also check whether the service account has the Manage auditing and security log user right, and try to perform the steps from the following KB: https://www.netwrix.com/kb/1396

#3 Menz


Posted 06 June 2014 - 04:42 PM

> Hi Menz,
> Try to connect to the problematic DCs with the Event Viewer using your service account. Also check whether the service account has the Manage auditing and security log user right, and try to perform the steps from the following KB: https://www.netwrix.com/kb/1396

Thank you for the reply. I looked at that article.... It refers to an account that is NOT a domain admin. The account I am using IS a domain admin. Being that it is a domain admin, it is already part of the "manage auditing and security logs" group (yes, I checked and verified). So.... the steps in the article are not necessary as it is already a domain admin account.

any other ideas for me to try?

#4 Administrator


Posted 06 June 2014 - 04:45 PM

> Thank you for the reply. I looked at that article.... It refers to an account that is NOT a domain admin. The account I am using IS a domain admin. Being that it is a domain admin, it is already part of the "manage auditing and security logs" group (yes, I checked and verified). So.... the steps in the article are not necessary as it is already a domain admin account.
>
> any other ideas for me to try?

What about connecting with Event Viewer? Were you able to connect?

#5 Menz


Posted 06 June 2014 - 04:51 PM

Yes, I am able to connect to the event viewer on both problematic DC's using the event viewer from my local machine but using the service account as the user.

#6 Menz


Posted 10 June 2014 - 04:19 PM

any update for me??

#7 Menz


Posted 01 July 2014 - 07:07 PM

still no update for me..... is this support forum dead???

#8 Administrator


Posted 13 October 2014 - 05:17 PM

Menz,
  • Open the Registry Editor (navigate to Start --> Run and type regedit).
  • Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
  • Locate the readlog key and set its value to 0.
  • Create a new key called UseWatcher, set its type to DWORD and value to 1.
  • Restart NetWrix Account Lockout Examiner Service via services.msc

Also try to connect to the problematic DC's root\cimv2 namespace with the wbemtest tool.

#9 Menz


Posted 13 October 2014 - 06:34 PM

Well.... thanks for the reply but..... this was over 3 months ago. I have (in the 3 months that I was waiting for an answer) since decommissioned the problematic DC's and removed them from my domain. I have no idea if your above answer will work, just wish I got it 3 months ago so I could tell future users that may have this issue.

#10 mattsim


Posted 19 December 2016 - 10:51 PM

> Menz,
>
>   • Open the Registry Editor (navigate to Start --> Run and type regedit).
>   • Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
>   • Locate the readlog key and set its value to 0.
>   • Create a new key called UseWatcher, set its type to DWORD and value to 1.
>   • Restart NetWrix Account Lockout Examiner Service via services.msc
>
> Also try to connect to the problematic DC's root\cimv2 namespace with the wbemtest tool.

The above registry change worked for me. I hope this helps someone else.
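
The root\cimv2 check and the registry steps from reply #8, as an added PowerShell example (not part of the thread and not Netwrix code). The service display-name pattern, the backup file path and the sample DC names are assumptions; run it in an elevated Windows PowerShell 5.1 session on the Account Lockout Examiner host.

```powershell
# Names taken from the thread: the registry path, 'readlog', 'UseWatcher', root\cimv2.
# Assumptions: service display-name pattern, backup file location, sample DC names.

function Test-DcLogAccess {
    param([string[]]$ComputerName, [pscredential]$Credential)
    foreach ($dc in $ComputerName) {
        try {
            # Same namespace the thread tests with wbemtest. DCOM-based WMI is
            # used so Server 2003 DCs without WinRM can be checked as well.
            $log = Get-WmiObject -ComputerName $dc -Namespace 'root\cimv2' `
                -Class Win32_NTEventlogFile -Filter "LogfileName='Security'" `
                -Credential $Credential -EnableAllPrivileges -ErrorAction Stop
            [pscustomobject]@{ DC = $dc; Ok = $true; Detail = "$($log.NumberOfRecords) records" }
        } catch {
            # Keep the per-DC error text so the failing DCs can be compared.
            [pscustomobject]@{ DC = $dc; Ok = $false; Detail = $_.Exception.Message }
        }
    }
}

function Set-AleWatcherMode {
    # Wow6432Node applies on x64 only, so use whichever key exists.
    $candidates = 'HKLM:\SOFTWARE\Wow6432Node\NetWrix\Account Lockout Examiner',
                  'HKLM:\SOFTWARE\NetWrix\Account Lockout Examiner'
    $key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key) { throw 'Account Lockout Examiner registry key not found.' }

    # Record the current values so the change can be reverted.
    $before = Get-ItemProperty -Path $key
    $before | Select-Object readlog, UseWatcher |
        ConvertTo-Json | Set-Content "$env:TEMP\ale-registry-before.json"

    if ($null -eq $before.readlog) {
        # The thread says to locate the value, not create it, and gives no type.
        Write-Warning "'readlog' is absent under $key; leaving it uncreated."
    } else {
        Set-ItemProperty -Path $key -Name readlog -Value 0   # no -Type given
    }
    New-ItemProperty -Path $key -Name UseWatcher -PropertyType DWord -Value 1 -Force | Out-Null

    # Assumption: the service display name contains this text.
    Get-Service -DisplayName '*Account Lockout Examiner*' | Restart-Service
    Get-ItemProperty -Path $key | Select-Object readlog, UseWatcher
}

# Test-DcLogAccess -ComputerName 'DC01','DC02' -Credential (Get-Credential)   # sample names
# Set-AleWatcherMode
```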





