
Audit status of "Access is denied" even with all KB 1396 changes in place


12 replies to this topic

#1 CORbills


Posted 15 May 2018 - 08:53 PM

We are trying to get ALE working with a dedicated service account along a "least permissions" model rather than using a user account in Domain Admins. We have checked (and double checked) all changes match with https://www.netwrix.com/kb/1396 and in addition have confirmed "Read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security on the monitored domain controller(s)" per the Quick Start Guide (page 8) is configured for the service account.

 

Connection shows as "OK" but Audit Status shows as "Access is denied."

As a test we changed to an account in Domain Admins group and it worked without this issue. I am certain the changes in https://www.netwrix.com/kb/1396 are in place for the account in question.

 

What else should I look into? DCs are 2012 R2 (only using PDCe at this time) and ALE running on Server 2016 Standard VM.

 

EDIT: In addition, if I add the dedicated service account to Built-In "Administrators" group in AD, which of course adds a lot more permissions on the DCs, it works fully as well. This also suggests the audit settings are correct but for some reason not readable by the dedicated service account created according to the linked KB article. What additional permission needs to be added to allow this to work?



#2 CORbills


Posted 16 May 2018 - 08:07 PM

Reading over some related posts, I saw http://forum.netwrix...?showtopic=2401 and wonder if I need to disable UAC somewhere. Note that in my case, with the service account with least privilege granted per Netwrix KB referenced in original post, this never worked, and the need to disable UAC is not discussed.



#3 AndreyK


Posted 18 May 2018 - 02:06 PM

Hello,

 

Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?

Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.

If you get 'Access denied' then the issue is related to your environment.

Disabling UAC on the ALE server is a good test as well.

 

Also please make sure that Manage auditing and security log policy you configured for the account is not being overwritten by other GPOs.

 

Let us know the results.

AndreyK



#4 Rickh


Posted 18 May 2018 - 02:50 PM

Hi, I have the same problem on Win2012r2 Netwrix server and Win2012R2 DC's.

All the steps have been followed, checked and rechecked.

Netwrix only connects to the PDC but to be sure the WMI and DCOM settings have been set on all DC's.

The DC's have been rebooted.
Connecting with the service account to the DC eventviewer works without a problem.

Security Group settings are not overwritten by GPO.
I have manually given the service account read permissions on the DC regkey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
UAC is disabled on the Netwrix server via these registry settings, the Netwrix server has also been restarted;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUE=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=1

 

Still the connection is OK but Audit status is Access denied.

What else can be done? Thank you.

 



#5 CORbills


Posted 18 May 2018 - 05:13 PM

> Hello,
>
> Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?
>
> Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.
>
> If you get 'Access denied' then the issue is related to your environment.
>
> Disabling UAC on the ALE server is a good test as well.
>
> Also please make sure that Manage auditing and security log policy you configured for the account is not being overwritten by other GPOs.
>
> Let us know the results.
>
> AndreyK

This works perfectly (opening Event Viewer, connecting to PDCe using configured service account, and viewing Security log) and my process and experience matches exactly those of Rickh who commented in this thread, except that I have not done the UAC disabling.



#6 CORbills


Posted 24 May 2018 - 05:03 PM

Hope for additional follow-up here, especially because someone else has experienced a similar issue. Is Netwrix staff monitoring this forum? We are actually a paying Netwrix Auditor customer and really hope we can get help with this issue.



#7 Rickh


Posted 01 June 2018 - 08:57 AM

I have followed multiple guides on configuring remote WMI access for non admins, nothing works.

I have made the user a domain admin and set that as primary group and restarted the Netwrix service, even that did not work.
I then changed HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix\Account Lockout Examiner\useWMI_audit to 0 and now the status is OK but also the 'Examine' function works which did not before.
So for now that will be my workaround. Does anybody know what does not function when WMI Audit is set to 0?
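
Added example, not part of any post in this thread and not Netwrix code: the Event Viewer test from post #3 exercises only the event log RPC path, while the useWMI_audit value in post #7 suggests the audit check can go through WMI. This Windows PowerShell 5.1 script, run on the ALE server, tries both paths as the service account so the failing layer is visible. The DC name is a placeholder, and reading useWMI_audit as a WMI toggle is an assumption based on its name.

```powershell
# Added example. Run in Windows PowerShell 5.1 on the ALE server.
$DomainController = 'dc01.example.test'   # placeholder, not a name from the thread
$Credential = Get-Credential -Message 'Least-privilege service account'

# Runs one check and reports OK/FAILED with the error text instead of stopping.
function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try {
        $result = & $Action
        # A filtered WMI query can succeed and still return no instance.
        if ($null -eq $result) { throw 'Call succeeded but returned nothing' }
        [pscustomobject]@{ Check = $Name; Result = 'OK'; Detail = '' }
    } catch {
        [pscustomobject]@{ Check = $Name; Result = 'FAILED'; Detail = $_.Exception.Message }
    }
}

# Parameters shared by every remote call below.
$common = @{ ComputerName = $DomainController; Credential = $Credential; ErrorAction = 'Stop' }

$checks = @(
    # Same path Event Viewer uses when connecting to another computer.
    Test-Step 'Security log over event log RPC' {
        Get-WinEvent @common -LogName Security -MaxEvents 1
    }
    # Needs DCOM remote launch/activation and WMI namespace rights on the DC.
    Test-Step 'WMI/DCOM connection to root\cimv2' {
        Get-WmiObject @common -Namespace 'root\cimv2' -Class Win32_OperatingSystem
    }
    # Also needs the "Manage auditing and security log" right (SeSecurityPrivilege).
    Test-Step 'Security log object through WMI' {
        Get-WmiObject @common -EnableAllPrivileges -Class Win32_NTEventlogFile -Filter "LogfileName='Security'"
    }
)
$checks | Format-List
```

If the first check passes and the second or third fails, the gap is on the WMI/DCOM side for that account rather than in the event log permissions.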
 



#8 CORbills


Posted 01 June 2018 - 11:21 PM

Any chance of input from a moderator or other Netwrix employee on this?



#9 CORbills


Posted 15 October 2018 - 09:05 PM

> Hello,
>
> Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?
>
> Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.
>
> If you get 'Access denied' then the issue is related to your environment.
>
> Disabling UAC on the ALE server is a good test as well.
>
> Also please make sure that Manage auditing and security log policy you configured for the account is not being overwritten by other GPOs.
>
> Let us know the results.
>
> AndreyK

 

AndreyK, any idea how to get Netwrix Moderators to engage on this topic?



#10 rihuka


Posted 22 October 2018 - 10:43 AM

Hi there,

 

If you are a paying customer, please go ahead and submit a ticket via the customer portal (https://www.netwrix.com/sign_in.html); our support engineers will assist you at once.

Would you please confirm whether "Access Denied" occurs when Domain Admins permissions are assigned to the service account?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#11 CORbills


Posted 14 November 2018 - 10:28 PM

Thank you for updating. We are Netwrix Auditor customers - will they provide support on this free tool for us? That would be great. It does work when I use a service account which is a member of Domain Admins, as well as if I add the account to "Administrators" group in the domain, which of course includes "Domain Admins" group in members.

 

> Hi there,
>
> If you are a paying customer, please go ahead and submit a ticket via the customer portal (https://www.netwrix.com/sign_in.html); our support engineers will assist you at once.
>
> Would you please confirm whether "Access Denied" occurs when Domain Admins permissions are assigned to the service account?



#12 CORbills


Posted 14 November 2018 - 10:33 PM

I've opened ticket 00266427 in reference to this.



#13 rihuka


Posted 15 November 2018 - 06:59 AM

In this case KB1396 should work; if it does not, you should double check all the steps of the KB.

I have deployed a test environment, applied granular permissions according to the KB and finally it works, so I am pretty sure you are missing something.

Regarding the license, our technical support engineers will assist you, unless the license has been purchased for Netwrix Auditor only, because Netwrix Auditor and ALE are separate products.

 

> Thank you for updating. We are Netwrix Auditor customers - will they provide support on this free tool for us? That would be great. It does work when I use a service account which is a member of Domain Admins, as well as if I add the account to "Administrators" group in the domain, which of course includes "Domain Admins" group in members.

 


Best regards,
Kirill Kirkov
T2 Support Engineer
 



