Jump to content


Photo

Netwrix Auditor: Failed to obtain system audit status. However user has permission

Auditor

  • Please log in to reply
3 replies to this topic

#1 punkrulz

punkrulz

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 24 May 2018 - 01:05 PM

Hello all,

 

We have been working on switching over to a user account that does not have Domain Administrator permissions on the domain to be able to audit both Active Directory and Group Policy. We have added this user account under the group policy for "Manage auditing and security log Properties". Unfortunately, for each of the domain controllers, we get the following error message:

 

Managed Object: DOMAINNAME

 

The following error has occurred while processing 'DOMAINCONTROLLER.DOMAINNAME.com':

 

Failed to obtain system audit status. Error: Access is denied (Code:5). Error details: Overlapped I/O operation is in progress. This warning can be ignored and/or turned off (using IgnoreAuditStatusCheckError registry setting) if you are sure that auditing is setup correctly.

 

I do believe we are receiving proper auditing, however I am not sure if we are missing anything due to this error message. These errors occur for all 10 of the domain controllers. I've also verified that:

 

1) The group policy where Manage Auditing and security log Properties is set is in fact applied to the OU where the domain controllers are.

2) The group policy is in fact applied to all of the domain controllers, and the user account in question is definitely listed as having this access.

 

Any thoughts?



#2 SergioS

SergioS

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 28 May 2018 - 03:39 PM

The message indicates the account does not have access to check the audit settings. Most likely it does not have permissions to logon locally on domain controllers. Netwrix Account needs to be able to logon to the domain controllers. Please check if this is the case. 



#3 punkrulz

punkrulz

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 13 June 2018 - 02:47 PM

Sergio,

 

Thanks for the reply, and sorry for the late response. I have updated Group Policy to allow the Netwrix Audit Account to logon locally to the domain controllers, but that has had no effect. We will receive the same error messages, even though we appear to be receiving the notifications fine and the content is populated with changes that have been made.

 

Do we know if anything is actually "broken" at this point?



#4 SergioS

SergioS

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 06 July 2018 - 03:06 PM

Apologize for the delay in my response as well. The warning says: "This warning can be ignored and/or turned off (using IgnoreAuditStatusCheckError registry setting) if you are sure that auditing is setup correctly." So if the product reports on the changes made in AD, I don't think you should worry about it.  

 

Best regards,

Sergio






0 user(s) are reading this topic

0 members, guests, anonymous users