
Audit status of "Access is denied" even with all KB 1396 changes in place


8 replies to this topic

#1 CORbills


Posted 15 May 2018 - 08:53 PM

We are trying to get ALE working with a dedicated service account along a "least permissions" model rather than using a user account in Domain Admins. We have checked (and double checked) that all changes match https://www.netwrix.com/kb/1396 and in addition have confirmed "Read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security on the monitored domain controller(s)" per the Quick Start Guide (page 8) is configured for the service account.

 

Connection shows as "OK" but Audit Status shows as "Access is denied."

As a test we changed to an account in Domain Admins group and it worked without this issue. I am certain the changes in https://www.netwrix.com/kb/1396 are in place for the account in question.

 

What else should I look into? DCs are 2012 R2 (only using PDCe at this time) and ALE running on Server 2016 Standard VM.

 

EDIT: In addition, if I add the dedicated service account to Built-In "Administrators" group in AD, which of course adds a lot more permissions on the DCs, it works fully as well. This also suggests the audit settings are correct but for some reason not readable by the dedicated service account created according to the linked KB article. What additional permission needs to be added to allow this to work?



#2 CORbills


Posted 16 May 2018 - 08:07 PM

Reading over some related posts, I saw http://forum.netwrix...?showtopic=2401 and wonder if I need to disable UAC somewhere. Note that in my case, with the service account with least privilege granted per the Netwrix KB referenced in the original post, this never worked, and the need to disable UAC is not discussed.



#3 AndreyK


Posted 18 May 2018 - 02:06 PM

Hello,

 

Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?

Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.

If you get 'Access denied' then the issue is related to your environment.

Disabling UAC on the ALE server is a good test as well.

 

Also please make sure that Manage auditing and security log policy you configured for the account is not being overwritten by other GPOs.

 

Let us know the results.

AndreyK



#4 Rickh


Posted 18 May 2018 - 02:50 PM

Hi, I have the same problem on a Win2012R2 Netwrix server and Win2012R2 DCs.

All the steps have been followed, checked and rechecked.

Netwrix only connects to the PDC, but to be sure, the WMI and DCOM settings have been set on all DCs.

The DC's have been rebooted.
Connecting with the service account to the DC eventviewer works without a problem.

Security Group settings are not overwritten by GPO.
I have manually given the service account read permissions on the DC regkey HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
UAC is disabled on the Netwrix server via these registry settings, the Netwrix server has also been restarted;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUE=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=1

 

Still the connection is OK but Audit status is Access denied.

What else can be done? Thank you.

 



#5 CORbills


Posted 18 May 2018 - 05:13 PM


This works perfectly (opening Event Viewer, connecting to the PDCe using the configured service account, and viewing the Security log), and my process and experience match exactly those of Rickh, who commented in this thread, except that I have not done the UAC disabling.



#6 CORbills


Posted 24 May 2018 - 05:03 PM

Hoping for additional follow-up here, especially because someone else has experienced a similar issue. Is Netwrix staff monitoring this forum? We are actually a paying Netwrix Auditor customer and really hope we can get help with this issue.



#7 Rickh


Posted 01 June 2018 - 08:57 AM

I have followed multiple guides on configuring remote WMI access for non-admins; nothing works.

I have made the user a domain admin and set that as the primary group and restarted the Netwrix service; even that did not work.
I then changed HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix\Account Lockout Examiner\useWMI_audit to 0 and now the status is OK, and the 'Examine' function also works, which it did not before.
So for now that will be my workaround. Does anybody know what does not function when WMI Audit is set to 0?
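The thread separates three access paths that can each fail independently: the Event Log API that AndreyK's Event Viewer test in #3 exercises, the EventLog\Security registry key from KB 1396, and the WMI/DCOM path that Rickh's useWMI_audit = 0 workaround in #7 bypasses. The script below checks each one in turn; it is an added diagnostic, not code from Netwrix or from any poster, and the DC name and service account are placeholders. It assumes it is run on the ALE server in a PowerShell session started as the service account (for example via runas), so that every call uses that account's token.

```powershell
# Added diagnostic, not part of the thread or of Netwrix ALE.
# Start a session as the least-privilege account first, e.g.
#   runas /user:EXAMPLE\svc-ale powershell.exe      (placeholder account name)
param([string]$Dc = 'PDC01.example.local')       # placeholder: the PDCe that ALE connects to

$results = [ordered]@{}

# 1. Event Log API: the same call Event Viewer's "Connect to another computer" makes.
#    Success here is what posts #3 and #5 describe; it says nothing about WMI.
try {
    $null = Get-WinEvent -ComputerName $Dc -LogName Security -MaxEvents 1 -ErrorAction Stop
    $results['EventLog API (Event Viewer path)'] = 'OK'
} catch { $results['EventLog API (Event Viewer path)'] = $_.Exception.Message }

# 2. Read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security on the DC,
#    the ACL called out in KB 1396 and the Quick Start Guide. Needs the Remote Registry
#    service on the DC; a null key means the read ACE for this account is missing.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog\Security')
    if ($null -eq $key) { throw 'OpenSubKey returned null (no read access or key missing)' }
    $results['EventLog\Security registry key'] = "OK (File = $($key.GetValue('File')))"
    $key.Close(); $hklm.Close()
} catch { $results['EventLog\Security registry key'] = $_.Exception.Message }

# 3. WMI over DCOM: how ALE reads the log while useWMI_audit is 1. Get-WmiObject uses
#    DCOM, matching the WMI/DCOM settings Rickh configured. Failing here while step 1
#    succeeds points at root\cimv2 namespace or DCOM launch/activation permissions on
#    the DC rather than at the Security log itself.
try {
    $null = Get-WmiObject -ComputerName $Dc -Class Win32_NTLogEvent `
        -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 1
    $results['WMI Win32_NTLogEvent (ALE path)'] = 'OK'
} catch { $results['WMI Win32_NTLogEvent (ALE path)'] = $_.Exception.Message }

# One line per path so a mixed result (1 OK, 3 denied) is obvious at a glance.
$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```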
 



#8 CORbills


Posted 01 June 2018 - 11:21 PM

Any chance of input from a moderator or other Netwrix employee on this?



#9 CORbills


Posted 15 October 2018 - 09:05 PM


AndreyK, any idea how to get Netwrix Moderators to engage on this topic?





