I just started to use Account Lockout Examiner and it works very well except for one user and her workstation.
Account Lockout Examiner will show that this user is locked out. However, upon performing an examination I receive the following errors:
Examining computer HO-COMP-1553LEN for potential usage of stale credentials for BTS\KarinaM…
Examining COM objects Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Connecting to registry... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining Windows services… ok, nothing found
Examining scheduled tasks... Failed due to the following error: No mapping between account names and security IDs was done. (Exception from HRESULT: 0x80070534)
Getting tasks of account... Failed due to the following error: No mapping between account names and security IDs was done. (Exception from HRESULT: 0x80070534)
Examining logon sessions... Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Examining network drive mappings… Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Getting HKEY_USERS on HO-COMP-1553LEN... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining invalid logons... ok, nothing found
Done
I tried examining other servers and workstations. No errors. Please help diagnose this issue.
Thanks
Hector.

Account Lockout Examiner - Examination Error
Started by Hector, Dec 17 2013 04:46 PM
4 replies to this topic
#1
Posted 17 December 2013 - 04:46 PM
#2
Posted 17 December 2013 - 08:58 PM
Hector,
RPC Server not available means that the workstation you are examining is not available over Remote Procedure Calls. This could be for MANY reasons. The most common are that the RPC services on the remote computer are not started, Remote Registry service is not started, workstation/server needs rebooted, there is no network connection between the Netwrix server and that particular workstation, it is a DNS issue and you are unable to ping the netname of the box, etc. As stated, this is only happening with one workstation, so this should tell you that this is an issue outside of the product, so all we can really do is make suggestions on what it 'could' be.
-Jeff
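The causes listed in this reply can be checked from the examining machine in one pass. The script below is an added example, not part of the thread and not Netwrix code; it assumes Windows PowerShell 3.0 or later, and the choice of ports 135 and 445 is an assumption based on standard Windows RPC behaviour rather than the product's documented port list.

```powershell
# Added example, not part of the thread and not Netwrix code.
param([string]$ComputerName = 'HO-COMP-1553LEN')   # workstation from the first post

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$report = [ordered]@{}

# DNS: does the name resolve from the machine running the examination?
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName)
    $report['DNS'] = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
} catch {
    $report['DNS'] = "FAILED: $($_.Exception.Message)"
}

# Network path: ICMP echo
$report['Ping'] = Test-Connection -ComputerName $ComputerName -Count 2 -Quiet

# 135 = RPC endpoint mapper, 445 = SMB (carries named-pipe RPC such as remote registry)
foreach ($port in 135, 445) {
    $report["TCP $port"] = Test-TcpPort -HostName $ComputerName -Port $port
}

# Services (Get-Service -ComputerName exists in Windows PowerShell, not PowerShell 7)
foreach ($name in 'RpcSs', 'RemoteRegistry') {
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction Stop
        $report["Service $name"] = $svc.Status
    } catch {
        $report["Service $name"] = "FAILED: $($_.Exception.Message)"
    }
}

[pscustomobject]$report | Format-List
```

A successful connection to port 135 only shows that the endpoint mapper is reachable; the dynamically assigned RPC port it hands out can still be blocked by a host firewall, which also produces 0x800706BA.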
#3
Posted 18 December 2013 - 06:57 PM
Hey Jeff,
I did the following troubleshooting steps:
1. Made sure any services related to RPC, as you had suggested, are started.
2. I used portqry to make sure that TCP port 135 is listening, which it is.
For steps 1 and 2 I used the following article: https://social.techn...by_RPC_are_open
3. I ping by name and IP so I do not think it is a DNS issue.
I noticed that my machine (Windows 7 Pro) does not give the same errors, neither do Windows 2003 or Windows 2008.
However, when I connected to other Windows 7 Pro machines I can replicate the issue.
So I matched my services to the other Windows 7 PCs and now this is the output of the examination:
Examining computer HO-SYS-1552T340 for potential usage of stale credentials for BTS\hgadmin…
Examining COM objects ok, nothing found
Examining Windows services… ok, nothing found
Examining scheduled tasks... ok, nothing found
Examining logon sessions... Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Examining network drive mappings… Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Getting HKEY_USERS on HO-SYS-1552T340... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining invalid logons... ok, nothing found
Done
The access is denied is confusing since I am a domain admin.
Also, are there other ports I need to have open?
Thanks
Hector.
#4
Posted 18 December 2013 - 08:03 PM
Jeff,
Another thing to point out regarding the issue:
The service account that Netwrix uses is part of the local administrator group and not part of a group within the local administrator group.
I checked the security event logs on the destination computer and it shows logon successful and no errors.
Thanks
Hector.
#5
Posted 19 December 2013 - 12:07 PM
Hector,
The following information is everything we have on ports, RPC errors and Access Denied for Account Lockout Examiner examinations:
https://www.netwrix.com/kb/1394
https://www.netwrix.com/kb/1024
https://www.netwrix.com/kb/1523
You could also check those few things it fails on manually and it may be quicker since you are logging into that workstation/server manually checking services anyways.
Also, the Security Event on the workstation that is used to determine the source of the lockout is event 4740, so you can also pull up this event manually. If the event does not give the source of the lockout then other tools are necessary to supplement your investigation, such as various PowerShell scripts and networking tools that can be found out there.
-Jeff
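One way to pull up event 4740 manually, as suggested in this reply. This is an added example, not part of the thread and not Netwrix code; `DC01` is a placeholder for the computer whose Security log is searched (for a domain account, 4740 is written on a domain controller), and `KarinaM` is the locked-out account from the first post.

```powershell
# Added example, not part of the thread and not Netwrix code.
param(
    [string]$ComputerName = 'DC01',     # placeholder: computer whose Security log is searched
    [string]$UserName     = 'KarinaM',  # locked-out account from the first post
    [int]$Days            = 2           # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740                    # "A user account was locked out"
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Also reached when no matching events exist in the time window
    Write-Warning "No 4740 events returned from ${ComputerName}: $($_.Exception.Message)"
    return
}

$events | ForEach-Object {
    # Read the named EventData fields from the event XML instead of relying on position
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $_.MachineName
    }
} |
    Where-Object { $_.LockedAccount -eq $UserName } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

An empty `CallerComputer` column is the case the reply describes, where the event does not give the source of the lockout.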