Audit status of "Access is denied" even with all KB 1396 changes in place


4 replies to this topic

#1 CORbills


Posted 15 May 2018 - 08:53 PM

We are trying to get ALE working with a dedicated service account along a "least permissions" model rather than using a user account in Domain Admins. We have checked (and double checked) that all changes match https://www.netwrix.com/kb/1396 and in addition have confirmed "Read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security on the monitored domain controller(s)" per the Quick Start Guide (page 8) is configured for the service account.


Connection shows as "OK" but Audit Status shows as "Access is denied."

As a test we changed to an account in Domain Admins group and it worked without this issue. I am certain the changes in https://www.netwrix.com/kb/1396 are in place for the account in question.


What else should I look into? DCs are 2012 R2 (only using PDCe at this time) and ALE running on Server 2016 Standard VM.


EDIT: In addition, if I add the dedicated service account to Built-In "Administrators" group in AD, which of course adds a lot more permissions on the DCs, it works fully as well. This also suggests the audit settings are correct but for some reason not readable by the dedicated service account created according to the linked KB article. What additional permission needs to be added to allow this to work?



#2 CORbills


Posted 16 May 2018 - 08:07 PM

Reading over some related posts, I saw http://forum.netwrix...?showtopic=2401 and wonder if I need to disable UAC somewhere. Note that in my case, with the service account with least privilege granted per the Netwrix KB referenced in the original post, this never worked, and the need to disable UAC is not discussed.



#3 AndreyK


Posted 18 May 2018 - 02:06 PM

Hello,


Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?

Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.

If you get 'Access denied' then the issue is related to your environment.

Disabling UAC on the ALE server is a good test as well.


Also please make sure that the 'Manage auditing and security log' policy you configured for the account is not being overwritten by other GPOs.


Let us know the results.

AndreyK



#4 Rickh


Posted 18 May 2018 - 02:50 PM

Hi, I have the same problem on a Win2012R2 Netwrix server and Win2012R2 DCs.

All the steps have been followed, checked and rechecked.

Netwrix only connects to the PDC, but to be sure the WMI and DCOM settings have been set on all DCs.

The DCs have been rebooted.
Connecting to the DC's Event Viewer with the service account works without a problem.

Security Group settings are not overwritten by GPO.
I have manually given the service account read permissions on the DC registry key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
UAC is disabled on the Netwrix server via these registry settings, and the Netwrix server has also been restarted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUE=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=1


Still the connection is OK but Audit status is Access denied.

What else can be done? Thank you.
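The checks AndreyK and Rickh describe (reading the DC's Security log remotely, the UAC registry values on the ALE server, read access to the EventLog\Security key, and whether the 'Manage auditing and security log' right actually lands in the account's token on the DC) collected into one script. This is an added example, not Netwrix's or either poster's code; the DC name is a placeholder, and it assumes Windows PowerShell 5.1 on the ALE server, the Remote Registry service running on the DC, and (for the last check only) PowerShell remoting reachable on the DC.

```powershell
# Added troubleshooting script (not from Netwrix or the forum posters). Start PowerShell
# AS the least-privilege service account on the ALE server, e.g.
#   runas /user:DOMAIN\svc_ale powershell.exe
# so every check below runs with that account's token, exactly as the collector would.
param([string]$Dc = 'PDC01.corp.example')   # placeholder, replace with the real PDCe name

$results = [ordered]@{}

function Test-Step {
    param([string]$Name, [scriptblock]$Action)
    try   { $null = & $Action; $results[$Name] = 'OK' }
    catch { $results[$Name] = "FAILED: $($_.Exception.Message)" }
}

# 1. UAC / token-filter values on the local (ALE) server; the documented value name is EnableLUA.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
$results['EnableLUA (local)']                     = $p.EnableLUA
$results['LocalAccountTokenFilterPolicy (local)'] = $p.LocalAccountTokenFilterPolicy

# 2. Security log over the modern Event Log API (the path Event Viewer uses).
Test-Step 'Security log via Get-WinEvent' {
    Get-WinEvent -ComputerName $Dc -LogName Security -MaxEvents 1 -ErrorAction Stop
}

# 3. Security log over the legacy Event Log API (Get-EventLog, Windows PowerShell only).
#    Event Viewer succeeding while this fails points at the old-API permission path.
Test-Step 'Security log via Get-EventLog (legacy API)' {
    Get-EventLog -ComputerName $Dc -LogName Security -Newest 1 -ErrorAction Stop
}

# 4. Read access to the EventLog\Security key on the DC via the Remote Registry service.
Test-Step 'Remote read of EventLog\Security key' {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog\Security')
    if (-not $key) { throw 'key not found or not visible to this account' }
    $null = $key.GetValueNames()
    $key.Close(); $base.Close()
}

# 5. Does the token ON the DC carry SeSecurityPrivilege, i.e. the effective
#    'Manage auditing and security log' right after all GPOs are applied? A failure here
#    can also just mean the account is not allowed to use PowerShell remoting on the DC.
Test-Step 'SeSecurityPrivilege present in token on DC' {
    $priv = Invoke-Command -ComputerName $Dc -ScriptBlock { whoami /priv } -ErrorAction Stop
    if (-not ($priv -match 'SeSecurityPrivilege')) { throw 'privilege not in token on DC' }
}

$results.GetEnumerator() | Format-Table -AutoSize
```

A table where Get-WinEvent and the Event Viewer succeed but the legacy read or the registry read fails narrows the problem to that specific path rather than to the account as a whole.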




#5 CORbills


Posted 18 May 2018 - 05:13 PM

Hello,


Are you able to read the Security log on the DCs when connecting from the ALE server via the Event Viewer?

Please open Event Viewer on the server where ALE is installed, right-click the top level, select 'Connect to another computer', specify the DC name then click 'Connect as another user' and specify the account with least privileges.

If you get 'Access denied' then the issue is related to your environment.

Disabling UAC on the ALE server is a good test as well.


Also please make sure that the 'Manage auditing and security log' policy you configured for the account is not being overwritten by other GPOs.


Let us know the results.

AndreyK

This works perfectly (opening Event Viewer, connecting to the PDCe using the configured service account, and viewing the Security log), and my process and experience match exactly those of Rickh who commented in this thread, except that I have not done the UAC disabling.





