Account Lockout Examiner - Examination Error


4 replies to this topic

#1 Hector


Posted 17 December 2013 - 04:46 PM

I just started to use Account Lockout Examiner and it works very well except for one user and her workstation.

Account Lockout Examiner will show that this user is locked out. However, upon performing an examination I receive the following errors:

Examining computer HO-COMP-1553LEN for potential usage of stale credentials for BTS\KarinaM…
Examining COM objects Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Connecting to registry... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining Windows services… ok, nothing found
Examining scheduled tasks... Failed due to the following error: No mapping between account names and security IDs was done. (Exception from HRESULT: 0x80070534)
Getting tasks of account... Failed due to the following error: No mapping between account names and security IDs was done. (Exception from HRESULT: 0x80070534)
Examining logon sessions... Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Examining network drive mappings… Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Getting HKEY_USERS on HO-COMP-1553LEN... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining invalid logons... ok, nothing found
Done

I tried examining other servers and workstations. No errors. Please help diagnose this issue.

Thanks
Hector.

#2 jeffb


Posted 17 December 2013 - 08:58 PM

Hector,

RPC Server not available means that the workstation you are examining is not available over Remote Procedure Calls. This could be for MANY reasons. The most common are that the RPC services on the remote computer are not started, the Remote Registry service is not started, the workstation/server needs to be rebooted, there is no network connection between the Netwrix server and that particular workstation, it is a DNS issue and you are unable to ping the netname of the box, etc. As stated, this is only happening with one workstation, so this should tell you that this is an issue outside of the product, so all we can really do is make suggestions on what it 'could' be.

-Jeff

#3 Hector


Posted 18 December 2013 - 06:57 PM

Hey Jeff,

I did the following troubleshooting steps:

1. Made sure any services related to RPC, as you had suggested, are started.
2. I used portqry to make sure that TCP port 135 is listening, which it is.

For steps 1 and 2 I used the following article: https://social.techn...by_RPC_are_open

3. I ping by name and IP so I do not think it is a DNS issue.

I noticed that my machine (Windows 7 Pro) does not give the same errors, neither do Windows 2003 or Windows 2008.

However, when I connected to other Windows 7 Pro machines I can replicate the issue.

So I matched my services to the other Windows 7 PCs and now this is the output of the examination:

Examining computer HO-SYS-1552T340 for potential usage of stale credentials for BTS\hgadmin…
Examining COM objects ok, nothing found
Examining Windows services… ok, nothing found
Examining scheduled tasks... ok, nothing found
Examining logon sessions... Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Examining network drive mappings… Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Getting HKEY_USERS on HO-SYS-1552T340... Failed due to the following error: The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
Examining invalid logons... ok, nothing found
Done

The "Access is denied" error is confusing since I am a domain admin.

Also, are there other ports I need to have open?

Thanks
Hector.

#4 Hector


Posted 18 December 2013 - 08:03 PM

Jeff,

Another thing to point out regarding the issue:

The service account that Netwrix uses is part of the local administrator group and not part of a group within the local administrator group.

I checked the security event logs on the destination computer and they show logon successful and no errors.

Thanks
Hector.

#5 jeffb


Posted 19 December 2013 - 12:07 PM

Hector,

The following information is everything we have on ports, RPC errors and Access Denied for Account Lockout Examiner examinations:

https://www.netwrix.com/kb/1394
https://www.netwrix.com/kb/1024
https://www.netwrix.com/kb/1523

You could also check those few things it fails on manually, and it may be quicker since you are logging into that workstation/server and manually checking services anyway.

Also, the Security Event on the workstation that is used to determine the source of the lockout is event 4740, so you can also pull up this event manually. If the event does not give the source of the lockout, then other tools are necessary to supplement your investigation, such as various PowerShell scripts and networking tools that can be found out there.

-Jeff
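
The manual checks discussed in this thread (name resolution, TCP 135, the RPC and Remote Registry services, and event 4740), as an added example that is not part of the original posts and is not Netwrix code. The computer names and account name are placeholders, TCP 445 is included on the assumption that remote registry access goes over SMB, and `Get-Service -ComputerName` assumes Windows PowerShell 5.1.

```powershell
# Added example (Windows PowerShell 5.1). All three parameter defaults are placeholders.
param(
    [string]$Computer  = 'WORKSTATION01',  # placeholder: machine the examination fails on
    [string]$LogSource = 'LOGHOST01',      # placeholder: computer whose Security log holds event 4740
    [string]$User      = 'someuser'        # placeholder: locked-out account name
)

function Test-ExaminationPrereq {
    param([string]$Name)
    $r = [ordered]@{ Computer = $Name }

    # DNS: does the name resolve, and to which address?
    try   { $r.Address = [string]([System.Net.Dns]::GetHostAddresses($Name) | Select-Object -First 1) }
    catch { $r.Address = 'unresolved' }

    # TCP 135 is the RPC endpoint mapper; TCP 445 carries SMB, which remote registry access uses.
    foreach ($port in 135, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $wait = $client.BeginConnect($Name, $port, $null, $null)
            $r["Tcp$port"] = $wait.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        }
        catch   { $r["Tcp$port"] = $false }
        finally { $client.Close() }
    }

    # Service state. Get-Service -ComputerName itself needs RPC, so a failure here is also a finding.
    foreach ($svc in 'RpcSs', 'RemoteRegistry') {
        try   { $r[$svc] = [string](Get-Service -ComputerName $Name -Name $svc -ErrorAction Stop).Status }
        catch { $r[$svc] = "query failed: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

function Get-LockoutEvent {
    param([string]$LogSource, [string]$User)
    # Event 4740 data: Properties[0] = locked-out account, Properties[1] = caller computer name.
    Get-WinEvent -ComputerName $LogSource -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
        Where-Object { $_.Properties[0].Value -eq $User } |
        Select-Object TimeCreated,
            @{ n = 'Account';        e = { $_.Properties[0].Value } },
            @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }
}

Test-ExaminationPrereq -Name $Computer | Format-List
Get-LockoutEvent -LogSource $LogSource -User $User | Format-Table -AutoSize
```

Run it from the server that performs the examinations and under the same service account, so the results reflect the path and permissions the examination actually uses.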



