
Account Lockout Examiner - Service account denied reading logs on 2 DC's
#1
Posted 06 June 2014 - 03:13 PM
I have 10 DCs, and on just two of the DCs the service account is "Access Denied" when trying to read the logs, and one DC is reading "Quota Violation". The account I am using is a Domain Admin account and has no issues at all with the other 7 DCs. My domain functional level is 2003, as 8 of my 10 DCs are 2003; the other two are 2008 R2. The two where access is denied are 2003.
I do not know how to troubleshoot this. The service account I set to collect logs is able to log on to the server locally. Since it is a DC, there are no local admin groups to add the user account to. There is nothing in the Event Viewer on the 3 troubled DCs pertaining to this. Netwrix phone support won't help me either, even though I have paid for other products from them.
How do I troubleshoot this???
Thanks in advance
Mike
#2
Posted 06 June 2014 - 04:34 PM
Try to connect to the problematic DCs with the Event Viewer using your service account. Also check if the service account has the Manage auditing and security log user right, and try to perform the steps from the following KB: https://www.netwrix.com/kb/1396
#3
Posted 06 June 2014 - 04:42 PM
Hi Menz,
Try to connect to the problematic DCs with the Event Viewer using your service account. Also check if the service account has the Manage auditing and security log user right, and try to perform the steps from the following KB: https://www.netwrix.com/kb/1396
Thank you for the reply. I looked at that article... it refers to an account that is NOT a domain admin. The account I am using IS a domain admin. Being that it is a domain admin, it is already part of the "manage auditing and security logs" group (yes, I checked and verified). So... the steps in the article are not necessary, as it is already a domain admin account.
Any other ideas for me to try?
#4
Posted 06 June 2014 - 04:45 PM
Thank you for the reply. I looked at that article... it refers to an account that is NOT a domain admin. The account I am using IS a domain admin. Being that it is a domain admin, it is already part of the "manage auditing and security logs" group (yes, I checked and verified). So... the steps in the article are not necessary, as it is already a domain admin account.
Any other ideas for me to try?
What about connecting with Event Viewer? Were you able to connect?
#5
Posted 06 June 2014 - 04:51 PM
#6
Posted 10 June 2014 - 04:19 PM
#7
Posted 01 July 2014 - 07:07 PM
#8
Posted 13 October 2014 - 05:17 PM
- Open the Registry Editor (navigate to Start --> Run and type regedit).
- Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
- Locate the readlog key and set its value to 0.
- Create a new key called UseWatcher, set its type to DWORD and value to 1.
- Restart NetWrix Account Lockout Examiner Service via services.msc
Also try to connect to the problematic DC's namespace root\cimv2 with the wbemtest tool.
#9
Posted 13 October 2014 - 06:34 PM
#10
Posted 19 December 2016 - 10:51 PM
Menz,
- Open the Registry Editor (navigate to Start --> Run and type regedit).
- Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
- Locate the readlog key and set its value to 0.
- Create a new key called UseWatcher, set its type to DWORD and value to 1.
- Restart NetWrix Account Lockout Examiner Service via services.msc
Also try to connect to the problematic DC's namespace root\cimv2 with the wbemtest tool.
The above registry change worked for me. I hope this helps someone else.
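The registry steps from posts #8 and #10, scripted as an added example that is not part of the thread and not Netwrix code. It records the prior values before changing them and repeats the root\cimv2 check over DCOM; the service display-name pattern and the `-ProblemDc` parameter are assumptions, since the thread gives neither the service's short name nor the DC names.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: matched by display name; the thread does not give the short service name.
    [string]$ServiceDisplayName = 'NetWrix Account Lockout Examiner*',
    # Hypothetical parameter: names of the DCs that fail, for the WMI check below.
    [string[]]$ProblemDc = @()
)

# Key from the thread; the Wow6432Node branch applies only on a 64-bit OS.
$sub = 'SOFTWARE\NetWrix\Account Lockout Examiner'
if ([Environment]::Is64BitOperatingSystem) {
    $sub = 'SOFTWARE\Wow6432Node\NetWrix\Account Lockout Examiner'
}
$key = "HKLM:\$sub"
if (-not (Test-Path $key)) { throw "Key not found: $key" }

# The posts call readlog and UseWatcher "keys"; a DWORD is a registry value.
# The steps say to locate readlog, so stop if it is absent rather than create it.
$item = Get-Item $key
if ($item.GetValueNames() -notcontains 'readlog') { throw "readlog not found under $key" }
$kind = $item.GetValueKind('readlog')   # keep the existing value type

# Record the prior values so the change can be reverted.
[pscustomobject]@{
    Key        = $key
    readlog    = $item.GetValue('readlog')
    UseWatcher = $item.GetValue('UseWatcher')   # $null if not yet created
} | Format-List

if ($PSCmdlet.ShouldProcess($key, 'Set readlog=0, UseWatcher=1 (DWORD), restart service')) {
    Set-ItemProperty -Path $key -Name readlog -Value 0 -Type $kind
    New-ItemProperty -Path $key -Name UseWatcher -PropertyType DWord -Value 1 -Force | Out-Null
    Get-Service -DisplayName $ServiceDisplayName | Restart-Service
}

# Same check as connecting to root\cimv2 with wbemtest (Get-WmiObject uses DCOM).
foreach ($dc in $ProblemDc) {
    try {
        Get-WmiObject -Namespace root\cimv2 -Class Win32_OperatingSystem `
            -ComputerName $dc -ErrorAction Stop | Out-Null
        "$dc : root\cimv2 OK"
    } catch {
        "$dc : root\cimv2 FAILED - $($_.Exception.Message)"
    }
}
```

Run it with `-WhatIf` first to print the current values and the target key without changing anything.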