9 replies to this topic

[Menz]

Hello,
I have 10 DC's and on just two of the DC's the service account is "Access Denied" when trying to read the logs asd one DC is reading "Quota Violation". the account i am using is a Domain Admin account and has no issues at all with the other 7 DC's. My domain funtional level is 2003 as 8 of my 10 DC's are 2003 the other two are 2008 R2. the two where access is denied are 2003.

i do not know how to troubleshoot this. the service account i set to collect logs is able to log on to the server locally. since it is a DC there are no local admin groups to add the user account to. there is nothing in the event viewer on the 3 troubled DC's pertaining to this. Netwrix phone support won't help me either even though i have paid for other products from them.

how do i trouble shoot this???

thanks in advance

Mike

[Administrator]

Hi Menz,
Try to connect to problematic DCs with the Event Viewer using your service account. Also check if the service account has Manage auditing and security log user rights, try to perform steps from the following KB: https://www.netwrix.com/kb/1396

[Menz]

Hi Menz,
Try to connect to problematic DCs with the Event Viewer using your service account. Also check if the service account has Manage auditing and security log user rights, try to perform steps from the following KB: https://www.netwrix.com/kb/1396

Thank you for the reply. i looked at that article.... it referes to an account that is NOT a domain admin. the account i am using IS a domain admin. Being that it is a domain admin it is already part of the "manage auditing and security logs" group (yes i checked and verified). so.... the steps in the article are not necessary as it is already a domain admin account.

any other ideas for me to try?

[Administrator]

Thank you for the reply. i looked at that article.... it referes to an account that is NOT a domain admin. the account i am using IS a domain admin. Being that it is a domain admin it is already part of the "manage auditing and security logs" group (yes i checked and verified). so.... the steps in the article are not necessary as it is already a domain admin account.

any other ideas for me to try?

What about connect with Event Viewer? Were you able to connect?

[Menz]

yes i am able to connect to the event viewer on both problematic DC's using the event viewer from my local machine but using the service account as the user

[Menz]

any update for me??

[Menz]

still no update for me..... is this support forum dead???

[Administrator]

Menz,

• Open the Registry Editor (navigate to Start --> Run and type regedit).
• Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
• Locate the readlog key and set its value to 0.
• Create a new key called UseWatcher, set its type to DWORD and value to 1.
• Restart NetWrix Account Lockout Examiner Service via services.msc

Also try to connect to problematic DC namespace root\cimv2 with wbemtest tool.

[Menz]

well.... thanks for the reply but..... this was over 3 months ago. i have (in the 3 months that i was waiting for an answer) since decommisioned the problematic DC's and removed them from my domain. i have no idea if your above answer will work, just wish i got it 3 months ago so i could tell future users that may have this issue.

[mattsim]

Menz,

• Open the Registry Editor (navigate to Start --> Run and type regedit).
• Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
• Locate the readlog key and set its value to 0.
• Create a new key called UseWatcher, set its type to DWORD and value to 1.
• Restart NetWrix Account Lockout Examiner Service via services.msc

Also try to connect to problematic DC namespace root\cimv2 with wbemtest tool.

 

 

The above registry change worked for me. I hope this helps someone else.