I'm having an issue with Netwrix Account Lockout Examiner Console. I have all the right Group Policy mods in place suggested by the Netwrix admin PDF but I'm still getting the "Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC."
I already re-installed the app and I also removed and re-added the DC in there multiple times but I'm still getting the same issue.
I also ran a gpupdate /force and tried again. i also removed the old .csv file that contained older settings. I'm not sure what else to do at this point.
I'm getting a secondary error when I run a basic examination of a lockout too. While the account is locked out, I'm getting an error in the Examining logon sessions where the result says "Failed due to the following error: This user can't sign in because this account is currently disabled. [Exception from HRESULT: 0x80070533.}
That only seems to happen while the account is locked out. The account is NOT disabled.
"Logon auditing is disabled, some functionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy settings for this DC"
Log onto the server where Account Lockout Examiner (ALE) is installed and open an elevated command prompt. Run the following command and paste the output:
auditpol /get /category:*
In regards to:
"Failed due to the following error: This user can't sign in because this account is currently disabled. [Exception from HRESULT: 0x80070533"
What is the target workstation OS? Are there any related warnings in the system, security, application logs on this workstations? What user sessions were opened on the target workstation during examination?
The Workstation is a column in the interface. If it is blank then you can look on the domain controller for the 4740 event in the Security Event Log which has a workstation or caller computer name field. However, most likely it is blank as well which means Windows has no idea where it is coming from and may be a non Windows machine perhaps.
When I put in the account name and click on examine, it requires me to put a machine in. I select our main DC. I went ahead and ran that search. When the search results come up though, all that show up for the results for invalid logons are the DCs (especially repeatedly for the main one). Does this actually indicate that the issue lies with the main DC somehow?
if there is no Workstation specified in the product console for that lockout then the domain controller doesn't even have that information. Please see my previous reply in regards to the lockout event on the domain controller and the caller computer field...
I am having the same issue of DC's showing auditing is disabled in Lockout Examiner but if I run RSOP I can see that auditing is enabled via our top level default domain policy as well as the default domain controller policy. Any ideas?