-
Re: Active Directory Credentials
The account must be member of "Event Log Readers" group (Windows 2k8) or have access to the Security log at least. If possible, try some admin account to see if you are able to pull the data from domain controller. If that works, change to the account with restricted rights.
I'll also take a look at the help link.
Bedrich
-
Re: Active Directory Credentials
My admin account did not work. Our AD people don't understand how giving access to the Event log will populate the AD information about each node.
Rick
-
Re: Active Directory Credentials
Same issue, I have it configured with a Domain Admin account and it does not pull in the info.
-
-
Re: Active Directory Credentials
DanielleH
Dec 6, 2011 10:40 AM
Hi Rick and Chris--
Yes, would you please open a support ticket for this? Please post back with your ticket # and keep us updated with your progress and any solutions you receive from support.
Thank you,
DH-
-
Re: Active Directory Credentials
Couple of ideas what you can try:
1) Connect to the domain controller you want to poll, run Event Viewer and check there are events with ID 4768, 4769 (Win2k8) or 672, 673 (Win2k3) in the Security log. Those are the events UDT is looking for. Also verify those events are not older than 30 minutes (on the first poll of DC, UDT pulls only events from "now (DC time)" to "now (DC time) - 30 minutes" interval; on subsequent polls, it always continues reading where it stopped before).
2) Go to AddNode wizard, enter the IP address of the domain controller, select the "Active Directory Domain Controller" option and enter the credentials you want to use. Hit the "Test" button. If the test is successful, then UDT is able to poll the domain controller with those credentials. And if the Security log on the DC contains the correct events (see above), UDT should be able to display user data.
3) Go to UDT Discovery wizard. On the first tab (Add AD credentials) enter the credentials you want to use and hit "Test" button. If the test is successful, then UDT should be able to discover your domain controllers during UDT discovery.
So please try these steps and let me know what worked/didn't work for you.
Thanks, Bedrich
-
Re: Active Directory Credentials
I checked my Win2k8 servers and there is not neither 4768 nor 4769 instead of them I am getting 4624 for logon and 4634 for logoff. There is any way to change the events that the UDT is looking for...
-
Re: Active Directory Credentials
Please check this KB article and let me know if that helped:
Thanks
-
Re: Active Directory Credentials
Same here, only 4624/4634 events.
I checked the link above and it's configured as it should be but no 4768/4769 events.
-
-
-
-
-
-
-
-
-
-
Re: Active Directory Credentials
Rickg, you have to do following:
- Create some account which you will use to access logs
- Make this account member of AD Builtin group "Event Log Readers"
- Ensure that this setting is replicated to target DC (which you will use for test)
- Enable 3 rules at Windows firewall on domain controller with names starting with "Remote event log management"
- Try to use this account from within UDT. It should work instantly
You can use mmc with event viewer snapin to test, if your new account has rights and ability to read security log on target DC. If you cannot access log remotly using event viewer, it is pointless to try setup UDT. I spent many hours trying to setup UDT just because I forgot to open firewall and it is not stated in UDP documentation...
If you doesn't open firewall, then UDT behavior depends on setup of your account. If you use just regular user account which is member of "Event Log Readers", then this account will be refused as early as you will test it in node configuration. If you use domain admin account, then it will pass the test (after 10-20 seconds) but log reading will not work and you may find "RPC Unavailable" messages in UDT jobs log.
-
Re: Active Directory Credentials
1 of 1 people found this helpfulSo here is the fix guys:
If you are seeing an issue where AD is polling, and you do not receive user information from Domain Controllers, issue could be UDT is not seeing the current event codes.
UDT searches for 4768/4769. Often times if you see the AD server publishing event codes of 4624/4634 or any other codes, you might want to ensure that you enable Kerberos. Upon enabling this, you should then be able to see the user logins.
1) Run Group Policy Management Editor on the domain controller, and navigate to the following node:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. Once you expand the node, you will see a list of possible audit categories you can configure:
2) Make sure "Audit account logon events" and "Audit logon events" are defined
3) In some environments, it may be necessary to configure Kerberos Authentication service. Go to Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon, and make sure the two items containing "Kerberos" are defined
4) Make sure the Event Log on the domain controller that is being monitored by UDT is not full and new events can be added (overwriting old events is not forbidden)
