Windows account used by nodes.

OK, totally new to SolarWinds. I have been given a task to change the account used by Windows boxes.

How do I find what account each Windows node is using? Is there a setting anywhere that specifies 

I have seen the account listed under the 'Credentials Library'. Is this it? Does each node need to be told to use this account?

Hope that makes some form of sense :-)

  • Hey, thanks for the reply. I fell at the first hurdle!

    Getting this when I execute the copied and pasted query.

    SELECT TOP 1000 * FROM [dbo].[Credential] 

    Msg 208, Level 16, State 1, Line 1
    Invalid object name 'dbo.Credential'.

  • I'm getting confused here. If I go onto the SolarWinds box and check the Security event log:

    A logon was attempted using explicit credentials.

    Subject:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x8D30A1511
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:
    Account Name: I<Service account>
    Account Domain: group1
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:
    Target Server Name: server1.domain.com
    Additional Information: server1.domain.com

    Process Information:
    Process ID: 0x9164
    Process Name: C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2.exe

    From the above, I assumed SolarWinds is connecting to Server1 using <service account>.

    But when I check server1 node settings, it's only using SNMP, not WMI, and nowhere in the settings does it specify the <service account>. What am I missing?

  • Do you have any application monitoring against server1 that use that service account?

  • yeah, but struggling to find where the credentials go.

  • When viewing the application in Orion, press "edit application monitoring" (if the button does not exist, you are not a SAM admin).

    In there, expand the component configuration and look for "Credential for monitoring". Each type of component can differ in how it looks.

    The credential name here is not the same as for nodes. You find them under Settings / All Settings / SAM Settings / Credential Library.

  • Ah, got it. Looks like it's using the credential specified on the template. I guess I just need to update the template with the new service account, and if it inherits from the template, that should be it.

    Thanks again.

  • Hi Joe,

    We can create a report showing which nodes are monitored with a service account. Kindly create a report using the SQL query below. Please find the details below; you can easily identify the service accounts.

    Select Nodes.IP_Address, Nodes.Caption, Nodes.Domain_name, Nodes.Node_type, Nodes.status, Credential.Name from Credential
    inner join NodeSettings on Credential.ID=NodeSettings.SettingValue
    inner join Nodes on NodeSettings.NodeID=Nodes.NodeID
    where NodeSettings.SettingName='WMICredential'

    Regards. 

  • It looks like the WMICredential uses another account. The application components list the correct account I am interested in. That report shows me other service accounts for the nodes. (If that makes sense.)

  • Managed to get this which does the job

    SELECT n.NodeID, n.Caption as Node, a.ID as ApplicationID, a.Name as [Application], c.ID as ComponentId, c.Name as Component,
    cts.Value as TemplateCredId, cs.[Value] as OverridenCredId, cred.Name as CredName
    FROM APM_Component c
    INNER JOIN APM_Application a ON c.ApplicationID = a.ID
    INNER JOIN Nodes n ON a.NodeID = n.NodeID
    LEFT JOIN APM_ComponentSetting cs ON cs.ComponentID = c.ID AND cs.[Key] = '__CredentialSetId'
    LEFT JOIN APM_ComponentTemplate ct ON ct.ID = c.TemplateID
    LEFT JOIN APM_ComponentTemplateSetting cts ON cts.ComponentTemplateID = ct.ID AND cts.[Key] = '__CredentialSetId'
    LEFT JOIN [Credential] cred ON cred.ID = ISNULL(cs.Value, cts.Value)
    WHERE Cred.Name IS NOT NULL

  • Yes, correct, this job is good. Looks like we are able to see all the application credentials in the console.

    Thanks Joeshmoe. 

  • You're seeing this event in the Windows Security logs of your Orion application server specifically because the "SolarWinds Job Engine v2" service is running as "Local System" account.

    This is different from the credentials that would be used to actually monitor nodes or applications, which is what the previously referenced queries will show you. (That's still a very useful query to keep handy!)

    Per Microsoft's documentation (4648(S) A logon was attempted using explicit credentials. (Windows 10) - Windows security | Microsoft Docs) this is normally logged as a part of normal operations. 

    "This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials.

    "This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.

    "It is also a routine event which periodically occurs during normal operating system activity."

    Hope this helps answer your question!
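
An added example, not part of the original thread: a small Python parser for the rendered 4648 text quoted above. It keeps the Subject (the identity the service runs as) separate from the "Account Whose Credentials Were Used", then counts account and target pairs for the Job Engine worker process. The sample events are constructed in the thread's layout; `svc-monitor`, `svc-backup`, `server2.domain.com` and the function names are placeholders.

```python
import re
from collections import Counter

HEADER = "A logon was attempted using explicit credentials."
SECTION = re.compile(r"^\s*([A-Za-z ]+):\s*$")           # e.g. "Subject:"
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s+(\S.*?)\s*$")   # e.g. "Account Name: SYSTEM"

def parse_4648(text):
    """Split rendered 4648 text into events keyed by (section, field)."""
    events = []
    for chunk in text.split(HEADER)[1:]:
        section, ev = None, {}
        for line in chunk.splitlines():
            if m := SECTION.match(line):
                section = m.group(1)      # "Account Name" repeats, so track the section
            elif m := FIELD.match(line):
                ev[(section, m.group(1))] = m.group(2)
        events.append(ev)
    return events

def credential_use(events, process_suffix="SWJobEngineWorker2.exe"):
    """Count (domain\\account, target server) pairs for one calling process."""
    used = "Account Whose Credentials Were Used"
    counts = Counter()
    for ev in events:
        proc = ev.get(("Process Information", "Process Name"), "")
        if proc.lower().endswith(process_suffix.lower()):
            dom = ev.get((used, "Account Domain"))
            name = ev.get((used, "Account Name"))
            target = ev.get(("Target Server", "Target Server Name"))
            counts[(f"{dom}\\{name}", target)] += 1
    return counts

def make_event(acct, target, proc):
    """Build one constructed event in the layout shown in the thread."""
    return (f"{HEADER}\n\nSubject:\n\tAccount Name: SYSTEM\n\tAccount Domain: NT AUTHORITY\n\n"
            f"Account Whose Credentials Were Used:\n\tAccount Name: {acct}\n"
            f"\tAccount Domain: group1\n\nTarget Server:\n\tTarget Server Name: {target}\n\n"
            f"Process Information:\n\tProcess ID: 0x9164\n\tProcess Name: {proc}\n\n")

JOB = r"C:\Program Files (x86)\Common Files\SolarWinds\JobEngine.v2\SWJobEngineWorker2.exe"
SAMPLE = (make_event("svc-monitor", "server1.domain.com", JOB) * 2
          + make_event("svc-backup", "server2.domain.com", r"C:\Windows\System32\svchost.exe"))

if __name__ == "__main__":
    for (account, target), n in credential_use(parse_4648(SAMPLE)).items():
        print(f"{account} -> {target}: {n} event(s)")
```

Searching the same text for "Account Name" alone would return SYSTEM, the Subject, rather than the service account whose credentials were presented to the target.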
