No User login information found in UDT

Created by Jason Ferree, last modified by MindTouch on Jun 23, 2016

Overview

User login information is not displayed in User Device Tracker (UDT).

Environment

All UDT versions in Windows 2003, 2008 and/or 2012 R2 servers

Cause

The following are the possible causes for this issue:

  • Auditing of user logins is not defined, and UDT is looking for event IDs 4768 and 4769 from Windows 2008 and/or 2012 AD servers.
  • Auditing of user logins is not defined, and UDT is looking for event IDs 768 and 769 from Windows 2003 AD.
  • UDT is not able to poll data because it is not connected to the event log in the Domain Controller.
  • Windows Firewall could be stopping RPC and WMI connections from the Orion server on Domain Controllers.
  • IPv6 to IPv4 translation fails.

Resolution

Refer to the following resolution information to resolve this issue. If 

Auditing of user logins is not defined

To get the event IDs 4768 and 4769 working using Group Policy on Windows 2012 R2 servers, the Domain Controllers need to have the settings defined under Advanced Audit Policy Configuration instead of under Basic Audit Policy.

When attempting to use Basic Audit Policy, the selections within the policy (Success, Failure) are saved (ticked) but revert (to unticked) after 15 minutes. The settings need to be defined under Advanced Audit Policy for the selections to be saved.

Use the following settings under Advanced Audit Policy Configuration:

Event 4768

1. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon > Audit Kerberos Authentication Service.

2. Define the policy and choose both Success and Failure.

Event 4769

1. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon > Audit Kerberos Service Ticket Operations.

2. Define the policy and choose both Success and Failure.

 

Advanced Audit Policy Configuration overrides the settings in Basic Audit Policy.  This is true unless the Administrator has the following policy defined:

Computer Configuration > Policies > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Set to Disable to allow both policies to apply.

 

The Default Domain Controllers Policy was also defining the settings of the following items:

Events 4768/4769 – Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account logon events.

It was defined; however, neither option (Success, Failure) was checked.

Undefine this policy in the Default Domain Controllers Policy, since it is replaced by another Group Policy Object that uses the Advanced Auditing Policy.
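
To confirm that the Group Policy changes above actually took effect on a domain controller, the following added example (not part of the original article or of UDT) reads the effective audit policy, the registry value behind the "Force audit policy subcategory settings" option, and the recent 4768/4769 events. It assumes an elevated PowerShell 3.0 or later session on an English-language Windows 2008 or 2012 domain controller.

```powershell
# Added example. Run elevated on the domain controller.
# English-language OS assumed: auditpol prints localized subcategory names.
$required = 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations'

# auditpol /r prints the effective policy as CSV; drop blank lines before parsing.
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv

# Both subcategories must report "Success and Failure" for events 4768 and 4769.
$policy = foreach ($name in $required) {
    $setting = ($effective | Where-Object { $_.Subcategory -eq $name }).'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Ok          = $setting -eq 'Success and Failure'
    }
}
$policy | Format-Table -AutoSize

# Registry value behind "Audit: Force audit policy subcategory settings ...":
# 1 = Enabled, 0 = Disabled, no value = policy not defined.
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = $lsa.SCENoApplyLegacyAuditPolicy
"Force subcategory override: $(if ($null -eq $force) { 'not defined' } else { $force })"

# Confirm the DC is actually writing the events UDT reads (last hour).
$filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

If a subcategory shows Ok = False about 15 minutes after it was set, look for a Group Policy Object that still defines the basic "Audit account logon events" setting, as described above.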

UDT is not able to poll the data

The following information is described in the Administrator Guide.

Setting up Polling of User Data Across Domains

Enabling UDT to poll user data—essentially, by retrieving event log data—on an 
AD domain controller outside the local domain of the UDT server requires setup
both in UDT and the AD domain controller.
UDT supports the following methods for getting event log data from another
domain:

  • Eventing6

This is the preferred method and depends on the AD domain controller
running Windows 2008 R2.

  • WMI

This method is supported across Windows platforms.


UDT collects user information through a scheduled job (REL). Two settings, UDT.GetUserInfoThroughWMIForEventing6 (turned off by default) and UDT.GetUserInfoThroughWMI (turned on by default and should not be changed), determine how UDT collects the information.

Defining Credentials for Polling Across Domains

Keep in mind these requirements when you set up your credentials for accessing an AD domain controller outside the local UDT server domain.

  • The UDT user account must be part of the target domain.
  • The UDT user account must either be a member of the Administrators group on the target domain controller or a limited account with privileges to access the remote security event log and directory service on the remote domain controller. If UDT is using a limited account, the account must be a member of these groups:
    • Domain Users
    • Distributed COM Users
    • Event Log Readers
  • The UDT account must be able to access certain WMI namespaces. See the section “Setting WMI Namespace Security”.

Setting WMI Namespace Security

You configure access to WMI namespaces through these steps on the target AD domain controller.

1. Open Administrative Tools (Control Panel > Administrative Tools)
2. Double-click Computer Management.
3. Expand the Services and Applications and double click WMI Control.
4. Right click WMI Control, and then select Properties.
5. On the Security tab, expand the tree under Root.
6. Select CIMv2 and then click Security.
7. Click Advanced.
8. Click Add.
9. Enter the account name in the text box and then click OK.
10. Confirm that Apply to is set to This namespace and subnamespaces.
11. Select the Allow check boxes for Execute Methods, Enable Account, and Remote Enable.
12. Click OK.
13. Select the directory and then click Security.
14. Repeat steps 7-12 if you need to set up additional namespaces.


Note: The Custom Security Descriptor (CustomSD) in Windows 2003 Server may obstruct retrieval of user data even though the connection is open.

After you have the desired account set up for WMI access on the AD domain controller, you can add the account credentials to UDT. To do that, see “Adding a New AD Credential”.

 

Windows Firewall

Windows Firewall could stop the RPC connection and still give a false positive about WMI access and polling OK/Test DC successful.

Troubleshoot Firewall steps:

1. RDP/log in to the Orion server.

2. Open Event Viewer.

3. Click 'Connect to Another Computer...'

4. Enter the address of the Domain Controller (Windows networking) and check the 'Connect as another user:' box.

5. Click 'Set User' and enter the credentials used to poll Domain Controllers.

6. Expand Windows Logs and check whether the Security logs show 4768, 4769 eventing 5, eventing 6.

  • If an access denied error shows or the RPC server is unavailable, check the firewall.
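
The Event Viewer test above can also be scripted from the Orion server so that the WMI result and the event log result are shown side by side, which exposes the false positive this section describes. This is an added example, not code from the original article or from UDT; `dc01.example.local` is a hypothetical host name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Hypothetical values: replace with your DC and the UDT polling account.
$dc   = 'dc01.example.local'
$cred = Get-Credential

# Run one check and return its outcome instead of stopping on the first error.
function Test-Step([string]$Name, [scriptblock]$Check) {
    try   { $detail = & $Check; $ok = $true }
    catch { $detail = $_.Exception.Message; $ok = $false }
    [pscustomobject]@{ Check = $Name; Passed = $ok; Detail = $detail }
}

$results = @(
    # WMI access to the namespace secured under "Setting WMI Namespace Security".
    Test-Step 'WMI root\cimv2' {
        (Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
            -ComputerName $dc -Credential $cred -ErrorAction Stop).Caption
    }
    # Remote read of the Security log, the same path the Event Viewer test uses.
    Test-Step 'Security log 4768/4769' {
        $events = @(Get-WinEvent -ComputerName $dc -Credential $cred -MaxEvents 20 `
            -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -ErrorAction Stop)
        "$($events.Count) events, newest $($events[0].TimeCreated)"
    }
)

# Reading the result:
#   WMI passed, Security log failed with "RPC server is unavailable" -> check the firewall.
#   Security log failed with an access denied message -> check group membership
#     (Event Log Readers, Distributed COM Users).
#   Security log failed with "No events were found" -> the log is reachable,
#     but auditing is not producing 4768/4769; check the audit policy.
$results | Format-Table -AutoSize -Wrap
```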


Last modified
04:02, 23 Jun 2016
