Hello
when I set up NT Error Log checks, some servers are OK but others give me the message "error 5 access is denied"
On these machines when I begin to set up the test, it says that the list of logs can't be retrieved from the server and it will use the local ones. That should have given me some indication I guess. The hostmonitor machine runs as a service, config and monitoring is done logged in as the domain admin user and the "connect as" parameters can all be left blank for the servers that work. For the ones that don't, "connect as" using the domain admin account credentials doesn't work either.
The servers I can't "see" are local to the hostmon (same subnet) and the ones I reach OK are on other remote subnets. Very strange. All other tests using UNC such as disk free space work fine on all subnets.
code 5 - access is denied
-
KS-Soft Europe
- Posts: 2832
- Joined: Tue May 16, 2006 4:41 am
- Contact:
Re: code 5 - access is denied
Could you provide more information, please?
- What version of HostMonitor do you use?
- What Windows do you use? Service Pack?
- What Windows is installed on problem server?
Could you check the "Security Log" using Event Viewer applet on target machine to verify what account HostMonitor is using to connect to the server?
Regards,
Max
- What version of HostMonitor do you use?
- What Windows do you use? Service Pack?
- What Windows is installed on problem server?
Have you specified domain admins account into "Options" -> "Service" tab? Please, make sure HostMonitor (service) is able to use specified account. Please check NT Event log. Do you see message from HostMonitor, like "Logged on as user ..."?gelita-apa wrote:The hostmonitor machine runs as a service, config and monitoring is done logged in as the domain admin user and the "connect as" parameters can all be left blank for the servers that work.
Could you disable "Connect as" option and try to use "Connection Manager"? http://www.ks-soft.net/hostmon.eng/mfra ... htm#conmgrgelita-apa wrote:The servers I can't "see" are local to the hostmon (same subnet) and the ones I reach OK are on other remote subnets. Very strange. All other tests using UNC such as disk free space work fine on all subnets.
Could you check the "Security Log" using Event Viewer applet on target machine to verify what account HostMonitor is using to connect to the server?
Regards,
Max
-
gelita-apa
- Posts: 4
- Joined: Wed Mar 12, 2008 7:54 pm
Thanks Max
FYI - HM 7.10 running on XP SP2, all servers Win2K3SP2. Target servers with the problem were all DCs but not all DCs complained / refused. Error on the Security log of the target machines that did refure connection was ID 673.
Now running the service as the domain admin, working and no longer require "connect as" so I won't bother setting up connection manager for now.
Will advise if the problem re-occurs.
FYI - HM 7.10 running on XP SP2, all servers Win2K3SP2. Target servers with the problem were all DCs but not all DCs complained / refused. Error on the Security log of the target machines that did refure connection was ID 673.
Now running the service as the domain admin, working and no longer require "connect as" so I won't bother setting up connection manager for now.
Will advise if the problem re-occurs.
-
KS-Soft Europe
- Posts: 2832
- Joined: Tue May 16, 2006 4:41 am
- Contact:
This implies that the the local system account option is invalid. If so why even have the local system account as an option?gelita-apa wrote:Thanks Max
FYI - HM 7.10 running on XP SP2, all servers Win2K3SP2. Target servers with the problem were all DCs but not all DCs complained / refused. Error on the Security log of the target machines that did refure connection was ID 673.
Now running the service as the domain admin, working and no longer require "connect as" so I won't bother setting up connection manager for now.
Will advise if the problem re-occurs.
I have a suggestion, one that will avoid requiring that the user log on with administrative privileges in order to operate the AHM server, and automates the process I've already implemented manually.
During installation or in the Options menu, if the user chooses to install AHM as a service you should have the user/admin select a service account or automate the creation of a service account. This could be automated or you could point the user to the appropriate instructions on how to do so.
Then, the user can:
a. Choose to use an existing local/domain account or create a new non-domain admin service account.
b. Add the newly created service account to the Domain Admins group if they choose, or
c. Create a domain group for this and comparable service accounts, appoint the service account to that group, & assign appropriate permissions to that group.
From a security perspective this allows the service to run in spite of the user logged in, and allows the domain admin to create policies around the service account or service group.
This also allows:
a. This account can be set as the default "Run as" account
b. A user can be designated with permissions to log onto the AHM server and create new tests without knowing the all powerful service account info - an appropriate delegation of authority in some environments.
If you want to take it further you could have a 'test' service account and a seperate 'action' service account, but I'll let you guys digest this first.
Service should be started undel local system account, otherwise service cannot interact with desktop. At the same time you should provide admin account using HostMonitor Options dialog; HostMonitor will use this account after service startup. Such trick is necessary because local system account does not have rights to use network functions. This is how Windows works...This implies that the the local system account option is invalid. If so why even have the local system account as an option?
Actually Windows Vista and Windows 2008 does not allow any service to interact with user's desktop
This means you have only one option to manage HostMonitor installed in service mode: RCChttp://www.ks-soft.net/hostmon.eng/rcc/index.htm
Ok, there is one more option: stop service, start application, change settings, close application, start service. It does not look like convenient option.
Well, user does not need administrative privileges in order to operate the AHM server. User needs administrative privileges to setup service, then HostMonitor can be managed locally or remotely under any account.I have a suggestion, one that will avoid requiring that the user log on with administrative privileges in order to operate the AHM server, and automates the process I've already implemented manually.
Yes, I think you are right. A lot of people does not read the manual, such option will save our and customers time.During installation or in the Options menu, if the user chooses to install AHM as a service you should have the user/admin select a service account or automate the creation of a service account. This could be automated or you could point the user to the appropriate instructions on how to do so.
Service is running independently of the user logged in.From a security perspective this allows the service to run in spite of the user logged in, and allows the domain admin to create policies around the service account or service group.
I think this was implemented long time agob. A user can be designated with permissions to log onto the AHM server and create new tests without knowing the all powerful service account info - an appropriate delegation of authority in some environments.
http://www.ks-soft.net/hostmon.eng/mfra ... #operators
Regards
Alex