What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

AD sync sensor getting Access denied when PRTG monitor user removed from domain admin group

Votes:

0

I tried removing the AD user I am using for PRTG from the Domain Admin group but had the PRTG sensor 'Active Directory Replication Errors to DC' give me a message saying access denied and it failed to successfully check for replication issues. All other sensors continued to work as desired, just this one failed. I tried following the steps from this KB link, but it is still not working correctly. If I add the user back to the AD Domain Admin group, the errors go away. What permission set do I need to get this to work correctly?

https://kb.paessler.com/en/topic/31363-active-directory-replication-access-denied

active-directory ad-sync domain-administrator-group prtg

Created on Oct 16, 2020 8:48:29 PM

Last change on Oct 19, 2020 11:40:36 AM by  Moritz Heller [Paessler Support]



7 Replies

Votes:

0

Hi there,

Please let me know with which access rights your already tried to run the Sensor?

Created on Oct 19, 2020 12:50:41 PM by  Moritz Heller [Paessler Support]



Votes:

0

The AD account I am using for PRTG monitoring, has the following Allow permissions in AD:

  • Read
  • Monitor active directory replication
  • Read domain password & lockout policies
  • Read Other domain parameters

Created on Oct 20, 2020 5:44:24 PM



Votes:

0

Hi there,

Thank you for the update and sorry for the delay, I asked for feedback from our development.

According to our dev, your AD permissions should work. Therefore, pleas run the Sensor manually and check the result. The command should looks like this:

.\ADSReplFailuresXML.exe -u=USER, -p=PASSWORD and -c=HOST -n= (for the replicationneighbour.)

Before you execute the command, please change to the "Sensor System" directory. This is located in the installation directory of the corresponding Probe.

Created on Oct 26, 2020 7:33:37 AM by  Moritz Heller [Paessler Support]



Votes:

0

Hello, I have same problem. Replication sensor works with AD admin account, but not with basic user. Our user have the following Allow permissions for AD root:

  • Read
  • Monitor active directory replication
  • Read domain password & lockout policies
  • Read Other domain parameters

permission are set to domain root, but only for "This object only" Should be permission set for all descendants? Its not specified in https://kb.paessler.com/en/topic/31363-active-directory-replication-access-denied article

This is output from ADSReplFailuresXML.exe:

C:\Program Files (x86)\PRTG Network Monitor\Sensor System>.\ADSReplFailuresXML.exe -u=domain\readeruser -p=password and -c=DC1 -n=DC2
19.1.1.12
get current time of remote computer
Starting WMI Query 'select * from  Win32_UTCTime'
Error getting time of remote pc
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
get replication data
Starting WMI Query 'select DisableScheduledSync,DoScheduledSyncs,IsDeletedSourceDsa,SourceDsaCN,LastSyncResult,NumConsecutiveSyncFailures,ModifiedNumConsecutiveSyncFailures,TimeOfLastSyncAttempt,TimeOfLastSyncSuccess from MSAD_ReplNeighbor where SourceDsaCN = 'DC2' '
<?xml version="1.0" encoding="utf-8"?><prtg><error>1</error><text>Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))</text></prtg>
Press any key to continue

We use PTRG 21.4.73.1656

Do you have any advice please? Thanks

Created on Jan 11, 2022 4:38:52 PM



Votes:

0

Hi,

In our experience we found out that Domain Admin credentials work best when using WMI or Performance Counters, which is why this is our recommendation because it should ensure the highest chance of the related sensors working directly "out of the box".

Sometimes it helps to put the windows user into the user groups "Performance Log Users" and/or "Performance Monitor Users" but at the end of the day it comes down to the fact, that we don't lay down these permissions for the different performance counters, nor do we know them all by heart. That's two things one would have to ask in Redmond at Microsoft.

This has been an often discussed thread already, so you might consider to check out the feedback of PRTG users and additional hints here:

- https://www.reddit.com/r/prtg/comments/cee7rw/wmi_without_domain_admin/?utm_medium=android_app&utm_source=share

- https://kb.paessler.com/en/topic/83070

- https://kb.paessler.com/en/topic/4213

- https://www.infrasightlabs.com/setting-wmi-access-ad-gpo

- https://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines/44997#44997

For any other questions or difficulties, we're happy to help.

Regards,

Miguel Aikens

Created on Jan 14, 2022 7:53:40 PM by  Miguel Aikens [Paessler Technical Support]



Votes:

0

Hi there I lost a lot of time in troubleshooting because of a similar issue:

"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

The cause of the issue in the end was not the permission on Domain level (Domain Admin and Domain user should be enough), it simply was a special caracter in the password. I changed the special caracter in the password and afterwards it worked....

Created on Mar 2, 2022 2:15:52 PM



Votes:

0

Hi,

Thanks for your reply.

Hope this also works for the rest of the affected users. For AD issues we normally request to enabled the core logs in detailed and this way we can see what the error actually is for.

Best regards,

Miguel Aikens

Created on Mar 8, 2022 5:48:54 PM by  Miguel Aikens [Paessler Technical Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.