I tried removing the AD user I am using for PRTG from the Domain Admin group but had the PRTG sensor 'Active Directory Replication Errors to DC' give me a message saying access denied and it failed to successfully check for replication issues. All other sensors continued to work as desired, just this one failed. I tried following the steps from this KB link, but it is still not working correctly. If I add the user back to the AD Domain Admin group, the errors go away. What permission set do I need to get this to work correctly?
Article Comments
The AD account I am using for PRTG monitoring has the following Allow permissions in AD:
- Read
- Monitor active directory replication
- Read domain password & lockout policies
- Read Other domain parameters
Oct, 2020 - Permalink
Hi there,
Thank you for the update and sorry for the delay, I asked for feedback from our development.
According to our dev, your AD permissions should work. Therefore, please run the Sensor manually and check the result. The command should look like this:
.\ADSReplFailuresXML.exe -u=USER, -p=PASSWORD and -c=HOST -n= (for the replication neighbour)
Before you execute the command, please change to the "Sensor System" directory. This is located in the installation directory of the corresponding Probe.
Oct, 2020 - Permalink
Hello, I have the same problem. The replication sensor works with an AD admin account, but not with a basic user. Our user has the following Allow permissions for the AD root:
- Read
- Monitor active directory replication
- Read domain password & lockout policies
- Read Other domain parameters
The permissions are set on the domain root, but only for "This object only". Should the permissions be set for all descendants? It's not specified in the https://helpdesk.paessler.com/en/support/solutions/articles/7600006359163-active-directory-replication-access-denied article.
This is output from ADSReplFailuresXML.exe:
C:\Program Files (x86)\PRTG Network Monitor\Sensor System>.\ADSReplFailuresXML.exe -u=domain\readeruser -p=password and -c=DC1 -n=DC2 19.1.1.12
get current time of remote computer
Starting WMI Query 'select * from Win32_UTCTime'
Error getting time of remote pc
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
get replication data
Starting WMI Query 'select DisableScheduledSync,DoScheduledSyncs,IsDeletedSourceDsa,SourceDsaCN,LastSyncResult,NumConsecutiveSyncFailures,ModifiedNumConsecutiveSyncFailures,TimeOfLastSyncAttempt,TimeOfLastSyncSuccess from MSAD_ReplNeighbor where SourceDsaCN = 'DC2' '
<?xml version="1.0" encoding="utf-8"?><prtg><error>1</error><text>Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))</text></prtg>
Press any key to continue
We use PRTG 21.4.73.1656.
Do you have any advice please? Thanks
Jan, 2022 - Permalink
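Added example, not part of the thread and not Paessler's code: in the output above the plain `Win32_UTCTime` query is denied before the replication query runs, so this PowerShell check runs both queries separately with the monitoring account to show which layer refuses it. `DC1` and `DC2` are the names from the post; the DCOM transport and the two namespace paths (the standard locations of these classes) are assumptions about how the sensor connects.

```powershell
# Added example. Host names are the placeholders used in the post above.
param(
    [string]$DomainController = 'DC1',   # DC the sensor queries
    [string]$SourceDsa        = 'DC2'    # replication neighbour to look up
)

$cred = Get-Credential -Message 'Monitoring account, e.g. domain\readeruser'

# Assumption: the sensor reaches WMI over DCOM, so test DCOM, not the WinRM default.
$opt = New-CimSessionOption -Protocol Dcom

$checks = @(
    @{ Step      = 'Remote WMI access (root\cimv2)'
       Namespace = 'root\cimv2'
       Query     = 'SELECT * FROM Win32_UTCTime' },
    @{ Step      = 'AD replication provider (root\MicrosoftActiveDirectory)'
       Namespace = 'root\MicrosoftActiveDirectory'
       Query     = "SELECT SourceDsaCN,LastSyncResult,NumConsecutiveSyncFailures " +
                   "FROM MSAD_ReplNeighbor WHERE SourceDsaCN = '$SourceDsa'" }
)

try {
    $session = New-CimSession -ComputerName $DomainController -Credential $cred `
                              -SessionOption $opt -ErrorAction Stop
} catch {
    # Failing here means DCOM logon/activation was refused before any WMI query ran.
    Write-Warning ("DCOM session failed: 0x{0:X8} {1}" -f $_.Exception.HResult, $_.Exception.Message)
    return
}

$results = foreach ($c in $checks) {
    try {
        $rows = @(Get-CimInstance -CimSession $session -Namespace $c.Namespace `
                                  -Query $c.Query -ErrorAction Stop)
        [pscustomobject]@{ Step = $c.Step; Result = 'OK'; Detail = "$($rows.Count) row(s)" }
    } catch {
        [pscustomobject]@{ Step = $c.Step; Result = 'FAILED'
            Detail = '0x{0:X8} {1}' -f $_.Exception.HResult, $_.Exception.Message }
    }
}

# root\cimv2 FAILED  -> remote WMI/DCOM rights on the DC are missing; AD ACLs are not reached.
# root\cimv2 OK, replication FAILED -> look at that namespace's security and the AD permissions.
$results | Format-Table -AutoSize -Wrap
Remove-CimSession $session
```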
Hi,
In our experience we found out that Domain Admin credentials work best when using WMI or Performance Counters, which is why this is our recommendation because it should ensure the highest chance of the related sensors working directly "out of the box".
Sometimes it helps to put the Windows user into the user groups "Performance Log Users" and/or "Performance Monitor Users", but at the end of the day it comes down to the fact that we don't lay down these permissions for the different performance counters, nor do we know them all by heart. That's two things one would have to ask in Redmond at Microsoft.
This has been an often discussed thread already, so you might consider checking out the feedback of PRTG users and additional hints here:
- https://helpdesk.paessler.com/en/support/solutions/articles/83070
- https://helpdesk.paessler.com/en/support/solutions/articles/76000063511213
- https://www.infrasightlabs.com/setting-wmi-access-ad-gpo
For any other questions or difficulties, we're happy to help.
Regards,
Miguel Aikens
Jan, 2022 - Permalink
Hi there, I lost a lot of time in troubleshooting because of a similar issue:
"Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
The cause of the issue in the end was not the permission on Domain level (Domain Admin and Domain user should be enough), it simply was a special character in the password. I changed the special character in the password and afterwards it worked.
Mar, 2022 - Permalink
Hi,
Thanks for your reply.
Hope this also works for the rest of the affected users. For AD issues we normally request to enable the core logs in detail, and this way we can see what the error actually is for.
Best regards,
Miguel Aikens
Mar, 2022 - Permalink
Hi there,
Please let me know with which access rights you already tried to run the Sensor.
Oct, 2020 - Permalink