Domain administrator service accounts limit access to a particular server/s

We need to adjust these to adjust our service accounts and would like them to be restricted to a particular server and restrict their logon or access. Any suggestions on how to manage this through Active Directory at an enterprise level? We want to lock down the accounts to specific servers but we can't use local admins for this particular group of accounts.
For the time being I was thinking about using AD to "logon on to" and enter the server names to limit the access but I didn't know if there was any better approach to the solution. Any suggestions or any other ways to configure? Caveats?

> For the time being I was thinking about using AD to "logon on to" and
> enter the server names to limit the access but I didn't know if
> there was any better approach to the solution. Any suggestions or any
> other ways to configure? Caveats?
Funny, I wrote a post on user privilege assignment some days ago :)
Unfortunately, it is available in German only, but maybe Google/Bing can
translate well enough to make sense:
http://evilgpo.blogspot.de/2015/04/wer-bin-ich-und-was-darf-ich.html
Greetings,
Martin
How about reading a good book about GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
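
The "Log On To" restriction discussed in the question is stored per account in the userWorkstations attribute, which the ActiveDirectory PowerShell module exposes as LogonWorkstations. As an added example (not code from the thread), the script below reports which service accounts deviate from an intended account-to-server mapping and applies the mapping; the account names, server names and group name are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. All account, server and group names
# are constructed placeholders; replace them with your own.

# Intended mapping: service account (sAMAccountName) -> servers it may log on to.
$Baseline = @{
    'svc-sql-backup' = @('SQL01', 'SQL02')
    'svc-app-batch'  = @('APP01')
}

function ConvertTo-HostSet {
    # Normalise a comma-separated LogonWorkstations string (or an array)
    # into a sorted, upper-cased, de-duplicated list so values compare cleanly.
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return @() }
    $items = if ($Value -is [string]) { $Value -split ',' } else { $Value }
    @($items |
        ForEach-Object { "$_".Trim().ToUpperInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique)
}

function Get-LogonRestrictionDrift {
    # Compare each account's current "Log On To" list with the baseline.
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $user    = Get-ADUser -Identity $name -Properties LogonWorkstations
        $current = @(ConvertTo-HostSet $user.LogonWorkstations)
        $desired = @(ConvertTo-HostSet $Baseline[$name])
        [pscustomobject]@{
            Account      = $user.SamAccountName
            Current      = $current -join ','
            Desired      = $desired -join ','
            InSync       = (($current -join ',') -eq ($desired -join ','))
            # An empty list means the account may log on from any computer.
            Unrestricted = ($current.Count -eq 0)
        }
    }
}

function Set-LogonRestrictionBaseline {
    # Write the baseline to every account that is out of sync.
    # Supports -WhatIf / -Confirm so changes can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Baseline)
    $drift = @(Get-LogonRestrictionDrift -Baseline $Baseline |
        Where-Object { -not $_.InSync })
    foreach ($row in $drift) {
        $action = "Set LogonWorkstations to '$($row.Desired)'"
        if ($PSCmdlet.ShouldProcess($row.Account, $action)) {
            Set-ADUser -Identity $row.Account -LogonWorkstations $row.Desired
        }
    }
}

function Get-UnrestrictedGroupMember {
    # List user members of a group (nested included) that have no
    # "Log On To" restriction at all, for review.
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName, DistinguishedName
}

# Report first, then preview the changes without writing anything.
Get-LogonRestrictionDrift -Baseline $Baseline | Format-Table -AutoSize
Set-LogonRestrictionBaseline -Baseline $Baseline -WhatIf

# 'SVC-Restricted-Accounts' is a hypothetical group holding these accounts.
Get-UnrestrictedGroupMember -Group 'SVC-Restricted-Accounts'
```

Drop `-WhatIf` from the second call once the preview matches the intended mapping.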

Similar Messages

  • Use of domain administration port breaks session access?

    WLS 8.1.2;
              We have a third-party app deployed in a pretty basic cluster setup (two managed servers, each on a separate machine). When accessing the main web app, it works fine. If/when we enable the domain-wide administration port (DAP)(after enabling SSL on each server), we can no longer access the application - we get the exception shown below.
              Note - if we shut down one of the two managed servers with DAP enabled, the app works. If we disable DAP and run both managed servers using SSL, the app works.
              What have we done wrong?
              tia,
              Rick
              <snip>
              ####<Jun 9, 2005 10:26:49 AM EDT> <Error> <HTTP Session> <OYARSA4> <ep01> <ExecuteThread: '9' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-100060> <An unexpected error occurred while retrieving the session for Web application: ServletContext(id=247422,name=eprovision-client,context-path=/eprovision-client).
              java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
                   at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
                   at weblogic.cluster.replication.ReplicationManager_812_WLStub.create(Unknown Source)
                   at weblogic.cluster.replication.ReplicationManager.trySecondary(ReplicationManager.java:1064)
                   at weblogic.cluster.replication.ReplicationManager.createSecondary(ReplicationManager.java:997)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:391)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:376)
                   at weblogic.cluster.replication.ReplicationManager.register(ReplicationManager.java:370)
                   at weblogic.servlet.internal.session.ReplicatedSessionData.<init>(ReplicatedSessionData.java:95)
                   at weblogic.servlet.internal.session.ReplicatedSessionContext.getNewSession(ReplicatedSessionContext.java:304)
                   at weblogic.servlet.internal.ServletRequestImpl.getNewSession(ServletRequestImpl.java:2472)
                   at weblogic.servlet.internal.ServletRequestImpl.getSession(ServletRequestImpl.java:2169)
                   at weblogic.servlet.security.internal.SecurityModule$SessionRetrievalAction.run(SecurityModule.java:637)
                   at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
                   at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
                   at weblogic.servlet.security.internal.SecurityModule.getUserSession(SecurityModule.java:612)
                   at weblogic.servlet.security.internal.FormSecurityModule.stuffSession(FormSecurityModule.java:404)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:391)
                   at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:197)
                   at weblogic.servlet.security.internal.FormSecurityModule.checkA(FormSecurityModule.java:181)
                   at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
                   at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3539)
                   at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2585)
                   at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
                   at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
              Caused by: java.lang.SecurityException: User <anonymous> does not have access to the administrator port.
                   at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:910)
                   at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:844)
                   at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:222)
                   at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:794)
                   at weblogic.rjvm.t3.T3JVMConnection.dispatch(T3JVMConnection.java:570)
                   at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
                   at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
                   at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
              </snip>

    An unexpected error occurred while retrieving the session for Web application: logContext.
              The cause might be: failed to retrieve the session from the persistent store.
              Please check your configuration.
              Prasanna Yalam

  • WMI Read access to my one service account

    Hi
    I need to provide my one service account READ access on all Windows 7 / Servers 2003, 2008, 2012 in my domain.
    I found the article below, but it is not for read access.
    http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx?PageIndex=2#comments
    Please help me to achieve it.
    Thanks in advance.

    Hi Mr.Raj,
    Since solving this issue requires WMI scripting skills, I suggest you refer to The Official Scripting Guys Forum to get professional support:
    The Official Scripting Guys Forum
    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • Domain user account limit exceeded

    My company is running Windows Server 2012 R2 Essentials. I receive the error:
    Domain user accounts limit exceeded
    Alert details: Windows Server 2012 R2 Essentials supports a maximum of 25 domain users. If you want to upgrade your server to Windows Server 2012 R2 Standard, please follow the steps in resolution.
    I am aware that the Domain User limit is set to 25. However, we have created, and have less than 25 active domain user accounts. The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system themselves; in other words, we have less than 25 real people who have been created an account to use the domain.
    Can someone please tell me what they count? 25 user accounts? Or 25 real, active users?
    If it is 25 accounts in total, then it is slightly unfair as most of the accounts are therefore already taken before we add a single domain user.
    If it is 25 real, active users, why do I receive the error message in the logs?

    Hi William Kirkman,
    > The rest are 'system' users that are either disabled, or active but not real user accounts, and they became active within the system themselves.
    I’m a little confused by this sentence. Would you please provide some details of the system users so that I can understand it clearly? Did you mean some Administrator accounts or any other?
    Regarding how the 25 user accounts are counted: “Any user that appears in the dashboard counts against your total of 25.” Robert answered this in the following thread. Please refer to it.
    Admin Account Setup as Part of Wizard Count Against 25 Users?
    Hope this helps.
    Best regards,
    Justin Gu

  • Service account with DOT

    Hi,
    Is it possible to make a user account a service account using ktpass if there's a dot in the user name, e.g. the user account is sap.bo?
    Is it possible?
    Thanks

    Use the following syntax for the service account:
    <DOMAIN>\sap.bo instead of sap.bo@SERVER1.COM
    The command should look like this:
    ktpass -out vinsso.keytab -princ BOBJCentralMS/sap.bo.server1.com@SERVER1.COM -mapuser <DOMAIN>\sap.bo -pass password -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
    Replace <DOMAIN> with the name of the Windows AD domain your service account is defined in.
    Regards,
    Stratos

  • Peoplesoft and Tidal Master Service Account

    Master 5.3.1-Windows
    Peoplesoft Adapter 8.5
    We're having issues with running Peoplesoft jobs in TIDAL. The Tidal Master Service runs as LOCAL SYSTEM and the account has all the rights that are specified in the doc. However, Peoplesoft does not see the output path of the Peoplesoft folder.
    Does the Tidal Master Service need to run as a service account???

    If the output path for the Peoplesoft Folder is not on the Master server, then the Master service needs to run as a Service Account with access to the output path for the Peoplesoft Folder.  When a Windows Service runs as a LOCAL SYSTEM account it can only access the server's resources; UNC folders on other servers are not accessible.

  • Permissions problem: Public folders/Shared Calendars across domains with Linked accounts

    I have a linked mailbox that is accessed by an account in a trusted domain.  The account can access e-mail, send e-mail, free-busy search, etc, just fine.  However, there seems to be a permissions issue with the public folders and shared calendars. 
    When trying to access the public folders for which permissions have been assigned to the linked account from the trusted domain account, I get an error, or just can't see the folders.  The only way I can view public folders is by setting default permissions on the folder to 'Read'.
    I've found some other threads that reference this problem, and a blog that no longer exists as the solution:
    http://social.technet.microsoft.com/Forums/en-US/exchangesvrclientslegacy/thread/5fdf4cd7-3543-4b5d-94cc-317446ddaa46
    If anyone has any ideas or the solution that was shown in the above referenced blog, I'd be very grateful!
    -shane

    Hi, Shane,
    I believe you can try James' suggestion in the link
    http://social.technet.microsoft.com/Forums/en-US/exchangesvrclientslegacy/thread/6c88569d-e693-46f4-a8fa-e1f9e5b6234e/ to get it solved.
    Per "Detecting and Correcting msExchMasterAccountSid Issues", it says:
    Active Directory does not enforce simultaneous performance of all these tasks, nor does it enforce removal of the Associated External Account or msExchMasterAccountSid if an Active Directory account is re-enabled.
    Regards,
    Sharon
    Sharon Shen
    TechNet Community Support

  • Default ZAM 10 Windows Service Accounts

    Hi there,
    My customer's security department did a review and noticed some strangely named service accounts in this Windows 2008 member server running just ZAM 10. They would like to get more info on these accounts but we could find none in the documentation.
    Here is part of the conversation:
    Our security people are questioning some logon accounts used by Novell Zam/ZCM on servers. (See Below). It has proven impossible so far to find definitive info about these accounts possibly due to Google not liking the format of the account name. The account used on the main server is slightly different (.\__z_1_200__). These accounts were created by Zam on install. Any information on them would be greatly appreciated and in particular the rights they require on the server.
    There is a strange local admin user set up <server-name>.
    The account is called _z_1_80_ . Does anyone know what it is?
    It must be created as part of the zcm product that is installed on this server. The server <another-server> also has an account like this and this has zcm installed also.
    Also attached is a screenshot of the services applet.
    cheers,
    Kirk

    They are created during the install for use in various ZEN Services.
    There is nothing special about the accounts other than that they are
    local administrators.
    The Services using those accounts can be changed to use another local
    administrator account by using the services control panel.
    On 7/21/2010 11:46 AM, kmaule wrote:
    >
    > Hi there,
    >
    > My customer's security department did a review and noticed some
    > strangely named service accounts in this Windows 2008 member server
    > running just ZAM 10. They would like to get more info on these accounts
    > but we could find none in the documentation.
    >
    > Here is part of the conversation:
    >> Our security people are questioning some logon accounts used by Novell
    >> Zam/ZCM on servers. (See Below). It has proven impossible so far to find
    >> definitive info about these accounts possibly due to Google not liking
    >> the format of the account name. The account used on the main server is
    >> slightly different (.\__z_1_200__). These accounts were created by Zam
    >> on install. Any information on them would be greatly appreciated and in
    >> particular the rights they require on the server.
    >>
    >>
    >> There is a strange local admin user set up<server-name>.
    >> The account is called _z_1_80_ . Does anyone know what it is?
    >> It must be created as part of the zcm product that is installed on
    >> this server. The server<another-server> also has an account like this
    >> and this has zcm installed also.
    >
    > Also attached is a screenshot of the services applet.
    >
    > cheers,
    > Kirk
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Knowledge Partner
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

    I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
    "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
    Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
    ID: 2607"
    What I've seen online is that this is usually because the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    5) Neither service account is locked out
    Has anyone run into this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
    Andrew Topp

    That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG as suggested by 331951, and that made absolutely no difference.
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

  • Built-in domain Administrator account not given full access to new Exchange 2013 server

    I migrated from Exchange 2010 to 2013 over the weekend.  I cannot log into the EAC with my domain administrator account I use to log into all my other servers.  I also cannot run the clean-mailboxdatabase cmdlet logged in as this user.  I had no trouble moving mailboxes from the old server to the new server with this account though.
    This account is a member of: Domain Admins, Enterprise Admins, Exchange Full Admin, Exchange Organization Admin, Organization Management, Schema Admins, Server Management.
    I can log into the EAC with another admin account that has the same memberships as the Administrator account.
    I tried giving the account the role of "Databases" as suggested by others to fix the clean-mailboxdatabase issue but that did not work for me either.
    The Administrator mailbox has been moved to the new database on the Exchange 2013 server.  The Exchange 2010 has been decommissioned and is turned off.

    Hi,
    Based on my research, to retrieve the mailbox statistics for the disconnected mailboxes for all mailbox databases in the organization, we can try the following command:
    Get-MailboxDatabase | Get-MailboxStatistics -Filter 'DisconnectDate -ne $null'
    http://technet.microsoft.com/en-us/library/bb124612(v=exchg.150).aspx
    Additionally, the Identity parameter specifies the disconnected mailbox in the Exchange database and it can be the display name instead of the mailbox GUID.
    http://technet.microsoft.com/en-us/library/jj863439(v=exchg.150).aspx
    Hope it can help you.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Farm Account cannot access some pages in Central Administration

    I am working with a new installation of SharePoint 2013 farm using least-privileged administration. I used a server local admin account to set up SharePoint and to run the Farm setup wizard. During the wizard I used the domain account I had created as the Farm account. Today I signed in to the Central Admin as the Farm Account (SYSTEM ACCOUNT) and there was a health analyzer problem to correct. "The server farm account should not be used for other services." In the announcement there is a link for Farm Credential Management. I click the link and the page states "Sorry this site has not been shared with you." I tried to access Security, Configure Service Accounts and got the same error. I am able to go to every other link as far as I can tell.
    Can anyone share any advice? How can I get around this problem? Thanks for the help.

    @Trevor
    It is really difficult for me to digest the logs. However, I do see these entries that seem to be related:
    b4ly Medium  
    Leaving Monitored Scope (Request (GET:http://SERVERNAME:35278/_admin/FarmCredentialManagement.aspx)). Execution Time=2512.85591714956
    b032c09c-9977-a0ff-fd14-b20e813c2f0b

  • Domain Administrator account being locked up by PDC

    Hi everyone,
    My PDC is locking up my domain administrator (administrateur in French) account.
    System event logs :
    The SAM database was unable to lockout the account of Administrateur due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please
    consider resetting the password of the account mentioned above.
    Level : Error
    Source : Directory-Services-SAM
    Event ID : 12294
    Computer : Contoso-PDC
    User : System
    There are absolutely no events in the security event log, not a single "Audit Failure" event for the "administrateur" account.
    I tried to change the name of the domain administrator account from "administrateur" to "administrator".
    Now there are "Audit failure" events popping up in the security event logs.
    Once again the Source Workstation is the PDC. I guess those events are there because it receives credential validation for an account that doesn't exist anymore since it has been renamed to "Administrator".
    Here is the detailed log:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Administrateur
    Account Domain: CONTOSO
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: CONTOSO-PDC
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    On the PDC I checked:
    Services: none of them are started with the "administrateur" account
    Network shares: there is no network share ...
    Task Scheduler: none of the tasks are launched with the "administrateur" account.
    And the logon type (3: network) seems to indicate that the login comes from another computer, but I have nothing to look for, not a single IP.
    Any ideas?
    PS: Sorry for the probable English mistakes :(

    Hi,
    Thanks for your answers.
    San4wish:
    The lockout tool confirms that the domain administrator account is locked on my PDC. I didn't run eventcomb but I thought it only helped parsing security event logs, which I did "manually". Anyway I'll try eventcomb after this weekend.
    About the Conficker worm: I looked into it and this worm was exploiting a vulnerability in the Server service. It has been patched by MS08-067 (KB958644) and this KB isn't available for Windows 2008 R2 and Windows 2012, so I guess Windows 2008 R2 has fixed this vulnerability.
    So I doubt it's a Conficker-type worm.
    Also I gave the PDC role to another DC (let's call it DC2) and now DC2 is locking the administrator account, so it seems that the computer locking the account is doing it through the network and it's not something executed on the DCs.
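
An added example (not part of the thread) for the failed-logon event quoted above, which is Security event 4625: it reads the event's EventData fields and counts failures for one account per workstation, source address and Sub Status, so the hosts sending the logons stand out. The sample events are constructed, and APP01, 192.0.2.21 and svc-backup are made-up values.

```powershell
# Added example. Sub Status meanings as documented for event 4625.
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
}

function ConvertFrom-FailedLogonXml {
    # Turns the XML of one 4625 event into an object with the fields used for triage.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        $f = @{}
        foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $reason = $SubStatusText[[string]$f['SubStatus']]
        if (-not $reason) { $reason = "sub status $($f['SubStatus'])" }
        [pscustomobject]@{
            Account     = $f['TargetUserName']
            LogonType   = $f['LogonType']
            Package     = $f['AuthenticationPackageName']
            Workstation = $f['WorkstationName']
            SourceIp    = $f['IpAddress']
            Reason      = $reason
        }
    }
}

function Get-FailedLogonSummary {
    # Counts failures for one account per (workstation, source address, reason).
    param([string[]]$EventXml, [string]$Account)
    $EventXml | ConvertFrom-FailedLogonXml |
        Where-Object { $_.Account -eq $Account } |
        Group-Object Workstation, SourceIp, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function New-SampleEventXml($User, $Workstation, $Ip, $SubStatus) {
    # Constructed stand-in for the string returned by (Get-WinEvent ...).ToXml()
    $t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
         '<Data Name="TargetUserName">{0}</Data><Data Name="LogonType">3</Data>' +
         '<Data Name="AuthenticationPackageName">NTLM</Data><Data Name="WorkstationName">{1}</Data>' +
         '<Data Name="IpAddress">{2}</Data><Data Name="SubStatus">{3}</Data></EventData></Event>'
    $t -f $User, $Workstation, $Ip, $SubStatus
}

$sample = @(
    New-SampleEventXml 'Administrateur' 'CONTOSO-PDC' '-' '0xc0000064'
    New-SampleEventXml 'Administrateur' 'CONTOSO-PDC' '-' '0xc0000064'
    New-SampleEventXml 'Administrateur' 'APP01' '192.0.2.21' '0xc0000064'
    New-SampleEventXml 'svc-backup' 'APP01' '192.0.2.21' '0xc000006a'
)
Get-FailedLogonSummary -EventXml $sample -Account 'Administrateur'

# Live use on a DC (needs rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml -Account 'Administrateur'
```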

  • SQL Server Service Account - Domain Account - WMI Provider Error - 0x80092004

    Hi,
    If I try to use a domain account for SQL service start using SQL Configuration Manager, I receive the error
    WMI Provider Error - 0x80092004
    in Popup Window and in Eventlog 5 Error Events from Source MSSQLSERVER:
    26014:
    Unable to load user-specified certificate [Cert Hash(sha1) "BA78B5DBF93CCD7EFA1860C99B0D6141D480199A"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for
    Use by SSL" in Books Online.
    17182:
    TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property. "
    17182:
    TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
    17826:
    Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
    17120:
    SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
    After I put the account in local administrator group the service starts up.
    I want to use the lowest privileges. Do I really need the SQL server service account in local administrator group? How to fix the error?
    thanks

    Hi baschuel,
    It is recommended to run the SQL Server service using the lowest possible user rights, and it is supported to use a domain account instead of an account from the local Administrators group to configure the SQL Server service. According to your error messages, the issue could be that an incorrect certificate is used, or that the domain account has no access to the Crypto folder (C:\ProgramData\Microsoft\Crypto). To troubleshoot the issue, you could follow the two solutions below.
    1. Import the correct certificate following the steps in the article:
    http://windows.microsoft.com/en-hk/windows/import-export-certificates-private-keys#1TC=windows-7
    2. Grant the domain account full access to the Crypto folder.
    Regards,
    Michelle Li

  • ExceptionMessage: 'Access denied. Only machine administrators are allowed to create administration service job definitions of type: Microsoft.TeamFoundation.SharePoint.WebAccess.ApplyWebConfigModificationsJobDefinition

    Hi,
    I am getting the error "Access Denied" when my code tries to get "SPWebService.JobDefinition" with an AppPool account of the content site. The same code runs correctly for the AppPool of the CentralAdmin site.
    Lemme provide some background of the servers
    - We have multi-server FARM
    - WFE and APP servers are in different domains, there is one-way trust between the domains.
    - We have UAC (User Access Control) set as high on each server
    - My site is internet site
    Lines of Code are following
    SPWebService service = SPWebService.ContentService;
    var syncTimerJob = from SPJobDefinition job in service.JobDefinitions
                       where job.Name == "MyJob"
                       select job;
    I am running the above code within SPSecurity.RunWithElevatedPrivileges so the above code is running with the APP POOL account. I'm getting the error in the 2nd line where I have a LINQ query. And I'm assuming this is because of the "service.JobDefinition" line. Can anyone help me?
    Detailed Error:
    An exception has occurred.   ExceptionType: 'TargetInvocationException'   ExceptionMessage: 'Exception has been thrown by the target of an invocation.'   StackTrace: ' 
    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)     
    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     
    at Microsoft.SharePoint.Administration.SPAutoSerializingObject.GetInstanceFromType(Type type, String typename)     
    at Microsoft.SharePoint.Administration.SPPersistedObject.GetInstance(XmlNode xml, Guid classId, Boolean bResolveMissingTypes)     
    at Microsoft.SharePoint.Administration.SPFileSystemCache.FetchObjectFromFileSystem(Guid id)     
    at Microsoft.SharePoint.Administration.SPFileSystemCache.GetValue(Guid id)     
    at Microsoft.SharePoint.Administration.SPCache`2.get_Item(K key)     
    at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id, Boolean checkInMemoryCache, Boolean checkFileSystemCache)     
    at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid id)     
    at Microsoft.SharePoint.Administration.SPConfigurationDatabase.Microsoft.SharePoint.Administration.ISPPersistedStoreProvider.GetObject(Guid id)     
    at Microsoft.SharePoint.Administration.SPPersistedObjectCollection`1.get_Item(Guid objId)     
    at Microsoft.SharePoint.Administration.SPPersistedObjectCollection`1.<GetEnumeratorImpl>d__0.MoveNext()     
    at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()     
    at System.Linq.Enumerable.Count[TSource](IEnumerable`1 source)     
    at Project1.SharePoint.Common.UtilityHelper.IsSyncSchedulingDisabled(StringBuilder logMessage)'   Source: 'mscorlib'   TargetSite: 'System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)'   ------------------------------------------------------------  
    Inner exception:   ------------------------------------------------------------    ExceptionType: 'SecurityException'    ExceptionMessage: 'Access denied.  Only machine administrators are allowed to create administration
    service job definitions of type: Microsoft.TeamFoundation.SharePoint.WebAccess.ApplyWebConfigModificationsJobDefinition, Microsoft.TeamFoundation.SharePoint.WebAccess, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.'    StackTrace:
    at Microsoft.SharePoint.Administration.SPAdministrationServiceJobDefinition..ctor(String name, SPService service, SPServer server, SPJobLockType lockType)      
    at Microsoft.TeamFoundation.SharePoint.WebAccess.ApplyWebConfigModificationsJobDefinition..ctor()'    Source: 'Microsoft.SharePoint'    TargetSite: 'Void .ctor(System.String, Microsoft.SharePoint.Administration.SPService, Microsoft.SharePoint.Administration.SPServer,
    Microsoft.SharePoint.Administration.SPJobLockType)'
    Any help will be appreciated.

    The bottom of your stack trace begs to differ:
    at Microsoft.TeamFoundation.SharePoint.WebAccess.ApplyWebConfigModificationsJobDefinition..ctor()'   
    Source: 'Microsoft.SharePoint'    TargetSite: 'Void .ctor(System.String, Microsoft.SharePoint.Administration.SPService, Microsoft.SharePoint.Administration.SPServer, Microsoft.SharePoint.Administration.SPJobLockType)'
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs

  • Group Managed Service Accounts Error Message access denied

    Hi, I am playing around with group managed service accounts in my lab using a 2012 R2 DC on a 2012 R2 forest and domain level, .NET 3.5 installed.
    I am following this tutorial
    http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx
    1. I installed the keys
    2. I waited for 10 hours
    3. I created the GMSA
    4. I tried to install the GMSA on the DC, logged in as the Domain admin, under an administrative PowerShell prompt
    5. I got the nasty error: access denied message.

    the powershell statement could be wrong...
    -PrincipalsAllowedToRetrieveManagedPassword
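
The parameter named in the reply above decides which computers may retrieve the gMSA's password, which also makes it the setting that ties a service account to specific servers. As an added example (not from the thread or the linked tutorial), the script below creates a gMSA scoped to a host group and checks a host against that list before installing; svc-app, GmsaHosts, APP01 and contoso.com are placeholder names.

```powershell
# Added example; svc-app, GmsaHosts, APP01 and contoso.com are placeholders.
Import-Module ActiveDirectory

function Test-GmsaHostAllowed {
    # True if the computer, directly or through (nested) group membership, is among
    # the principals allowed to retrieve the gMSA password.
    param([string]$Gmsa, [string]$Computer)
    $hostDn  = (Get-ADComputer -Identity $Computer).DistinguishedName
    $account = Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
    foreach ($dn in $account.PrincipalsAllowedToRetrieveManagedPassword) {
        if ($dn -eq $hostDn) { return $true }
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $dn -Recursive
            if ($members.DistinguishedName -contains $hostDn) { return $true }
        }
    }
    return $false
}

# Steps 1-2 of the post: confirm a KDS root key exists and note when it became effective.
Get-KdsRootKey | Select-Object KeyId, EffectiveTime

# Step 3: create the gMSA and allow only members of one host group to retrieve its password.
New-ADGroup -Name 'GmsaHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'GmsaHosts' -Members (Get-ADComputer -Identity 'APP01')
New-ADServiceAccount -Name 'svc-app' -DNSHostName 'svc-app.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'GmsaHosts'

# Step 4, run on the host that will use the account: check the allow list first.
if (Test-GmsaHostAllowed -Gmsa 'svc-app' -Computer $env:COMPUTERNAME) {
    Install-ADServiceAccount -Identity 'svc-app'
    Test-ADServiceAccount -Identity 'svc-app'    # returns True when the host can use the account
} else {
    Write-Warning "$env:COMPUTERNAME is not allowed to retrieve the password of svc-app"
}
```

A computer added to the group picks up the membership only once it obtains a new Kerberos ticket, typically after a reboot.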
