No Security Logging in Windows 2008R2

Hi all!!!
My company's Server 2008 R2 cannot update the Security log in the Event Viewer. After I clear the Security log, it only has one Information entry about the "Log clear" but still gets nothing else. I just undid all the GPO settings but still no luck!! After that I went to Windows\System32\winevt\Logs and discovered that security.evtx is only 64 KB; the other event log files are working fine, except the Security log. Has anyone had this problem before?? Or any suggestions about it? Thanks a lot!!!

Hi!!
Thanks for your help!! I just added the NTFS permission for Local Service and Network Service to the Logs folder, but I cannot restart the eventlog service, because some programs are related to this service. I will try tonight and let you know how it goes after I restart! THANKS A LOT!!!!
Johnson

Similar Messages

  • Unable to receive an email by task scheduler on audit failure in windows server 2008 r2 security log

    Dear All,
    I am sorry in advance if I am on the wrong forum. I have created a task on a Server 2008 R2 domain controller so that when an audit failure event is triggered in the Windows Security log, an email should reach my email ID, but unfortunately nothing happens on audit failure. I receive no email from Task Scheduler.
    Kindly suggest how to resolve the issue. I have created the email task on event ID 4771.
    Thanks.
    Zeeshan Ibrahim Network Administrator

    Hi Zeeshan,
    I have found a hotfix against the same error messages, though it applies to Windows Vista and Windows Server 2008, I am not sure if it will work on your machine.
    Please refer to this KB article below:
    Duplicate triggers are generated incorrectly in scheduled tasks in Windows Vista or in Windows Server 2008
    http://support.microsoft.com/kb/2617046
    Please feel free to let us know if this hotfix couldn’t help you fix this issue.
    Best Regards,
    Amy Wang

  • Tracking oracle database activities in security/system logs of windows server

    Can database activity like creating or dropping tables and packages be tracked in the security/system logs of Windows 2003 Server for Oracle Database 10.2.0.4?
    Can purging of the Oracle log, in case the file has become big or has even been tampered with, be tracked in the security/system logs of Windows 2003 Server for Oracle Database 10.2.0.4?
    dhomya

    Hi Dhomya,
    I am not familiar with Oracle database, though you may try to enable file system auditing:
    Audit object access
    https://technet.microsoft.com/en-us/library/cc776774(v=ws.10).aspx
    Apply or modify auditing policy settings for an object using Group Policy
    https://technet.microsoft.com/en-us/library/cc757864(v=ws.10).aspx
    Best Regards,
    Amy

  • Windows 2008 member server, repeating event 4625 in the security log

    Hello,
       I'm having an issue with a member server on our 2008 domain, security log is filling up with event 4625, here are the details:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          4/23/2014 2:04:42 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      my.member.server
    Description:
    An account failed to log on.
    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0
    Logon Type:   3
    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  
     Account Domain:  
    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a
    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -
    Network Information:
     Workstation Name: -
     Source Network Address: 10.0.0.115
     Source Port:  51366
    Detailed Authentication Information:
     Logon Process:  Kerberos
     Authentication Package: Kerberos
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2014-04-23T18:04:42.197Z" />
        <EventRecordID>99893119</EventRecordID>
        <Correlation />
        <Execution ProcessID="744" ThreadID="844" />
        <Channel>Security</Channel>
        <Computer>KLINEWEB.kline.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">
        </Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">Kerberos</Data>
        <Data Name="AuthenticationPackageName">Kerberos</Data>
        <Data Name="WorkstationName">-</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.0.0.115</Data>
        <Data Name="IpPort">51366</Data>
      </EventData>
    </Event>
    The IP addresses that appear in the source network address all belong to VPN clients. And it looks like it's only happening with 4-5 IPs, all of which are VPN clients. These clients shouldn't be connecting to anything on this server, which is why it's puzzling.
    Our DC is Windows 2008 and the VPN server is another member server on the domain. I suspect the issue is at the client PCs since there are many other VPN clients connected that don't generate the event ID.
    Can anyone tell what the issue might be?
    Thanks.

    Hi Rayminette,
    There are multiple login sources that could possibly be generating the errors:
    FTP logins - check your FTP log to see if login failures are showing up at the same time.
    Logins via Basic Authentication over http or https (simple, but possibly dangerous, way to password-protect a web site).
    ASP scripts.
    This logon type 8 indicates a network logon like logon type 3 but where the password was sent over the network in the clear text. Windows server doesn’t allow connection to shared file or printers with clear text authentication. The only situation I’m aware of are logons from within an ASP script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication mode. In both cases the logon process in the event’s description will list advapi. Basic authentication is only dangerous if it isn’t wrapped inside an SSL session (i.e. https). As far as logons generated by an ASP script, remember that embedding passwords in source code is a bad practice for maintenance purposes as well as the risk that someone malicious will view the source code and thereby gain the password.
    Reference from:
    What is the source of thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext)?
    I hope this helps.
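
One way to triage events like the one posted in this thread offline, as an added example that is not part of the original posts: it parses exported 4625 Event XML and groups failures by source address, logon type, logon process and sub-status, so a type 3 Kerberos failure is kept apart from a type 8 (NetworkCleartext) Advapi one. The `make_event` helper, the `192.0.2.10` address and the `webuser` name are constructed sample data; the `10.0.0.115` values are taken from the posted event.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# NTSTATUS codes commonly seen in the Status/SubStatus fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",       # generic bad user name or password
    0xC000006A: "STATUS_WRONG_PASSWORD",      # account exists, password is wrong
    0xC0000064: "STATUS_NO_SUCH_USER",        # account name does not exist
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}


def parse_4625(xml_text):
    """Return the triage-relevant fields of one 4625 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "4625":
        return None
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    data = {d.get("Name"): (d.text or "").strip() for d in root.iter(f"{NS}Data")}
    logon_type = int(data.get("LogonType") or 0)
    sub_status = int(data.get("SubStatus") or "0", 16)
    return {
        "source_ip": data.get("IpAddress") or "-",
        "target_user": data.get("TargetUserName") or "(empty)",
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "logon_process": data.get("LogonProcessName") or "-",
        "auth_package": data.get("AuthenticationPackageName") or "-",
        "sub_status": NTSTATUS.get(sub_status, hex(sub_status)),
    }


def summarize(xml_events):
    """Count failures per (source IP, logon type, logon process, sub-status)."""
    counts = Counter()
    for xml_text in xml_events:
        ev = parse_4625(xml_text)
        if ev:
            key = (ev["source_ip"], ev["logon_type"],
                   ev["logon_process"], ev["sub_status"])
            counts[key] += 1
    return counts


def make_event(ip, logon_type, process, package, sub_status, user="", event_id=4625):
    """Build a minimal Security event in the same XML layout (constructed sample)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{sub_status}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="LogonProcessName">{process}</Data>
    <Data Name="AuthenticationPackageName">{package}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample input: two events mirroring the posted one, one constructed
# type 8 failure for contrast, and one non-4625 event that must be ignored.
SAMPLE_EVENTS = [
    make_event("10.0.0.115", 3, "Kerberos", "Kerberos", "0xc000006a"),
    make_event("10.0.0.115", 3, "Kerberos", "Kerberos", "0xc000006a"),
    make_event("192.0.2.10", 8, "Advapi  ", "Negotiate", "0xc0000064", user="webuser"),
    make_event("192.0.2.10", 3, "Kerberos", "Kerberos", "0x0", event_id=4624),
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_EVENTS).most_common():
        print(count, *key)
```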

  • What caused the Windows 2008R2 Security event discarded

    Dear Support team,
    I have a Windows 2008 R2 server. The security events have not been recorded since last year.
    1. The maximum log size is set to 100 MB, but the log file is 300 MB. The retention was set to "Archive the log when full, do not overwrite events".
    2. The last entry in the Security log, below, shows the registry key that I modified at that time. After I modified the registry value, all of the security events were discarded.
    A registry value was modified.
    Subject:
                    Security ID:                              domain\userid
                    Account Name:                        userid
                    Account Domain:                     domain
                    Logon ID:                                0x2c202074
    Object:
                    Object Name:                           \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security
                    Object Value Name: Retention
                    Handle ID:                               0x100
                    Operation Type:                       Existing registry value modified
    Process Information:
                    Process ID:                               0x129c
                    Process Name:                          C:\Windows\regedit.exe
    Change Information:
                    Old Value Type:                       REG_DWORD
                    Old Value:                                0
                    New Value Type:                      REG_DWORD
                    New Value:                              4294967295
    3. As far as I know, the Windows Event Log supersedes the Event Logging API beginning with the Windows Vista operating system. Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385780(v=vs.85).aspx?ppud=4
    And the registry key which I modified before ( \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\retention ) seems to apply only to Event Logging for Windows 2003 and prior systems.
    Here is the KB link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa363648(v=vs.85).aspx
    May I know the reason the security events were discarded?
    Does the Retention setting in the registry still work on Windows 2008?
    Thanks very much.
    Randy

    The new methods are via GPO described here.
    http://technet.microsoft.com/en-us/library/cc722385(v=WS.10).aspx
    http://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Excessive Logging in Windows Security Logs

    Hi,
    We are running a Windows Server 2012 server as a file server. We have 'Audit object access' turned on in the Local Security Policy. We have a file share that is enabled for auditing. We are receiving numerous Event ID 5145, 5156, and 5456 in the Security event log. Often as many as 20 entries a second, and as a result our Security log is getting too large.

    Hi,
    You can unselect some useless auditing entries, such as “Traverse folder / execute file”, or limit the maximum size of the log.
    The related article:
    Auditing File Access on File Servers
    https://blogs.technet.com/b/mspfe/archive/2013/08/27/auditing-file-access-on-file-servers.aspx
    Hope this helps.

  • Windows AD Security Logs

    Dear All,
    We set our security log size to 190 MB, but due to the large number of events, the log can only cover 1 day of events.
    Is there a recommended size that does not compromise performance and can capture, let's say, > 3 days of events?

    Hi Jhunbanz,
    You can increase the maximum log size or change the overwrite setting by following the steps below:
    Start --> Run --> EVENTVWR.MSC --> Right click Security log, go to Properties. Then, you can increase the Maximum log size. Though you have not mentioned your Windows Server version, if you have Windows Server 2008 installed, you can choose “Archive the log when full, do not overwrite events”.
    If Windows Server 2003 is installed, you can choose “Overwrite events older than X days”.

  • System and security logs

    1. Login, clear logs and log off events in Windows 2003: when does this happen and what are the IDs for these events? What is the system login?
    2. In an event when the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
    3. If there is no keyboard monitoring, is there a way to prove which PC the delete came from?
    4. Can a scheduled task be run in advance to delete the security logs at a later point of time in Windows 2003 using utilities like WMI, PowerShell etc.?
    5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?
    6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment if a firewall setting needs to be enabled in Windows 2003.
    dhomya

    1.) If you enable auditing here are the events
    https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    2.) Probably not unless you know who was at what console at what time.
    3/4.)
    http://blogs.msdn.com/b/ericfitz/archive/2007/08/10/help-someone-has-deleted-events-from-my-windows-event-log.aspx
    5.) http://support.microsoft.com/kb/278845
    6.) See 3/4
    Regards, Dave Patrick ....

  • How to Delete Non-System State Backups in Windows 2008R2

    Hello,
    I am running a Windows 2008R2 server which uses Windows Server Backup to do the backups. We are using the backup tool to create non-system state backups of the data directories on this machine. The backup is done on a dedicated disk connected through iscsi (to a Synology box). This backup disk has become too small and we have now replaced the Synology box with a bigger one. Here I created a new LUN again for backup purposes.
    Now for my question: the wbadmin.exe tool supplied with W2008R2 does not offer a way to delete the old backups. I know that in Win2012 (which we also have running) I could add the new iscsi location and then (when enough backups are available on the new target) use wbadmin.exe delete backup to delete the old non-system state backups; e.g.
     wbadmin delete backup -version:08/07/2013-21:00
    This (very undocumented) feature of Windows 2012 and higher works quite nicely and is exactly what I am searching for on the W2008R2 machine: a way to delete the old backups (and under the hood delete the corresponding snapshots).
    I've done quite a bit of research and it should be possible to do something similar in 2008, but manually. The how-to is described in the following link: http://blogs.technet.com/b/filecab/archive/2009/06/22/backup-version-and-space-management-in-windows-server-backup.aspx .
    Basically it describes that you should use DiskShadow.exe to remove e.g. the oldest snapshot with a command like:
    Delete shadows OLDEST \\?\Volume{7fc1871b-2e1f-11dd-a339-001e4fb7af35}
    Windows Server backup (wbadmin) should then on the next run 'see' this deletion and update its list of available backups:
    "You can perform the same steps manually to delete backups on demand. However, the backup catalog update cannot be done manually and it will happen instead during the next backup."
    I've done this on our box and it indeed removes the shadows from the list. However, in the Windows Backup 'dashboard' it still lists the backups as available, also after a new backup has finished (according to the article this is when it should 'update' its backup catalog). When I try to restore a backup from a date that I just removed, it gives a nice message that this is impossible because the snapshot is not available (duh :)):
    Unable to browse Local disk. The shadow copy of the backup stored on the backup destination cannot be found.
    So it seems that the aforementioned method works; it removes the snapshot and frees disk space, but it doesn't update the Windows Backup catalog. As a result the management tool (GUI) still lists the backups which are no longer available! How can I change this? Is there any way to do this? I found one article which mentions that the Dashboard bases its screen on the Windows Logs and not on the actual VSS snapshots available: http://forum.wegotserved.com/index.php/topic/23757-start-afresh-with-server-backup/ (WHS). In my situation however this seems unlikely because I don't have any logs that date back as far as my backups go.
    In my opinion this is a real bug and it leaves us with an in-consequent backup schema. Does anyone have similar situations or even a solution to my problem?
    Kind Regards, Martin

    Hi Mandy,
    Yes! I think I got my answer and I now get how Windows Backup works in Windows 2008 :-) It turns out that I dismissed some suggestions a bit too soon. The answer lies in the command mentioned earlier:
    Wbadmin delete catalog
    This command does delete all the backups from the perspective of the Windows Backup UI, but leaves the VSS snapshots intact. This means that the backups are still available, but you just can't restore them with the User Interface. In order to 'update' the UI with the currently available snapshots (which you can list with diskshadows list shadows all), you have to re-add the existing media on which the backups took place using the Wizard of the UI. It will then inform you that existing backups are available and ask if you want to keep these for restore purposes. If you click 'yes', and THEN perform a backup ... all the currently available backups will be shown in the User Interface :-)
    So for my steps taken to change from one iscsi (iscsi1) to another (iscsi2):
    - Add the 2nd iscsi target with the Windows Backup UI
    using Backup schedule , Modify backup -> [desired options] => Add more backup destinations -> iscsi2
    - Remove the 1st iscsi target with the Windows Backup UI
    using Backup schedule , Modify backup -> [desired options] => Remove current backup destinations -> iscsi1
    - Run some backups on the new destination. Old restore points are now still available. When enough restore points are available on the new volume iscsi2 start deleting old data from iscsi1 as follows:
    - Run diskshadow
    diskshadow
    - list all the current snapshots
    list shadows all
    - remove all the snapshots of iscsi1  (repeat until all shadows are gone of iscsi1)
    delete shadows oldest \\?\volume{yourvolumeid}\
    - delete the windows backup catalog
    wbadmin delete catalog
    - Restart the windows backup UI and re-add your schedule on the new volume iscsi2. It will now ask if you want the keep the existing data for restore purposes; click yes. 
    - After the next backup only the backups of volume iscsi2 will be listed and everything is fine ! 
    I hope my post will help others with similar questions. It was quite a search before I understood the way it works. Basically, as long as your VSS snapshots are still available and listed by diskshadow, you still have the backups and you will be able to get this in sync with the steps above (delete schedule and re-add originating targets containing the snapshots). After the next backup the UI will update itself.
    (In my case, somewhere along the way I lost my originating snapshots, but because I already had my new backup set it didn't bother me; it kept me from having to delete all 510 old backups :) with diskshadow)
    Regard, Martin

  • Get current logged in Windows user name

    Hi
    Is it possible to retrieve the current logged in Windows user name into a text field automatically?
    Thank you in advance for the help.

    Hi,
    This is a security issue and you will need a javascript file in the Acrobat folder. This will contain a trusted function allowing access to the login name.
    Here is a thread that looked at this:
    http://forums.adobe.com/message/2198084#2198084
    However read to the end, because if you are Reader Enabling the form (at least through Acrobat) then you may run into problems.
    Good luck,
    Niall

  • WBEMTEST doesn't give Security logs

    Hi,
    I did a WMI test and queried to see the security logs. Nothing found. I see only Application and System logs. No security logs were found.
    I used the below query.
    select * from win32_ntlogevent
    Thanks in advance.
    Rajiv,
    Technical Support Engineer.

    On Windows Server 10 TP, I don't see the same behavior you describe...
    Get-WmiObject -Query 'select * from win32_ntlogevent' | group -Property LogFile -NoElement
    Count Name                    
     1140 Security                
        1 System                  
       24 Windows PowerShell
    Hope this helps, Martin

  • SSRS 2012 SP2 - Windows 2008R2 - Microsoft.ReportingServices.ReportProcessing.RenderingObjectModelException: A generic error occurred in GDI+

    Hi,
    I have built new SQL 2012 SSRS SP2 with Windows 2008R2 and BAR reports are not showing (just "x" mark in the left corner).
    Following is the log file information. I have gone through other forums and all are with windows 8 or windows 2012. Your help is much appreciated.
    library!ReportServer_0-15!d7c!08/13/2014-10:52:17:: i INFO: RenderForNewSession('/ProductionReporting/PlantProduction')
    reportrendering!ReportServer_0-15!d7c!08/13/2014-10:52:18:: e ERROR: Throwing Microsoft.ReportingServices.ReportProcessing.RenderingObjectModelException: , Microsoft.ReportingServices.ReportProcessing.RenderingObjectModelException: A generic error occurred
    in GDI+. ---> System.Runtime.InteropServices.ExternalException: A generic error occurred in GDI+.
       at System.Drawing.Image.Save(Stream stream, ImageCodecInfo encoder, EncoderParameters encoderParams)
       at Microsoft.Reporting.Chart.WebForms.Chart.Save(Stream imageStream, ChartImageFormat format)
       at Microsoft.ReportingServices.OnDemandReportRendering.ChartMapper.GetImage(ImageType imageType)
       --- End of inner exception stack trace ---;
    Thanks,
    Vel
    Vel Thavasi

    Hi Vel,
    According to the error message, the issue is related to GDI+. Based on my research, it is a known issue that GDI+ needs to be updated on Windows Server 2008 R2. If we want to know what version of GDI+ is installed, we can do a file search for Gdiplus.dll.
    To fix this issue, please install the hotfix for your Windows Server 2008 R2 from the following KB:
    http://support.microsoft.com/kb/2495074
    The following thread about a similar issue is for your reference:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/50c071db-b4fc-4a2e-a9f4-e10e833c97d2/report-not-rendering-charts-in-pdf-a-generic-error-occurred-in-gdi?forum=sqlreportingservices
    If there are any other questions, please let me know freely.
    Regards,
    Katherine Xiong
    TechNet Community Support

  • Is this a security bug in Windows 8.1?

    I think I have discovered a serious security bug in Windows 8.1.
    Today I was using my (non-Admin) user account and with Internet Explorer I saved a file in the default Downloads folder (under This PC). The file was saved, but when I went to that folder, the file was not there! Now, I was about to download it again, using IE, same as before, when I noticed in the Save dialog box that the file had indeed been downloaded, and that it was there, in the Downloads folder under This PC. Frustrated, I went to that very folder, but the file was nowhere to be found. I was really puzzled.
    Then, by chance, while logged in another account (namely the Admin account), I happened to go to the Downloads folder, and there was the file that I had downloaded using the other account.
    Obviously, what I described above represents a security problem: firstly because my private files may get saved by mistake into another person's account without me even realizing it, and secondly because I was able to access another person's account (i.e. the Admin account) via IE's Save dialog box, seeing the list of the files there, and possibly even accessing them (I have not tried the latter, though).
    Has anyone experienced anything like the situation I described?
    I must also say that I later tried to replicate this abnormal behavior, but for some unknown reason I couldn't. Anyway, I am sure that what I described above is an accurate account of how things went.

    Hi,
    Since I cannot repro your issue on my own computer, it cannot be a bug.
    I suggest we try to use another user account to see if the same issue happens.
    Please make sure the location of your Downloads folder is right:
    Right click Downloads folder, and choose Properties.
    Make sure the location is right under your user profile.
    If not, please click Location and click Restore default.
    If we still fail to solve your issue, please run Process Monitor at the end of the downloading process to capture the actions, and upload the saved log here for further research.
    You can also check if there are any weird actions at the end of the downloading process.
    Process Monitor v3.05
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    How to use, please refer to this article:
    Using Process Monitor to capture system events
    http://www.sophos.com/en-us/support/knowledgebase/119038.aspx
    Keep post.
    Kate Li
    TechNet Community Support

  • SMB connection to Windows 2008R2 File Server Problem

    Hello, I recently migrated a file server from Windows 2003 to Windows 2008R2. Since the migration, I can no longer use our Canon multi-function printer to scan documents to a network share on the new file server. The share has Everyone, System and Authenticated Users set to Full control and the NTFS Security is set up for Everyone to modify. The connection from the Canon uses SMB using a domain account called jdoe.
    I am wondering if the problem is related to the LAN Manager authentication level settings. On the new file server and domain controllers, Network security: LAN Manager authentication level is set to Send NTLMv2 response only\refuse LM & NTLM. I have set up a network capture and hope somebody can help me out with determining the problem.
    Here are the details of the error

    It does seem possible that the NTLMv2 authentication level might be affecting things.  So I would give it a try.  It's difficult to troubleshoot from the image, but I believe there is a flag in the negotiate response that might give you a clue. 
    In either case, I think your question would be better served by our networking group, rather than the group that makes the tool.  While we have some general protocol knowledge, we don't have the depth that the experts for each component would have.
    If changing that setting doesn't work we can move this thread over to the right place.
    Thanks,
    Paul

  • Cannot access CIFS shares from Windows 2008R2 on NSS3000

    Hi,
    I am trying to upgrade our 2008 domain to 2008R2 but with that last version we cannot access CIFS shares on the NSS3000. Access from all other clients is OK. It was 100% OK under 2008...
    Whether I use the IP or the FQDN, I got an error from Windows 2008R2. From IP, I got "No process is on the other end of pipe." and from network Gui, I got "Windows cannot access \\nas0026CB647BC6. Check the spelling of the name...blabla. Details : Error Code : 0x80070035, The network path was not found".
    On the NAS, I got this errors in the cifs logs :
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
    Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
    Feb 24 14:12:48 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:48, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
    It is likely to be an incompatibility between Windows 2008R2 smbv2 and the NSS3000 smbd but I can't find any firmware update and I can't find the process to allow in the registry.
    I can ping it, I can connect on the web interface, I can connect on FTP but no CIFS at all.
    Firmware version running is 1.20.1. Hardware rev : V03.
    Any idea?

    Hi SpaceBass, have you looked into sharepoints or into Netinfo manager. I have been playing around with sharepoints and it does let me enter non local users into the sharing prefs- albeit manually. Only thing is , depending on the number of macs you have, it could be a long and tedious job entering it all by hand. Netinfo may have an easier way, I'll do some more digging and post back.
    Cheers.
