View Full Version : IA And SK43874



rmmagow
2011-10-24, 14:53
Has anyone used this SK (running IA without Domain Admin) with R75.20 and gotten IA to work? I'm just starting to look at the IA feature and with a real Domain Admin account, yes, I did get userids, machine ids etc., but the powers that be do not want me using a domain admin account on the FW. I tried this SK but it isn't working right. I'm more curious to hear if anyone got this SK working with Windows 2008. Any information is highly appreciated.
Thanks

rmmagow
2011-11-15, 17:12
anybody?

mcnallym
2011-11-18, 04:09
Probably doesn't help; however, I was at Check Point yesterday for a Lunch and Learn and we discussed this in our group, and everyone in the group seemed to have the same experience (including the Check Point SE): after seeing the SK article, the end customer decided to just use a Domain Admin account, and we are asked to look away so we can't see what is being entered for the password.

I suspect that most people on here have had similar experiences when installing the feature.

tnkflx
2012-01-12, 05:42
Has anybody actually got this to work? We have the same issue, the powers that be don't want to give us a Domain Admin account, yet SK43874 does not work and we get the "bad credentials or firewall blocks DCOM traffic;" error via "adlog a dc"...

curley
2012-01-17, 11:37
I have used SK43874 and it worked for me. Granted, my AD admin is very good and ran the script and verified that his side was set up properly on all the DCs. The one thing that I noticed was that the first domain defaults to using the domain that the SmartDashboard machine is a part of. Any other domain needed the username specified as DOMAIN\USERNAME with the correct LDAP LoginDN path when setting up the new LDAP account units. I currently have 3 domains pointing to 11 servers pulling users/machines. I am currently running 75.20.

janto
2012-07-24, 02:56
Hello,

we are trying to use this function with SK43874. It's not working. The User doesn't seem to be able to read the eventlog. Have you configured anything else in your Windows GPO for this?


Sincerely,

Jan

fluke
2012-07-24, 08:37
I have done it manually according to SK43874. Are you able to connect using WMI? Check the WMI/DCOM permissions again and that the proper firewall ports are open. Check the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\CustomSD. If you are on Win2008 or above, you can also check with:

wevtutil gl security
The result must contain a value like this: (A;;0x1;;;SID_of_the_user)

Reboot of the DC is necessary for the changes to take effect.
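
Added example, not part of the post above or of SK43874: a small Python check that reads captured `wevtutil gl security` output and reports whether the channel's SDDL contains an allow ACE with the read bit (0x1) for a given SID, as the post describes. The sample output and the SID ending in -1105 are constructed placeholders.

```python
import re

# Constructed sample of `wevtutil gl security` output. The SID ending in -1105
# is a made-up placeholder standing in for the non-admin service account.
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = (
    "name: security\n"
    "enabled: true\n"
    "channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
    "(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;" + SVC_SID + ")\n"
)

READ = 0x1  # the access mask the post says the account's ACE must carry


def channel_sddl(wevtutil_output):
    """Return the SDDL string from the channelAccess line, or None."""
    for line in wevtutil_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "channelaccess":
            return value.strip()
    return None


def dacl_aces(sddl):
    """Return [(ace_type, mask, trustee), ...] for the DACL, in order."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl or "")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, ignore
        try:
            mask = int(fields[2], 0)   # hex form such as 0x1
        except ValueError:
            mask = 0                   # symbolic rights are not decoded here
        aces.append((fields[0], mask, fields[5]))
    return aces


def sid_can_read(wevtutil_output, sid):
    """True if an allow ACE for exactly this SID grants READ before any deny.

    Group membership is not resolved; only ACEs naming the SID itself count.
    """
    for ace_type, mask, trustee in dacl_aces(channel_sddl(wevtutil_output)):
        if trustee.upper() == sid.upper() and mask & READ:
            return ace_type == "A"
    return False
```

Running it against the output saved from each DC shows quickly which controllers are still missing the ACE for the service account.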

janto
2012-07-25, 04:24
Thank you.

I will try this and give a feedback here.

Jan

beruqc
2012-12-14, 11:51
I have tried the SK over and it worked for both Win2003 and Win2008 DCs. However, the manual instruction for Win2008 looks incomplete. It didn't work. The sysadmin then tried the PowerShell script and we were able to collect event logs. It seems that the script does a lot more than the manual instructions.

Martin