scanning AD users with service account (ongoing issue)

sbrammer1
Engaged Sweeper II

I have been working with Support on this issue for the last two months, and the last time I have heard from them was on 7/22, so I am trying to see if anybody here in the Forums can also assist because we really need this to work again. The last information I sent to Support (besides asking for updates) was log files from using the testconnection.exe as Support was saying the service account could not reach our DC's with Kerberos. 

Here's the short story: the ADUser table is no longer repopulating after support had me delete all of the users from the table. Currently, lansweeper is only seeing 49 users, where it should be a few thousand users. It was working just fine until a recent security change forced us to have the service account that was used to scan no longer have domain admin rights. We have verified the scanning targets are set up properly and have mapped to the right credential. 

I know it's set up right as it's scanning 49 users but can't figure out why it won't get the rest. Any more suggestions/guidance would be great.

1 ACCEPTED SOLUTION

sbrammer1
Engaged Sweeper II

Here's the response I received back from LS email support this morning, and once I followed their suggestion and re-scanned our user base, the local AD user scan started to work again and it picked up the rest of our users. Thanks to both LS Email Support and the Forum Admins for assisting with this issue.

We could see in the Errorlog.txt that connecting to your AD domain and retrieving users and groups is not the problem. So the configuration is correct. However, we did come across an error that is usually thrown when the user that is performing the AD Scan (the Lansweeper Service Account) does not have sufficient access rights on the entire AD domain. 
Assigning permissions to AD users is done in Active Directory Users & Computers:

  • right-click your domain, choose Delegate Control..., Next
  • choose: Add and search for the AD user you use in Lansweeper (the Lansweeper Service Account), Next
  • Delegate the following common tasks: choose Read all user information (see: screenshot) and Read all inetOrgPerson information, Next
  • choose Finish

Please re-assign these permissions and Rescan the AD User/Group Path Scanning Target.


11 REPLIES

GoodLuck123456
Engaged Sweeper

I thought any standard user would be able to scan Active Directory users?

Maybe just check the effective access for your Lansweeper service account on both a successfully scanned user and a failed user? I think it probably needs at least 'Read all properties' of the user account.

edit - sorry just read the bit about "service account could not reach our DC's with Kerberos" - suspect my suggestion isn't valid!

Create a new service account?
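The accepted answer fixes this by delegating "Read all user information" on the domain, and the reply above suggests comparing effective access on a user that syncs against one that does not. The following PowerShell script is an added example that is not Lansweeper's code or anything posted in this thread; it does both checks from a domain-joined host with the ActiveDirectory module, using the DirectoryServices classes: it resolves the scanning account's token (its own SID, nested groups via tokenGroups, and the well-known Authenticated Users and Everyone SIDs), lists the ACEs on the domain root that apply to that token and are scoped to the user or inetOrgPerson class (where the Delegate Control wizard writes them), and then reports the ACEs that actually apply on two named user objects. The account name, the two user names and the placeholder domain are assumptions, not values from the thread; the class schemaIDGUIDs are the standard ones.

```powershell
# Added example, not Lansweeper's or the support engineer's code.
# Assumptions (placeholders): the service account and the two sample users below.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-lansweeper'   # placeholder: sAMAccountName of the scanning account
$WorkingUser    = 'user.synced'      # placeholder: a user Lansweeper does pick up
$FailingUser    = 'user.missing'     # placeholder: a user it does not

$UserClassGuid    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$InetOrgClassGuid = [guid]'4828cc14-1437-45bc-9b07-ad6f015e5f28'  # schemaIDGUID of class "inetOrgPerson"
$ReadRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

# Every SID the account carries in its token: itself, all nested groups (tokenGroups),
# plus the well-known identities any authenticated domain principal holds.
function Get-TokenSids {
    param([string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName
    $de   = [ADSI]"LDAP://$($acct.DistinguishedName)"
    $de.RefreshCache(@('tokenGroups'))
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($acct.SID.Value)
    foreach ($raw in $de.Properties['tokenGroups']) {
        [void]$sids.Add([System.Security.Principal.SecurityIdentifier]::new([byte[]]$raw, 0).Value)
    }
    [void]$sids.Add('S-1-5-11')  # Authenticated Users
    [void]$sids.Add('S-1-1-0')   # Everyone
    return $sids
}

# ACEs on one directory object whose trustee is in the token SID set.
function Get-ApplicableAces {
    param([string]$DistinguishedName, [System.Collections.Generic.HashSet[string]]$TokenSids)
    $de = [ADSI]"LDAP://$DistinguishedName"
    $blocked = $de.ObjectSecurity.AreAccessRulesProtected   # true = inheritance from parent OU/domain is off
    $de.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $TokenSids.Contains($_.IdentityReference.Value) } |
        ForEach-Object {
            [pscustomobject]@{
                Object             = $DistinguishedName
                Trustee            = $_.IdentityReference.Value
                Type               = $_.AccessControlType
                Rights             = $_.ActiveDirectoryRights
                Property           = $_.ObjectType            # empty GUID = all properties
                AppliesTo          = $_.InheritedObjectType   # empty GUID = all object classes
                Inherited          = $_.IsInherited
                InheritanceBlocked = $blocked
            }
        }
}

# Summarise whether "read all properties" is granted and not overridden by a Deny.
function Test-ReadAllProperties {
    param([object[]]$Aces)
    $denies = @($Aces | Where-Object { $_.Type -eq 'Deny'  -and (([int]$_.Rights) -band $ReadRights) -ne 0 })
    $allows = @($Aces | Where-Object { $_.Type -eq 'Allow' -and (([int]$_.Rights) -band $ReadRights) -ne 0 -and $_.Property -eq [guid]::Empty })
    [pscustomobject]@{
        ReadAllPropertiesAllowed = ($allows.Count -gt 0) -and ($denies.Count -eq 0)
        AllowAces                = $allows.Count
        DenyAces                 = $denies.Count
    }
}

$token    = Get-TokenSids -SamAccountName $ServiceAccount
$domainDn = (Get-ADDomain).DistinguishedName

# 1) The delegation from the accepted answer should appear on the domain root as Allow ACEs
#    scoped (AppliesTo) to the user and inetOrgPerson classes, or to all classes.
Write-Host "== ACEs on $domainDn applying to $ServiceAccount and its groups =="
Get-ApplicableAces -DistinguishedName $domainDn -TokenSids $token |
    Where-Object { $_.AppliesTo -in @($UserClassGuid, $InetOrgClassGuid, [guid]::Empty) } |
    Format-Table Trustee, Type, Rights, AppliesTo, Inherited -AutoSize

# 2) Compare what actually applies on a user that syncs versus one that does not.
foreach ($sam in @($WorkingUser, $FailingUser)) {
    $dn   = (Get-ADUser -Identity $sam).DistinguishedName
    $aces = @(Get-ApplicableAces -DistinguishedName $dn -TokenSids $token)
    Write-Host "== $sam ($dn) =="
    $aces | Format-Table Trustee, Type, Rights, Property, Inherited, InheritanceBlocked -AutoSize
    Test-ReadAllProperties -Aces $aces | Format-List
}
```

Run it as any account that can read the security descriptors (a regular domain user can usually read them; it does not need to run as the service account itself). If the failing user shows InheritanceBlocked as true, or shows a Deny ACE the synced user lacks, the delegation on the domain root never reaches that object and the difference explains why users in the same OU behave differently; if both users show identical ACEs, the missing users are not an ACL problem and the scanning-target or connectivity side is the place to look next.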

Obi_1_Cinobi
Lansweeper Tech Support

Hello there!

We are sorry to hear that your issue has not been resolved yet. We have escalated your support case to our senior support engineers for further assistance. We thank you for your patience.

sbrammer1
Engaged Sweeper II

Thanks. Will wait to hear back. In addition, here's my reference case number if that helps.

scanning AD users with service account [ ref:_00D1tqhAh._5006NKrAeP:ref ]

Obi_1_Cinobi
Lansweeper Tech Support

We were able to find the support case based on the title of your forum post. But thanks!

mapotofu
Engaged Sweeper

Silly question, but is the service account at least a local admin on the computer? We did the same change on our end recently, where we removed the service account from the domain admin group. Instead, we created an AD group, put the service account in it, and gave it local admin rights to our workstations through GPO.

sbrammer1
Engaged Sweeper II

I don't think so. However, we do have a group called Desktop Local Admins and it has local admin rights on the computers via GPO that we could add the service account to.

But the bigger question still remains, why does it sync a few users but not others that are in the same OU? 

Hmm, no idea on that either, especially if they are in the same OU too.

Are there any common denominators that those 49 users share with each other that could possibly give a clue (or vice versa, if there are any commonalities between the few thousand that aren't synced)? If you haven't yet, are you able to test creating a new user account to see if it syncs?

Sorry, was not too helpful here.