This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- scanning AD users with service account (ongoing is...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-02-2022
07:01 PM
- last edited on
‎04-02-2024
10:45 AM
by
Mercedes_O
I have been working with Support on this issue for the last two months, and the last time I have heard from them was on 7/22, so I am trying to see if anybody here in the Forums can also assist because we really need this to work again. The last information I sent to Support (besides asking for updates) was log files from using the testconnection.exe as Support was saying the service account could not reach our DC's with Kerberos.
Here's the short story: the ADUser table is no longer repopulating after support had me delete all of the users from the table. Currently, lansweeper is only seeing 49 users, where it should be a few thousand users. It was working just fine until a recent security change forced us to have the service account that was used to scan no longer have domain admin rights. We have verified the scanning targets are set up properly and have mapped to the right credential.
I know it's set up right as it's scanning 49 users but can't figure out why it won't get the rest. Any more suggestions\guidance would be great.
Solved! Go to Solution.
Labels:
- Labels:
-
General Discussion
-
scanning
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-05-2022 04:08 PM - edited ‎08-05-2022 04:09 PM
Here's the response I received back from LS email support this morning, and once I did their suggestion, and re-scan our User Base, the Local AD user scan started to work again and it picked up the rest of our users. Thanks to both LS Email Support and the Forum Admins for assisting with this issue.
We could see in the Errorlog.txt that connecting to your AD domain and retrieving users and groups is not the problem. So the configuration is correct. However, we did come across an error that is usually thrown when the user that is performing the AD Scan (the Lansweeper Service Account) does not have sufficient access rights on the entire AD domain.
Assigning permissions to AD users is done in Active Directory Users & Computers:
- right-click your domain, choose Delegate Control..., Next
- choose: Add and search for the AD user you use in Lansweeper(the Lansweeper Service Account), Next
- Delegate the following common tasks: choose Read all user information (see: screenshot) and Read all inetOrgPerson information, Next
- choose Finish
Please re-assign these permissions and Rescan the AD User/Group Path Scanning Target.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-05-2022 04:08 PM - edited ‎08-05-2022 04:09 PM
Here's the response I received back from LS email support this morning, and once I did their suggestion, and re-scan our User Base, the Local AD user scan started to work again and it picked up the rest of our users. Thanks to both LS Email Support and the Forum Admins for assisting with this issue.
We could see in the Errorlog.txt that connecting to your AD domain and retrieving users and groups is not the problem. So the configuration is correct. However, we did come across an error that is usually thrown when the user that is performing the AD Scan (the Lansweeper Service Account) does not have sufficient access rights on the entire AD domain.
Assigning permissions to AD users is done in Active Directory Users & Computers:
- right-click your domain, choose Delegate Control..., Next
- choose: Add and search for the AD user you use in Lansweeper(the Lansweeper Service Account), Next
- Delegate the following common tasks: choose Read all user information (see: screenshot) and Read all inetOrgPerson information, Next
- choose Finish
Please re-assign these permissions and Rescan the AD User/Group Path Scanning Target.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2022 03:40 PM
I thought any standard user would be able scan active directory users?
Maybe just check the effective access for your lansweeper service on both a successfully scanned user and a failed user? I think it probably needs at least 'Read all properties' of the user account.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2022 03:44 PM - edited ‎08-04-2022 03:46 PM
edit - sorry just read the bit about "service account could not reach our DC's with Kerberos" - suspect my suggestion isn't valid!
Create a new service account?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2022 01:26 PM
Hello there!
We are sorry to hear that your issue has not been resolved yet. We have escalated your support case to our senior support engineers for further assistance. We thank you for your patience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2022 03:23 PM
thanks. will wait to hear back. in addition, here's my reference case number if that helps.
scanning AD users with service account [ ref:_00D1tqhAh._5006NKrAeP:ref ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-04-2022 03:46 PM
We were able to find the support case based on the title of your forum post. But thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-02-2022 08:36 PM
Silly question, but is the service account at least a local admin on the computer? We did the same change on our end recently, where we removed the service account from the domain admin group. Instead, we created an AD group, put the service account in it, and gave it local admin rights to our workstations through GPO.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-02-2022 08:58 PM
I don't think so. However, we do have a group called Desktop Local Admins and it has local admin rights on the computers via GPO that we could add the service account to.
But the bigger question still remains, why does it sync a few users but not others that are in the same OU?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-02-2022 09:59 PM
Hmm, no idea on that either, especially if they are in the same OU too.
Are there any common denominators that those 49 users share with each other, that could possibly give a clue (or vice versa, if there are any commonalities between the few thousand that aren't synced)? If you haven't yet, are you able to test creating a new user account to see if it syncs?
Sorry, was not too helpful here.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Quick Weekly Update: W/C 4th September – 11th September in General Discussions
- Security Incident Report - Lansweeper Cloud in Reports & Analytics
- LAPS fails testing while setting up Scanning creds in General Discussions
- Fall 2023 launch (Ename Launch) in Product Announcements
- Update: HP and IBM warranty scanning in Product Discussions
