This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

scanning AD users with service account (ongoing issue)

Go to solution
sbrammer1
Engaged Sweeper II

‎08-02-2022 07:01 PM - last edited 4 weeks ago by Community Manager

I have been working with Support on this issue for the last two months, and the last time I have heard from them was on 7/22, so I am trying to see if anybody here in the Forums can also assist because we really need this to work again. The last information I sent to Support (besides asking for updates) was log files from using the testconnection.exe as Support was saying the service account could not reach our DC's with Kerberos. 

Here's the short story: the ADUser table is no longer repopulating after support had me delete all of the users from the table. Currently, lansweeper is only seeing 49 users, where it should be a few thousand users. It was working just fine until a recent security change forced us to have the service account that was used to scan no longer have domain admin rights. We have verified the scanning targets are set up properly and have mapped to the right credential. 

I know it's set up right as it's scanning 49 users but can't figure out why it won't get the rest. Any more suggestions\guidance would be great.

Labels:
1 ACCEPTED SOLUTION
Go to solution
sbrammer1
Engaged Sweeper II

‎08-05-2022 04:08 PM - edited ‎08-05-2022 04:09 PM

Here's the response I received back from LS email support this morning, and once I did their suggestion, and re-scan our User Base, the Local AD user scan started to work again and it picked up the rest of our users. Thanks to both LS Email Support and the Forum Admins for assisting with this issue.

We could see in the Errorlog.txt that connecting to your AD domain and retrieving users and groups is not the problem. So the configuration is correct. However, we did come across an error that is usually thrown when the user that is performing the AD Scan (the Lansweeper Service Account) does not have sufficient access rights on the entire AD domain. 
Assigning permissions to AD users is done in Active Directory Users & Computers:

  • right-click your domain, choose Delegate Control..., Next
  • choose: Add and search for the AD user you use in Lansweeper(the Lansweeper Service Account), Next
  • Delegate the following common tasks: choose Read all user information (see: screenshot) and Read all inetOrgPerson information, Next
  • choose Finish

Please re-assign these permissions and Rescan the AD User/Group Path Scanning Target.

View solution in original post

Preview file
22 KB
11 REPLIES 11
Go to solution
sbrammer1
Engaged Sweeper II
In response to mapotofu

‎08-03-2022 05:24 PM

We add new accounts daily as we are a community college, and those new accounts are not showing up. Those 49 accounts are mostly IT users, few service accounts (but not all), couple staff, and two retirees. 

I took a look at a few of those accounts, and all of them have AdminCount attributes set to 1 in their AD account properties. The rest of the accounts (from what i can tell that aren't syncing to LS don't have that attribute set)

Go to solution
sbrammer1
Engaged Sweeper II

‎08-02-2022 07:16 PM

In addition, we started to use the LS agent for scanning the computers.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now