AD Query cannot access DC server when AD Query is configured for non-admin user
Solution ID: sk180232
Product: Identity Awareness
Version: R80.20 (EOL), R80.20.x, R80.30 (EOL), R80.40, R81, R81.10, R81.10.x, R81.20
OS: Gaia, Gaia Embedded
Date Created: 03-Nov-2022
Last Modified: 05-Jan-2023
Symptoms
- When AD Query is configured for a user who is not an admin on the Domain Controller (DC), AD Query cannot access the DC.
- The DC is a Windows Server 2016 with KB5018411 installed, or a Windows Server 2019 with KB5018419 installed.
- In SmartConsole, an error message shows "At least one DC is disconnected".
- On the Security Gateway, the output of the command "adlog a dc" shows:
  "Disconnected, WMI permission error [ntstatus = 0x80041003]"
Cause
In the October Windows update (KB5018411 / KB5018419), Microsoft changed the read privileges required on the DC, and this change affects AD Query from an Identity Awareness Gateway to a DC.
If AD Query is configured with a DC user who is not an admin (see sk93938), AD Query cannot access the DC.
If AD Query is configured with a DC admin, there is no issue: a DC admin can still read all Event Logs, including the Internet Explorer logs, after the Windows update.
Solution
Check Point recommends using Identity Collector instead of AD Query.
For more information about Identity Collector, see:
For customers who prefer to continue using AD Query, the following workarounds are available for Check Point appliances and open servers:
Workaround 1 - Change the Query Type to non-Admin
Important Notes: This workaround is suitable only for environments without forwarded events configured. This workaround is not supported for Quantum Spark SMB appliances.
Follow the relevant procedure to change the query type to non-admin (see sk104900):

For an Identity Awareness Gateway / Cluster
- In the CLI of the Security Gateway / all Cluster members, run:
  # adlogconfig a
- Enter: 31 - WMI Query Type
- Enter: 3 - Non admin query
- Enter: 33 - Exit and save
- Run:
  # adlog a control reconf

For a Management Server / Multi-Domain Server with Identity Logging configured
- In the CLI of the Management Server / all relevant Management Domains, run:
  # adlogconfig l
- Enter: 31 - WMI Query Type
- Enter: 3 - Non admin query
- Enter: 33 - Exit and save
- Run:
  # adlog l control reconf
Workaround 2 - Make the DC user an admin
On the DC, add the user that is configured in the Account Unit object for AD Query to the "Domain Admins" group.
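As an added check that is not part of this article, the POSIX shell snippet below classifies the output of "adlog a dc" so that the 0x80041003 WMI permission error from the Symptoms section is told apart from DC disconnections with other causes; run it after applying a workaround and reconfiguring to confirm the DCs reconnect. The sample output and its line layout are constructed assumptions; only the quoted error string comes from the article.

```shell
#!/bin/sh
# Added example, not from the Check Point article: classify "adlog a dc" output
# so the KB5018411/KB5018419 WMI permission failure can be told apart from DC
# disconnections with other causes. The line layout of the sample output is an
# assumption; only the quoted error string comes from the article.

# CONSTRUCTED sample of "adlog a dc" output (not real gateway output).
SAMPLE_ADLOG_OUTPUT='dc01.example.local  Connected
dc02.example.local  Disconnected, WMI permission error [ntstatus = 0x80041003]
dc03.example.local  Disconnected, connection timed out'

# Read adlog output on stdin, print one classified line per DC and return:
#   0 - every DC is connected
#   2 - at least one DC shows the WMI permission error (0x80041003), i.e. the
#       symptom this article describes for a non-admin AD Query account
#   3 - some DC is disconnected, but for a different reason
classify_dc_status() {
    _status=0
    while IFS= read -r _line; do
        case "$_line" in
            *'WMI permission error [ntstatus = 0x80041003]'*)
                echo "AFFECTED (non-admin AD Query after KB5018411/KB5018419): $_line"
                _status=2 ;;
            *Disconnected*)
                echo "DISCONNECTED (other cause, investigate separately): $_line"
                [ "$_status" -eq 0 ] && _status=3 ;;
            *Connected*)
                echo "OK: $_line" ;;
        esac
    done
    return "$_status"
}

# Count the DCs hit by the WMI permission error; prints the number.
count_affected_dcs() {
    grep -c 'WMI permission error \[ntstatus = 0x80041003\]'
}

# Stand-alone run over the constructed sample. On a gateway, replace the
# here-document with:  adlog a dc | classify_dc_status
classify_dc_status <<EOF
$SAMPLE_ADLOG_OUTPUT
EOF
echo "exit status: $?"
```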

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.