AD Query cannot access DC server when AD Query is configured for non-admin user
Symptoms
  • When AD Query is configured for a user who is not an admin on the Domain Controller (DC), AD Query cannot access the DC.
  • The DC is a Windows Server 2016 with KB5018411 installed, or Windows Server 2019 with KB5018419 installed.
  • In SmartConsole, an error message shows "At least one DC is disconnected".
  • On the Security Gateway, the output of the command adlog a dc shows: "Disconnected, WMI permission error [ntstatus = 0x80041003]".
Cause
In the October Windows update (KB5018411 / KB5018419), Microsoft made changes to read privileges that affect AD Query from an Identity Awareness Gateway to a DC.

If AD Query is configured for a DC user who is not an admin (see sk93938), AD Query cannot access the DC.

If AD Query is configured for a DC admin, there is no issue. A DC admin can read all Event Logs, including the Internet Explorer logs, after the Windows update.


Solution
Check Point recommends using Identity Collector instead of AD Query.

For more information about Identity Collector, see:
For customers who prefer to continue using AD Query, these workarounds are available for Check Point appliances and open servers:

Workaround 1 - Change the Query Type to non-Admin

Important Notes - This workaround is suitable only for environments without forwarded events configured. This workaround is not supported for Quantum Spark SMB appliances.

Follow the relevant procedure to change the query type to non-admin (see sk104900):

For an Identity Awareness Gateway / Cluster
  1. In the CLI of the Security Gateway / all Cluster members, run:
    # adlogconfig a
  2. Enter 31 - WMI Query Type
  3. Enter 3 - Non admin query
  4. Enter 33 - Exit and save
  5. Run:
    # adlog a control reconf
For a Management Server / Multi-Domain Server with Identity Logging Configured
  1. In the CLI of the Management Server / all relevant Management Domains, run:
    # adlogconfig l
  2. Enter 31 - WMI Query Type
  3. Enter 3 - Non admin query
  4. Enter 33 - Exit and save
  5. Run:
    # adlog l control reconf
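After the reconfiguration, re-running adlog a dc on the Security Gateway is the quickest way to confirm that the DC is no longer reported with the WMI permission error from the Symptoms above. The shell snippet below is an added example and is not Check Point's own code: it scans adlog output for the error string "WMI permission error [ntstatus = 0x80041003]" and lists the affected DCs. The sample output embedded in it is constructed for illustration, and the assumed line layout (DC name in the second column) is an assumption; adjust the awk field if the real adlog a dc output differs.

```shell
#!/bin/sh
# Added example (not Check Point's own code): check "adlog a dc" output for the
# WMI permission error described in this article (ntstatus 0x80041003).

# CONSTRUCTED sample output. The real "adlog a dc" layout may differ; only the
# error string itself is taken from the article.
SAMPLE_ADLOG_DC_OUTPUT='DC dc1.example.local    Connected
DC dc2.example.local    Disconnected, WMI permission error [ntstatus = 0x80041003]
DC dc3.example.local    Disconnected, no route to host'

WMI_ERROR_PATTERN='WMI permission error \[ntstatus = 0x80041003\]'

# count_wmi_permission_errors: read adlog output on stdin and print how many
# lines report the WMI permission error. "|| true" keeps the exit status 0
# when grep -c finds nothing, so the function is safe under "set -e".
count_wmi_permission_errors() {
    grep -c "$WMI_ERROR_PATTERN" || true
}

# list_wmi_permission_error_dcs: read adlog output on stdin and print the name
# of each affected DC. Assumes the "DC <name> <status>" layout of the sample.
list_wmi_permission_error_dcs() {
    grep 'ntstatus = 0x80041003' | awk '{print $2}'
}

# check_adlog_dc: take the adlog output as $1, report affected DCs and return
# 1 if any DC still shows the WMI permission error, 0 otherwise.
check_adlog_dc() {
    n=$(printf '%s\n' "$1" | count_wmi_permission_errors)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n DC(s) still report the WMI permission error (see sk104900 / sk93938):"
        printf '%s\n' "$1" | list_wmi_permission_error_dcs
        return 1
    fi
    echo "No DC reports the WMI permission error."
    return 0
}

# Run against the constructed sample. On a gateway, replace the sample with
# live output, for example: check_adlog_dc "$(adlog a dc)"
check_adlog_dc "$SAMPLE_ADLOG_DC_OUTPUT" || :
```

On the sample, the check reports dc2.example.local as the only DC affected by the permission error; dc3.example.local is disconnected for an unrelated reason and is deliberately not matched, so the script only flags the condition this article describes.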

Workaround 2 - Make the DC user an admin

On the DC, add the user that is in the Account Unit object for AD Query to the "Domain Admins" group.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
