Re: [ActiveDir] permon access
Performance Logs and Alerts was running under Local system. I gave Read access to that reg key to a local group and put the user running the monitoring into that group. He gets that error when trying to start a counter log. So I created an account to run Performance logs and Alerts service on the user's local box and gave it "log on as a service" rights on the servers to be monitored and now it works. I'm not sure if this is the best or right way to go about it. Thanks On 2/13/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote: What account is the Performance Logs and Alerts running under, and what account did you give permissions to on the remote server's registry keys? From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Monday, February 13, 2006 2:59 PM To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access That works except when the user tries to create a counter log. The log doesn't start and when an attempt is made to start it, the user gets an event id 2046. The soultion here- http://eventid.net/display.asp?eventid=2046&eventno=2556&source=SysmonLog&phase=1 says to allow the Performance Logs and Alerts service on the local box to use an account that has the "logon as service" right on the remote server. Is this my only solution? Thanks On 2/13/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote: http://support.microsoft.com/?kbid=300702 if you have 2k3 members From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern <[EMAIL PROTECTED] > wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
What account is the Performance Logs and Alerts running under, and what account did you give permissions to on the remote server's registry keys? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 2:59 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access That works except when the user tries to create a counter log. The log doesn't start and when an attempt is made to start it, the user gets an event id 2046. The soultion here- http://eventid.net/display.asp?eventid=2046&eventno=2556&source=SysmonLog&phase=1 says to allow the Performance Logs and Alerts service on the local box to use an account that has the "logon as service" right on the remote server. Is this my only solution? Thanks On 2/13/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote: http://support.microsoft.com/?kbid=300702 if you have 2k3 members From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern <[EMAIL PROTECTED] > wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
Re: [ActiveDir] permon access
That works except when the user tries to create a counter log. The log doesn't start and when an attempt is made to start it, the user gets an event id 2046. The soultion here- http://eventid.net/display.asp?eventid=2046&eventno=2556&source=SysmonLog&phase=1 says to allow the Performance Logs and Alerts service on the local box to use an account that has the "logon as service" right on the remote server. Is this my only solution? Thanks On 2/13/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote: http://support.microsoft.com/?kbid=300702 if you have 2k3 members From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern <[EMAIL PROTECTED] > wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
Wow, I wrote that "article" a long long long long long time ago. I am surprised they still have it available. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBSSent: Monday, February 13, 2006 10:52 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] permon access Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto:[EMAIL PROTECTED] Sent: Monday, February 13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS <[EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
http://support.microsoft.com/?kbid=300702 if you have 2k3 members From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 9:04 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern <[EMAIL PROTECTED]> wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
Re: [ActiveDir] permon access
Sorry, member servers. remotely. Thanks On 2/13/06, Tom Kern <[EMAIL PROTECTED]> wrote: Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
Re: [ActiveDir] permon access
Thank you very much!! Thats exactly what I was looking for... On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS <[EMAIL PROTECTED]> wrote: Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS < [EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
Are you wanting them to run perfmon against your domain controllers, or against member servers/workstations? Locally, or remotely? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Monday, February 13, 2006 8:14 AMTo: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
Yeah sorry bout that! I realized that after I had already sent it. Check out the links below maybe they will help! http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/16529/16529.html http://support.microsoft.com/default.aspx?scid=kb;en-us;164018 Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto:[EMAIL PROTECTED] Sent: Monday, February 13, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] permon access Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS <[EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectory Subject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
Re: [ActiveDir] permon access
Thats why i stated I was on a windows 2000 Forest. That group is only available on Wink23 dc's. Thanks On 2/13/06, Olivarez, Sergio J Mr ANOSC/FCBS <[EMAIL PROTECTED]> wrote: How about utilizing the "Performance Monitor Users" built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto: [EMAIL PROTECTED]] Sent: Monday, February 13, 2006 8:14 AM To: activedirectorySubject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks
RE: [ActiveDir] permon access
How about utilizing the “Performance Monitor Users” built-in security group! Thanks... ... ... ... Sergio J. Olivarez - Contractor GD-NS From: Tom Kern [mailto:[EMAIL PROTECTED] Sent: Monday, February 13, 2006 8:14 AM To: activedirectory Subject: [ActiveDir] permon access In windows 2000 Forest, what are the bare minium rights needed for a user to run perfmon? I'd like to delegate this to someone without making them a local admin on the box. Is this possible? I can't seem to find a gpo adm template that allows this for win2k. Thanks