7 Replies Latest reply on Jul 7, 2009 1:34 PM by vanyans

    DisableLdapGroupEnumeration is not working on one workstation

    Rookie

       

       

      Hi

       

      I am using LANDesk 8.8 with SP3 (applied to core and all agents, use the same agent on all clients).

      I have enabled DisableLdapGroupEnumeration (done through agent) and I am using AD info in LANDesk queries.

      Info from AD is gathered correctly from all workstations except from one. It is an XP machine with SP2. I added the machine to 2 new groups in AD, ran Inventory (scheduled from core, several times) but the new information about groups was never gathered (only for that one machine).

      I did check the registry on the machine, it is set to 0. I checked the logs (LDISCN32, LDISCN32.EXE.SLMUpdateDeniedFiles). All seems to be correct. Any other logs I should be looking at?

      I ran ldapwhoami on the machine and that gave correct information.

       

      Any suggestion would be appreciated.

       

      Thanks

        • 1. Re: DisableLdapGroupEnumeration is not working on one workstation
          Rookie

          Hi,

           

           

          I ran some additional tests and here is what I found out:

          When I run Inventory scan directly from machine (using start menu shortcut) inventory is collected properly and I see in the Inventory on the core that AH machine is member of required AD groups (Under LDAP Groups i see both Machine and Primary Owner groups).

          When I run Inventory scan from the Core (scheduled task) the information is gone (Under LDAP Groups i see only Primary Owner group).

          The same thing happens no matter how many times I run scans and the info in LDISCN32 is always the same:

          Tue, 30 Jun 2009 12:10:12 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
             708 Service is disabled
             708 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:10:12 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:10:14 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
             708 Service is disabled
             708 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:10:14 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:10:19 open key Software\Utimaco\SGEasy with flags 0x20019 returns handle 0, status 2
          Tue, 30 Jun 2009 12:23:59 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
            3760 Service is disabled
            3760 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:23:59 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:24:00 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
            3760 Service is disabled
            3760 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:24:00 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:24:05 open key Software\Utimaco\SGEasy with flags 0x20019 returns handle 0, status 2
          Tue, 30 Jun 2009 12:29:49 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
            1844 Service is disabled
            1844 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:29:49 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:29:50 Checking if firewall is enabled : ({08A4D443-580F-43C9-B041-8F7AF3F1F96F})
            1844 Service is disabled
            1844 ERROR: Failed to get the firewall configuration ptr : (80004005)
          Tue, 30 Jun 2009 12:29:50 Failed to init : (80004005)
          Tue, 30 Jun 2009 12:29:55 open key Software\Utimaco\SGEasy with flags 0x20019 returns handle 0, status 2

           

           

           

           

          This happens on only this one machine. I verified that the right agent is installed. Any help as to where I should be looking next is greatly appreciated.

          I am working on a test system right now that has only 5 clients and trying to figure out how everything works before deploying LANDesk.

           

          Thanks

          • 2. Re: DisableLdapGroupEnumeration is not working on one workstation
            Master

            Hi,

             

            Hope you are doing well. Just a few quick questions and things to look at:

             

            1. If you update the dword in the registry to a 1 and run ldapwhoami.exe and perform the same operation with it set to a 0 is the data different?

             

            2. If the data is different with running ldapwhoami.exe manually then perform a debug scan. Add /DEBUG onto the shortcut of Inventory Scan and run the scanner. Once completed look in ldclient\data and open the ldiscn32.log file. Look for "Local Users and Groups" and see if you have multiple groups listed.

             

            Let me know what you find, thanks!

            • 3. Re: DisableLdapGroupEnumeration is not working on one workstation
              Rookie

               

               

              Hi Corrie,

               

              Thanks for the quick reply.

               

              Here's what I did and found out:

               

              1. I ran ldapwhoami.exe with registry set to 0 and 1 and the result was different.

               

              So I continued:

               

              2. I returned registry to 0 and ran ldiscn32 with /DEBUG (shortcut) and here is the log file (relevant part):

              Tue Jun 30 16:42:21 2009: Getting PDA information from registry.
              Tue Jun 30 16:42:21 2009: Getting Dell asset information.
              Tue Jun 30 16:42:21 2009:   Buffering data: Computer Location = LDTest.com/Computers
              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Location = CN=AH,CN=Computers,DC=LDTest,DC=com
              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Groups - Machine - (Display Name:RWS) - Name = CN=RWS,OU=LANDesk,DC=LDTest,DC=com
              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Groups - Machine - (Display Name:VBIP) - Name = CN=VBIP,OU=LANDesk,DC=LDTest,DC=com
              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Groups - Machine - (Display Name:General) - Name = CN=General,OU=LANDesk,DC=LDTest,DC=com

              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Groups - Machine - (Display Name:Domain Computers) - Name = CN=Domain Computers,CN=Users,DC=LDTest,DC=com
              Tue Jun 30 16:42:21 2009:   Buffering data: LDAP Groups - Machine - (Display Name:Domain Computers) - Description = All workstations and servers joined to the domain
              Tue Jun 30 16:42:21 2009:   Buffering data: System - OpenManage Support = No
              Tue Jun 30 16:42:21 2009:   Buffering data: System - OpenManage Supported Components = No
              Tue Jun 30 16:42:21 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Display Name = LDMS default ruleset
              Tue Jun 30 16:42:21 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Date = 1240936845
              Tue Jun 30 16:42:21 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Filename = ldms.default.ruleset.xml
              Tue Jun 30 16:42:21 2009:   Buffering data: ThinkVantage Technologies - Power Manager - Active Plan = Always On

              3. Then I ran the scan from the core (registry still set to 0). I've updated inventoryscanner script with the /DEBUG option as well. Here is the log:

              Tue Jun 30 16:48:03 2009: Getting PDA information from registry.
              Tue Jun 30 16:48:03 2009: Getting Dell asset information.
              Tue Jun 30 16:48:03 2009:   Buffering data: Computer Location = LDTest.com/Computers
              Tue Jun 30 16:48:03 2009:   Buffering data: LDAP Location = CN=AH,CN=Computers,DC=LDTest,DC=com
              Tue Jun 30 16:48:03 2009:   Buffering data: System - OpenManage Support = No
              Tue Jun 30 16:48:03 2009:   Buffering data: System - OpenManage Supported Components = No
              Tue Jun 30 16:48:03 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Display Name = LDMS default ruleset
              Tue Jun 30 16:48:03 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Date = 1240936845
              Tue Jun 30 16:48:03 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Filename = ldms.default.ruleset.xml

              4. Then I set the registry to 0 and ran the scan from the machine using shortcut. And got exactly the same log as in previous step:

              Tue Jun 30 16:57:47 2009: Getting PDA information from registry.
              Tue Jun 30 16:57:47 2009: Getting Dell asset information.
              Tue Jun 30 16:57:47 2009:   Buffering data: Computer Location = LDTest.com/Computers
              Tue Jun 30 16:57:47 2009:   Buffering data: LDAP Location = CN=AH,CN=Computers,DC=LDTest,DC=com
              Tue Jun 30 16:57:47 2009:   Buffering data: System - OpenManage Support = No
              Tue Jun 30 16:57:47 2009:   Buffering data: System - OpenManage Supported Components = No
              Tue Jun 30 16:57:47 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Display Name = LDMS default ruleset
              Tue Jun 30 16:57:47 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Date = 1240936845
              Tue Jun 30 16:57:47 2009:   Buffering data: LANDesk Management - Alert Ruleset Installed - (Installed Ruleset Name:ldms.default) - Installed Ruleset Filename = ldms.default.ruleset.xml

               

              "Local Users and Groups" part of the log seems to be always the same (in all 3 cases). It does have multiple groups listed. It seems correct to me. Let me know if you need me to attach more log info.

               

              Is it possible that server somehow doesn't see registry being set to 0? And if so is there a way to fix it/prevent it?

               

              Thanks a lot.

              • 4. Re: DisableLdapGroupEnumeration is not working on one workstation
                Master

                Two quick questions,

                 

                on the client shortcut you are using to run the scan manually, do you have a /SYNC and /F switch applied?

                 

                and on the core are you just right clicking on the device and choosing inventory scan or are you using a managed script?

                 

                Thanks!

                • 5. Re: DisableLdapGroupEnumeration is not working on one workstation
                  Rookie

                  Hi,

                   

                  On the client I didn't change the original shortcut command except for the /DEBUG option:

                   

                   

                   

                  "C:\Program Files\LANDesk\LDClient\LDISCN32.EXE" /NTT=192.168.63.16:5007 /S=192.168.63.16  /I=HTTP://192.168.63.16/ldlogon/ldappl3.ldz /V /DEBUG

                   

                  On the server one schedule was created using the button "Scedule inventory scan" on "Scheduled Tasks" window.

                  Another schedule was created using the "inventoryscanner" script. I copied the original one and updated the command to corespond the one from the shortcut:

                  REMEXEC1=<qt/>%LDMS_CLIENT_DIR%\LDISCN32.EXE<qt/> /NTT=%server%:5007 /S="%server%" /I=HTTP://%server%/ldlogon/ldappl3.ldz /NOUI /DEBUG

                   

                  I just tried to run inventory scan from the core by right-clicking on the machine and choosing "Inventory Scan". The result is the same. Required LDAP groups did not show-up in the Inventory.

                   

                  Thank you very much.

                  • 6. Re: DisableLdapGroupEnumeration is not working on one workstation
                    Rookie

                    Hi

                     

                    In addition, I tried one more test.

                    I added /F /SYNC to the "inventoryscanner" script and ran it from the core. The result was the same. No requierd LDAP groups were detected.

                     

                    Thanks

                    • 7. Re: DisableLdapGroupEnumeration is not working on one workstation
                      Rookie

                       

                       

                      Hi

                       

                      It seems I've found a solution for the issue.

                      When running netdiag I realized that "Workstation service" is not running. Once the service has started I ran inventory scan and got the desired results.

                      It's been running like this for two days, and I did few scans and all returned good results.

                       

                      Thanks