Changes to Identity Module mechanism for AD domain controllers and move to WMI queries

  • Article
  • Updated 10 months ago

We are replacing the current mechanism of querying the Active Directory event log (currently rpcclient) with Windows Management Instrumentation (WMI) to improve performance and reliability.

This guide describes the steps required to switch the Active Directory settings on LANGuardian to WMI queries; it is also useful when troubleshooting problems with the integration.

We assume you are already logging user logon events on your domain controllers.

Upgrade to LANGuardian 14.2.4

This feature requires LANGuardian v14.2.4 or later. You can upgrade your system from the following link: https://x.x.x.x/sysadm/update.cgi
Replace x.x.x.x with the IP address of the LANGuardian management interface.

Change the AD configuration to use WMI instead of RPC queries

Edit each domain controller entry in LANGuardian and choose 'Windows Management Instrumentation' as the query type.


How to Enable remote WMI execution

In LANGuardian, go to Settings -> Modules -> Identity -> Active Directory and check the Username and Domain Controller (Name or IP Address) used for querying your domain's Active Directory.

Note: On any domain controller that LANGuardian has trouble connecting to, log on via RDP or the local console and run the wmimgmt.msc command.



1. Add the LANGuardian AD user to CIMV2 permission on each domain controller

In the WMI Management window, right-click WMI Control and select Properties. On the Security tab, select CIMV2 and click the Security button in the bottom right corner.

Find or add the user specified under the Active Directory settings in LANGuardian and verify that Enable Account, Remote Enable and Read Security are set to Allow; if not, enable those permissions and apply your settings.

2. Add this AD account to the “Performance Log Users” group so that it can query via WMI.

3. Add this AD account to the “Event Log Readers” group so that it can read the event logs.

Setting up network access

In addition to setting up the AD account, network access is also needed in order for WMI to work. Specifically, the client (LANGuardian system) must be able to connect to the server (domain controller) on port 135 and on any port in the range 49154-60000 (the actual port is assigned by the server and communicated to the client).

See https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows (RPC randomly allocated high TCP ports).

So, if a firewall is present between LANGuardian and the server, it must allow these connections.

The default port range can be changed, see
https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls

LANGuardian should now be able to query Active Directory information on this server. 
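The following PowerShell script is an added example, not part of the NetFort article. Run it in an elevated Windows PowerShell session on each domain controller to audit the three account prerequisites above (CIMV2 namespace rights, Performance Log Users and Event Log Readers membership) and to show the RPC dynamic port range that the firewall section refers to. It assumes the ActiveDirectory module (RSAT) is available on the DC; the account name CONTOSO\languardian-svc is a placeholder for whatever is configured in LANGuardian.

```powershell
# Added example (not from the NetFort article): audit the WMI prerequisites
# for the LANGuardian AD account on a domain controller.
# Assumption: $Account is the user configured under
# Settings -> Modules -> Identity -> Active Directory (placeholder value here).
param(
    [string]$Account = 'CONTOSO\languardian-svc'
)

Import-Module ActiveDirectory -ErrorAction Stop
$domain, $user = $Account -split '\\', 2

# --- 1. root\cimv2 namespace security ------------------------------------
# WMI access-mask bits behind the three checkboxes named in the article.
$WBEM_ENABLE        = 0x00001   # "Enable Account"
$WBEM_REMOTE_ACCESS = 0x00020   # "Remote Enable"
$READ_CONTROL       = 0x20000   # "Read Security"
$required = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

# __SystemSecurity of a namespace is what the wmimgmt.msc Security tab edits.
$sec = Get-WmiObject -Namespace 'root\cimv2' -Class __SystemSecurity
$sd  = $sec.GetSecurityDescriptor().Descriptor

# Only direct "Allow" ACEs (AceType 0) for this user are considered; rights
# granted through group membership are not resolved here.
$mask = 0
foreach ($ace in $sd.DACL) {
    if ($ace.AceType -eq 0 -and
        $ace.Trustee.Domain -eq $domain -and
        $ace.Trustee.Name -eq $user) {
        $mask = $mask -bor $ace.AccessMask
    }
}
$namespaceOk = (($mask -band $required) -eq $required)

# --- 2./3. Built-in group membership ---------------------------------------
$adUser = Get-ADUser -Identity $user
$groupResults = foreach ($g in 'Performance Log Users', 'Event Log Readers') {
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Select-Object -ExpandProperty distinguishedName
    [pscustomobject]@{
        Check  = "Member of '$g'"
        Passed = ($members -contains $adUser.DistinguishedName)
    }
}

# --- Network: RPC dynamic port range used after the TCP 135 handshake ------
# Shown so it can be compared with what the firewall between LANGuardian and
# this DC actually allows.
$portRange = (netsh interface ipv4 show dynamicport tcp) -join ' '

# --- Summary -----------------------------------------------------------------
$results = @(
    [pscustomobject]@{
        Check  = 'root\cimv2: Enable Account + Remote Enable + Read Security'
        Passed = $namespaceOk
    }
) + $groupResults

$results | Format-Table -AutoSize
Write-Output "RPC dynamic port range on this DC: $portRange"
if ($results.Passed -contains $false) {
    Write-Warning "One or more prerequisites are missing for $Account; fix them before re-testing from LANGuardian."
}
```

The namespace check reads the same security descriptor that the wmimgmt.msc dialog edits, so a failed first row means the step 1 checkboxes were not applied (or were applied to a different account). The group rows use recursive membership, so an account that is a member via a nested group still passes.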


Test Configuration

If you need to test the WMI integration, you can use the native Windows tool WBEMTEST from your desktop:

  1. Click Run and type wbemtest on a Windows 7 or 10 system
  2. Click Connect and type \\x.x.x.x\root\cimv2 into the Namespace field (replace x.x.x.x with the domain controller's IP address or name)
  3. Enter the LANGuardian AD account and password and click Connect
  4. If the account has permission to connect via WMI you should not see any error messages

If the steps above fail, add the LANGuardian user account to the domain group Performance Log Users and try running the test again. If this still fails, try the test using the Administrator account to see whether the server is blocking all remote WMI connections.

Optionally, click Query and type in: SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = '4624'. This verifies that the account can run a query.
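The script below is an added example, not part of the NetFort article: it performs the same test as the wbemtest steps above from a Windows desktop, but scripted so it can be repeated after each configuration change. It first checks that TCP 135 on the domain controller is reachable, then opens a DCOM-based WMI session as the LANGuardian account and runs the article's Win32_NTLogEvent query. The DC address 10.0.0.5 and the account CONTOSO\languardian-svc are placeholders; EventCode is written as a numeric literal because the class defines it as a number.

```powershell
# Added example (not from the NetFort article): scripted equivalent of the
# wbemtest check, run from a Windows desktop that can reach the DC.
# Assumptions: placeholder DC address and account name below.
param(
    [string]$DomainController = '10.0.0.5',
    [string]$Account          = 'CONTOSO\languardian-svc'
)

# Step 0: the RPC endpoint mapper (TCP 135) must answer before WMI/DCOM can
# negotiate the dynamic high port described in the network access section.
$tcp = Test-NetConnection -ComputerName $DomainController -Port 135 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 135 to $DomainController is not reachable; check the firewall before testing WMI."
    return
}

$cred = Get-Credential -UserName $Account -Message 'LANGuardian AD account password'

# Steps 2-3: connect to \\DC\root\cimv2 over DCOM, the same transport wbemtest
# and LANGuardian use (Get-CimInstance would default to WSMan otherwise).
$opt = New-CimSessionOption -Protocol Dcom
try {
    $session = New-CimSession -ComputerName $DomainController -Credential $cred `
                              -SessionOption $opt -ErrorAction Stop
} catch {
    $msg = $_.Exception.Message
    if ($msg -like '*denied*') {
        Write-Warning "Access denied: check the CIMV2 namespace rights (Enable Account, Remote Enable) for $Account."
    } elseif ($msg -like '*RPC server*') {
        Write-Warning 'RPC server unavailable: TCP 135 answered, so the dynamic high ports are probably filtered.'
    } else {
        Write-Warning "Connection failed: $msg"
    }
    return
}

# Step 4: the article's query. Reading a single matching record is enough to
# prove both namespace rights and Event Log Readers membership; -First 1 stops
# the enumeration early on a busy Security log.
$query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 4624"
try {
    $event = Get-CimInstance -CimSession $session -Query $query -ErrorAction Stop |
             Select-Object -First 1
    if ($event) {
        Write-Output "OK: read logon event record $($event.RecordNumber) generated $($event.TimeGenerated) on $($event.ComputerName)"
    } else {
        Write-Output 'OK: query ran, but no 4624 events were found; confirm logon auditing is enabled on the DC.'
    }
} catch {
    Write-Warning "Query failed: $($_.Exception.Message). Check that $Account is a member of 'Event Log Readers'."
} finally {
    Remove-CimSession $session
}
```

A session that opens but whose query fails points at event log permissions rather than WMI permissions, which is the distinction the two group memberships in the setup section exist to cover; a session that cannot open at all is either a namespace-rights problem (access denied) or a network one (RPC server unavailable), and the warnings separate the two.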
Aisling Brennan, Official Rep

Posted 10 months ago