Overview
You notice that an AD Connector is showing an alert or error state, and the message shown when you hover over the alert includes "Access Denied" for one of the registered AD servers.
Explanation
This error usually indicates the OpenDNS_Connector user has insufficient permissions to operate.
The Windows Connector script normally sets the required permissions for the OpenDNS_Connector user. However, in strict AD environments, some administrators may not be permitted to run VB scripts on their Domain Controllers, and thus will need to manually replicate the actions of the Windows Configuration script.
Resolution
Please ensure that the OpenDNS_Connector user is a member of the following AD Groups:
- Event Log Readers
- Distributed COM users
- Enterprise Read-only Domain Controllers
The solution is to make sure DCOM, WMI and "Manage Audit and Security Log" are set up correctly on the AD server in question.
Note: multiple domains or multiple forests are not supported by default; please refer to the Multi-AD Domain Support in Umbrella announcement. It's worth letting umbrella-support@cisco.com know about your configuration if you've run into these issues, as we may be able to help.
To verify WMI Permissions:
1. Click Start > Run > wmimgmt.msc (Windows Management Infrastructure Control console)
2. Right-click on WMI Control > click Properties > Security tab
3. Select Root > CIMV2 namespace and click the Security button
4. Add the OpenDNS_Connector user and allow the following permissions: Enable Account, Remote Enable and Read Security.
To verify DCOM Permissions:
1. From a command line run dcomcnfg
2. Console Root > Component Services > Computers
3. Right-click on My Computer and select Properties.
4. From My Computer Properties select COM Security tab.
5. In "Launch and Activation Permissions" area click "Edit Limits".
6. Add the OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions.
7. Click OK to confirm and close My Computer Properties.

IMPORTANT!
If DCOM changes are made, in most cases a reboot of that DC is required for the changes to take effect.
To verify "Manage Audit and Security Logs" on Windows 2003 servers:
1. On a Domain Controller, open a command prompt and type the following command: "gpresult /scope computer /r" (If you are running Windows 2003, replace /r with /v).
2. Look for the "Applied Group Policy Objects" line. Under it will be a list of policies applied to that Domain Controller. Make note of one that is likely to be applied to all Domain Controllers (e.g. "Default Domain Controllers Policy"). If none exists, you may need to create one and apply it.
To edit the proper policy:
3. Open the Group Policy Management panel (via Start/Administrative Tools). Select the desired policy. Something in the "Domain Controllers" folder is a likely candidate.
4. Right-click that policy and select "Edit" to bring up the Group Policy Management Editor.
5. Browse to the "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment" folder and select "Manage audit and security log" to view its properties.
6. Check "Define these policy settings", click "Add user or group", browse and select the OpenDNS_Connector user.
7. Run the "gpupdate /force" command on the Domain Controller to make sure the policy is applied.
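The following read-only PowerShell check covers the four settings walked through above (group membership, WMI namespace rights, DCOM launch/activation limits and the "Manage auditing and security log" user right). It is an added example, not the Windows Connector script or any Cisco code; it assumes an elevated PowerShell session on the Domain Controller being checked, the ActiveDirectory module, and an account named OpenDNS_Connector in the current domain. It changes nothing, so it is safe to run before and after the manual steps.

```powershell
# Added example (not from the Cisco article). Read-only: reports each
# prerequisite as OK or MISSING, it never modifies a setting.
$User = 'OpenDNS_Connector'                     # assumed account name
$Acct = Get-ADUser -Identity $User
$Groups = Get-ADPrincipalGroupMembership -Identity $User   # direct memberships only
$Sids = @($Acct.SID.Value) + @($Groups | ForEach-Object { $_.SID.Value })

function Report($ok, $what) {
    $tag = if ($ok) { 'OK     ' } else { 'MISSING' }
    Write-Output "[$tag] $what"
}

# 1. Group memberships listed in the Resolution section
foreach ($g in 'Event Log Readers', 'Distributed COM Users', 'Enterprise Read-only Domain Controllers') {
    Report ($Groups.Name -contains $g) "member of '$g'"
}

# 2. WMI root\cimv2 rights: Enable Account (0x1), Remote Enable (0x20),
#    Read Security (0x20000); granted to the user directly or via a group.
$Need = 0x1 -bor 0x20 -bor 0x20000
$Dacl = (Invoke-CimMethod -Namespace root/cimv2 -ClassName __SystemSecurity `
            -MethodName GetSecurityDescriptor).Descriptor.DACL
$Mask = 0
foreach ($ace in $Dacl) {                       # AceType 0 = ACCESS_ALLOWED
    if ($ace.AceType -eq 0 -and $Sids -contains $ace.Trustee.SIDString) { $Mask = $Mask -bor $ace.AccessMask }
}
Report (($Mask -band $Need) -eq $Need) ('WMI root\cimv2 effective mask 0x{0:X}' -f $Mask)

# 3. DCOM "Launch and Activation Permissions" limits (Edit Limits in dcomcnfg):
#    Remote Launch = 0x4, Remote Activation = 0x10. The value only exists once
#    the limits have been edited; otherwise the built-in defaults apply.
$Bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').MachineLaunchRestriction
if ($null -eq $Bytes) {
    Write-Output '[INFO   ] DCOM limits not edited; default limits in effect, confirm in dcomcnfg'
} else {
    $Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
    $Mask = 0
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $Sids -contains $ace.SecurityIdentifier.Value) { $Mask = $Mask -bor $ace.AccessMask }
    }
    Report (($Mask -band 0x14) -eq 0x14) ('DCOM remote launch/activation effective mask 0x{0:X}' -f $Mask)
}

# 4. "Manage auditing and security log" = SeSecurityPrivilege, read from the
#    effective local security policy that secedit exports (SIDs are '*'-prefixed).
$Cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $Cfg /quiet | Out-Null
$Line = Get-Content $Cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } | Select-Object -First 1
Remove-Item $Cfg -ErrorAction SilentlyContinue
$Holders = if ($Line) { ($Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } } else { @() }
Report (@($Holders | Where-Object { $Sids -contains $_ }).Count -gt 0) 'SeSecurityPrivilege (Manage auditing and security log)'
```

Because only direct group memberships are resolved, a right granted through a nested group may show as MISSING even though it is effective; a MISSING line is therefore a prompt to check that item in the GUI, not proof that it is absent.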
For more information about resolving this issue, please visit Complete Topics for Access Denied Resolution.
If, after confirming or changing the settings above, you are still seeing "Access Denied" messages in the Dashboard, please send Support the Connector logs as outlined in this article: Provide Support with AD Connector Logs.