Q: How do I troubleshoot automated auditing?
The best troubleshooter is in the Quick Start Guide. Click the link at the top of this page to read it.
Here is some of what's in the Quick Start Guide, plus some information about Active Directory. Let's go through it step by step, even where it seems redundant with what you have already checked or with the Troubleshooter section of the Quick Start Guide, because often it's just a small oversight that derails getting started.
First, check the permissions for the \ezaudit\audits folder set on the server.
The folders must have read, write, create, delete, modify and execute permissions for your users, typically Domain Users or Everyone.
Ensure that there are no "deny" permissions propagating downstream to those folders from somewhere up the line.
If permissions are good, check the folder with ezscan.exe in it. Is there an errorlog.txt file?
Non-fatal errors are logged here, provided the script actually runs, the program can be launched, and the users can write to the folder. Open it and see what's reported.
Test that your script is actually running, and exclude E-Z Audit as a problem for this test:
Copy notepad.exe into the same folder as ezscan.exe, then remark-out the line that starts ezstart.exe and replace it with "\\server_name\ezaudit\notepad.exe" %test
That launches Notepad at the user's PC, and Notepad will show a message box saying that the file test can't be found. This validates that the script runs and that the command line is passed.
If that doesn't work, then the script isn't launching and it's time to dig into the joys of Group Policy. That's far too large a topic for us to support, but here are the basics of assigning a logon script to the users policy:
01. Open Active Directory Users and Computers.
02. Right-click theand press Properties.
03. On the Group Policy tab, press Open (Group Policy Management Console).
04. Double-click the Default Domain Policy in the right-hand pane.
05. On the Details tab, record the GUID, which is listed next to Unique ID.
06. Close the Group Policy Management Window.
07. Press Cancel on theProperties dialog.
08. Copy your logon script to %SystemRoot%\SYSVOL\sysvol\\Policies\{GUID from step 5}\User\Scripts\Logon .
09. In Active Directory Users and Computers, right-click theand press Properties.
10. On the Group Policy tab, press Open.
11. Right-click the Default Domain Policy in the right-hand pane and press Edit.
13. Navigate through User Configuration / Windows Settings / Scripts (Logon/Logoff).
14. Double-click Logon.
15. On the Logon Properties dialog, press Add.
16. Type the file name, NOT the path, of your script into Script Name, or Browse for it.
17. Press OK, Apply, and OK.
18. Close the Group Policy window.
19. Close Active Directory Users and Computers.
20. Open a command window and type GPUPDATE /force to force Group Policy to update right away.
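The folder permission and errorlog.txt checks at the start of this answer can be scripted. The PowerShell below is an added example, not part of the original FAQ or of E-Z Audit; \\server_name\ezaudit is the placeholder share from the text, and the script assumes ezscan.exe sits in the share root next to the audits folder.

```powershell
# Added example: pre-flight check of the shared audit folders.
# The share path is a placeholder (assumption); pass your own with -Share.
param(
    [string]$Share = '\\server_name\ezaudit'
)

$auditDir = Join-Path $Share 'audits'
$errorLog = Join-Path $Share 'errorlog.txt'   # assumes ezscan.exe is in the share root

foreach ($dir in $Share, $auditDir) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Folder not reachable: $dir"
        continue
    }

    # Show every NTFS ACE so Allow and Deny entries can be compared side by side.
    $acl = Get-Acl -LiteralPath $dir
    $acl.Access |
        Sort-Object AccessControlType |
        Format-Table -AutoSize IdentityReference, AccessControlType, FileSystemRights, IsInherited

    # Flag Deny entries and say whether they come "from somewhere up the line".
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $origin = if ($ace.IsInherited) { 'inherited from a parent folder' } else { 'set on this folder' }
        Write-Warning "Deny ACE for $($ace.IdentityReference) on $dir ($origin): $($ace.FileSystemRights)"
    }

    # Effective test as the current user: create, write, then delete a probe file.
    $probe = Join-Path $dir ('probe_{0}.tmp' -f [guid]::NewGuid().ToString('N'))
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        Write-Output "OK: create/write/delete works in $dir for $env:USERNAME"
    } catch {
        Write-Warning "Write test failed in ${dir}: $($_.Exception.Message)"
    }
}

# Show the most recent entries the scanner has logged, if any.
if (Test-Path -LiteralPath $errorLog) {
    Write-Output "Last entries in ${errorLog}:"
    Get-Content -LiteralPath $errorLog -Tail 20
} else {
    Write-Output 'No errorlog.txt found next to ezscan.exe'
}
```

Run it while logged on as an ordinary domain user, not an administrator, so the write test reflects what the logon script will experience. Get-Acl reports NTFS permissions only; share-level permissions are set separately on the server.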
Q: My audits are not being updated even though the scanner is running normally (or new audits not created until I delete the old audits).
Possible reasons include:
You have set an audit frequency of 0 (zero) days in your configuration file for automated audits. A zero days frequency only audits PCs one time and never again until the existing audit has been deleted or moved to another folder. You can open existing configuration files directly at your server if you copied config.exe from your PC to the folder on the server where the configuration files are located.
If only some PCs are experiencing this, check the folder where ezscan.exe is located in your server's shared audit folder for errorlog.txt and see what it is reporting. (Note: this file can only be created and updated if your users have Create and Write permissions to the folder where you are running the audits from.)
If a PC has remained logged in continuously for longer than the frequency you set, it will not be re-audited. A PC is audited at login time, so if your frequency is every day and the PC has been on and logged in for two, three or more days, it is not being re-audited.
Q: My Windows XP SP2 users are being asked by Windows if they want to run the audit module. Why and how do I stop this?
If you launch the scan from your logon script using an IP-based path, XP SP2 will show this warning. If you use a UNC path with a server name, it will not. XP SP2 doesn't recognize the server via IP address as a "safe" location.
Example that causes the problem: "\\192.168.1.100\ezaudit\ezstart.exe" /auto
Examples that won't result in the warning: "\\your_server_name\ezaudit\ezstart.exe" /auto or "X:\ezaudit\ezstart.exe" /auto
Q: Some of my machines are not showing antivirus, antispyware and firewall details. Why?
This information is available only on Windows XP SP2, Vista and Windows 7. It also depends on whether the vendor of the particular product is reporting its status to Windows. Most major vendors' current products do. Check with your vendor if you have XP SP2, Vista or Windows 7 and the information is not being reported.
Q: Some users occasionally get an InPage Error c000020c or 0xc0000006. Why?
This is a network connectivity issue. When an application is run from the network over a poor connection (e.g. a weak wireless connection or a bottlenecked switch or router), this error can occur.
Basically ezscan.exe is loaded into RAM at the user's PC from the server. Windows needs to keep a reference to the application even though it's now running at the PC. Lose that connection and errors will occur.
There is a Microsoft Knowledge Base article on the subject. While the article is about Windows XP, the information still applies to newer versions of Windows as well.
http://support.microsoft.com/kb/884069
Q: I have some Core Duo, XEON or Celeron processors that show incorrect information. Why?
There is a Microsoft KB article about this at http://support.microsoft.com/kb/952978. Basically Intel and Microsoft don't seem to be on the same page when it comes to the information to be gleaned from the CPUID. We are aware of the situation. As it stands today, this is actually pretty rare.
Q: How do I audit stand-alone machines that are not on my network?
You have two options. You can audit PCs or servers from a USB flash drive. Alternatively, if they are in an inaccessible location (for example, a home office user), you can use E-Z Audit Remote (starting with Version 12).
Q: How do I audit servers?
Q: Why do some machines report a lower CPU speed than what they're supposed to be?
We report actual, not "marketing" speed. Laptops use power managers that can throttle CPU speed to prevent overheating or extend battery time. The type of CPU and theoretical speed are reported in the PC summary; only the CPU Summary shows it by actual, reported speed.
Q: Will E-Z Audit recognize our own, in-house developed software?
Yes. E-Z Audit does not rely on lists of "recognized" software.
Q: I have users that log off and log back in many times a day. Will they be repeatedly audited?
No. E-Z Audit will only audit once per calendar day if a new audit is required per the frequency you set in the configuration (e.g. when the audit is 7 days old or older).
Q: Normally we re-audit PCs every 30 days, but I need to get fresh audits for some of my PCs. How do I force them to create new audits?
Delete the existing audit from the Admin Console. Open the audit folder then click the Edit > Delete multiple audits menu.
Or you can use E-Z Audit On-Demand.