After applying a Windows Security Baseline to the Domain Controllers, or after enabling the Attack Surface Reduction Rule, "Block credential stealing from the Windows local security authority subsystem", GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, Change Auditor no longer audits AD events and in agents 7.0.4 and later, the agent will fail to start. This will also impact agents installed on member servers resulting in the agent failing to start.
An error similar to the following is logged in the ChangeAuditor.AgentLog.nptlog:
[WARN][CServerControlHandler::TriggerHooking(154)] LDAP control hooking failed: 0x00000022
[WARN][TrogdorLib::Common::CTrogdorService::StartImpl(187)] Error initializing sub-system SonicWALL Auditor (71).
[ERROR][itad2hook::DuplexHolderImpl::InitializeIPC(230)] Error starting pipe client. Unable to open pipe
You need to be signed in and under a current maintenance contract to view premium knowledge articles.