Troubleshooting

The topics in this section describe how to resolve issues with logging on, find log files, set the level of detail recorded in log files, and use diagnostic tools to retrieve information about the operation of the Agent for Windows.

Solving problems with logging on

Once you have the Agent installed on your computer, you cannot log on without a role assignment. The role, however, may be assigned to your local account, your domain account, or a remote computer. Consequently, you might encounter problems logging on after the agent is deployed. For example, you might find that you can log on to your computer using your local account but cannot log on using your domain account or have trouble connecting to a remote server.

You have no control over the roles assigned to your local, domain, or remote server accounts. These are all set by the administrator. There are a couple of things you can try if you cannot log on:

  • Try to log on using a local user account or using a different domain account

    if you have more than one account available.

  • Determine whether the computer you are using is connected or disconnected

    from the network. In rare cases, authorization information might not be

    available when a computer disconnected from the network.

  • If you cannot log on to a remote computer, confirm that you have role that

    has the remote logon system right and that the computer is configured to

    allow users to log on remotely. Open the Authorization Center to see details

    about your roles and their rights.

Your administrator is the only person who can correct any log on problems. You should contact an administrator for your organization to proceed.

Accessing network computers with privileges

Depending on how your administrator has defined the roles you are assigned, it is possible for you to see potentially misleading information in certain applications or be unable to perform administrative tasks as you expect. For example, if you select a role with administrative privileges to access an application such as SQL Server Configuration Manager or Microsoft SQL Server Management Studio and connect to a remote SQL Server instances, it might appear as if you have permission to start and stop services or perform other tasks. However, if your role does not include network access rights for the remote SQL Server instance, you will not have the appropriate permission to perform those tasks.

You can check whether your selected role includes network access rights using the Authorization Center. If the role you are using does not include network access rights, you should click Advanced View to see if you have additional network roles available to use in conjunction with your local role. If the role you are using includes network access rights, you should contact your administrator to find out if those rights are applicable on the network computer you are attempting to manage.

Running diagnostics and viewing logs for the agent

The Agent for Windows provides logging and diagnostic services. If you have administrative access on a local computer, you can generate diagnostic information about the operation of the Agent for Windows and view and save the current content of the log file from the agent configuration panel. For example, you can generate diagnostic information about user sessions, user roles, desktops, and elevated account access, as well as detailed information about auditing from the agent configuration panel.

You can view these diagnostics tools either from the Windows system tray or from the agent configuration panel.

  • IBM Security icon in the Windows system tray - right-click it and click

    Troubleshooting, and then the service for which you want diagnostic

    information.

  • Agent Configuration - select the service for which you want

    diagnostic information, then click the Troubleshooting tab.

Refreshing cached information

If you are a local administrator on a managed computer, you can refresh the authorization information stored in the cache to ensure the agent has the most up-to-date information about your current rights and roles. For example, if you are assigned a new role or been granted new application rights, you can refresh the cache to get the new assignment or application rights.

Checking your rights and roles using dzinfo

You can use the dzinfo command line program in a Command Prompt window to view detailed information about your rights, roles, and role assignments. The dzinfo command line utility provides the same functionality as the Authorization Center described in Checking your rights and role assignments, but allows you to view and capture the output from the command in a single window.

The syntax for the dzinfo program is:

dzinfo

The command returns detailed information about your rights, roles, and role assignment similar to the following:

Effective roles for AJAX\rey.garcia:
weblogic2/portland
Zone: CN=portland,CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Status: Active

Domain Admin/portland
Zone: CN=portland,CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Status: Active

Windows Login/mainoffice
Zone: CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Status: Active

Effective Login Rights for AJAX\rey.garcia:
Console Login: Permitted
Audit Level: Audit if possible

Remote Login: Permitted
Audit Level: Audit if possible

PowerShell Remote Access: Permitted
Audit Level: Audit if possible

Role Assignments for AJAX\rey.garcia:
weblogic2/portland
Status: Active
Account: AJAX\rey.garcia
Scope: Zone
Zone: ajax.org/Acme/Zones/mainoffice/portland
Local Role: No
Network Role: Yes
Effective: Immediate
Expires: Never

Domain Admin/portland
Status: Active
Account: AJAX\rey.garcia
Scope: Zone
Zone: ajax.org/Acme/Zones/mainoffice/portland
Local Role: No
Network Role: Yes
Effective: Immediate
Expires: Never

Windows Login/mainoffice
Status: Active
Account: AJAX\Domain Admins
Scope: Zone
Zone: ajax.org/Acme/Zones/mainoffice
Local Role: Yes
Network Role: No
Effective: Immediate
Expires: Never

Role Definitions:
weblogic2/portland
Status: Active
Description: None
Zone: CN=portland,CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Login Permitted: No
Audit Level: Audit if possible
Rescue Right: No
Require MFA: No
Available Hours:
12 2 4 6 8 10 12 2 4 6 8 10
Sunday X X X X X X X X X X X X X X X X X X X X X X X X
Monday X X X X X X X X X X X X X X X X X X X X X X X X Tuesday X X X X X X X X X X X X X X X X X X X X X X X X Wednesday X X X X X X X X X X X X X X X X X X X X X X X X Thursday X X X X X X X X X X X X X X X X X X X X X X X X Friday X X X X X X X X X X X X X X X X X X X X X X X X Saturday X X X X X X X X X X X X X X X X X X X X X X X Rights:
weblogic Network Access/portland
Type: Network Access
Description: None
Priority: 0
Run As: AJAX\wladmin
Require Authentication: No

weblogic Desktop/portland
Type: Desktop
Description: None
Priority: 0
Run As: AJAX\wladmin
Require Authentication: No

Domain Admin/portland
Status: Active
Description: None
Zone: CN=portland,CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Login Permitted: No
Audit Level: Audit if possible
Rescue Right: No
Available Hours: All
Rights:
ADUC/portland
Type: Application
Description: Active Directory Users and Computers as Admin
Priority: 0
Run As: AJAX\Administrator
Application: mmc.exe
Path: C:\Windows\system32
C:\Windows
C:\Program Files
C:\Program Files (x86)
C:\Windows\SysWOW64
Arguments: "C:\Windows\system32\dsa.msc"
Match Case: No
Require Authentication: No
Application Criteria:
None

Domain Admin Network Access/portland
Type: Network Access
Description: None
Priority: 0
Run As: AJAX\Administrator
Require Authentication: No

Windows Login/mainoffice
Status: Active
Description: Predefined system role for general Windows login users.
Zone: CN=mainoffice,CN=Zones,OU=Acme,DC=ajax,DC=org
Login Permitted: Console & Remote & PowerShell Remote
Audit Level: Audit if possible
Rescue Right: No
Available Hours: All
Rights:
None

Computer is joined to zone ajax.org/Acme/Zones/mainoffice

Auditing for AJAX\rey.garcia:
Session ID 2:
Desktops:
Default: Not currently auditing.

Auditing is not available on this computer.