
Access Denied Setting System Center ACS Filter

So today I was fine-tuning my Microsoft System Center 2012 Audit Collection Services (ACS) by setting a filter to reduce the amount of noise the system generates. I need to keep this data for a few years, so it can build up quite considerably.

So the Query I am testing at the moment is:

AdtAdmin.exe /setquery /query:"SELECT * FROM AdtsEvent WHERE NOT (EventId=551 OR EventId=562 OR EventId=573 OR EventId=577 OR EventId=578 OR EventId=697 OR (EventId>=594 AND EventId<=597) OR (EventId>=768 AND EventId<=771) OR (EventId>=832 AND EventId<=841) OR EventId=538 OR EventId=672 OR EventId=680 OR EventId=571 OR (EventId=624 And TargetUser LIKE '%$%') OR (EventId=627 AND HeaderUser='System' AND ClientUser like '%$%' And TargetUser = 'TsInternetUser') OR ((EventId = 538 or EventId = 540) AND (String01 = '3') AND HeaderUser like '%$%') OR ((EventId > 671 and EventId < 678) and ClientUser LIKE '%$%') OR ((HEADERUSER LIKE '%ADM_%' OR HEADERUSER LIKE '%SYS_%') AND (EventID = 528 OR EventID = 540 OR EventID = 680)))"

I navigated to c:\Windows\System32\Security\Adtserver in an elevated command prompt and ran the query, and it failed with Access Denied.


I was lucky in that I already have a working ACS Collector on the network and am migrating to a new one, so I could compare the two. After a bit of digging around I noticed that the permissions on the registry key below were not set correctly on the new collector. As the images below show, the Network Service account needs an Allow permission for “Set Value” on this key.

HKLM\SYSTEM\CurrentControlSet\services\AdtServer\Parameters\

Entry:

DbQueueQuery

Permissions on non-working server: [image]

Permissions on working server: [image]

So to fix it, just add an Allow “Set Value” permission for the Network Service on that key, close the permissions dialog and the registry editor, and run the query again.
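As an added example (not from the original post), the same fix scripted in PowerShell so the ACL can be checked before anything is changed, and only the single "Set Value" right is granted rather than Full Control. It assumes the collector runs as NT AUTHORITY\NETWORK SERVICE as described above and that it is run from an elevated prompt on the collector:

```powershell
# Added example, not from the original post: verify that NETWORK SERVICE holds
# Allow "Set Value" on the AdtServer Parameters key and grant only that right if missing.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\AdtServer\Parameters'
$account = [System.Security.Principal.NTAccount]'NT AUTHORITY\NETWORK SERVICE'
$needed  = [System.Security.AccessControl.RegistryRights]::SetValue

$acl = Get-Acl -Path $keyPath

# Compare by SID so the check does not depend on localised account display names.
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

$hasSetValue = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    (($_.RegistryRights -band $needed) -eq $needed)
}

if ($hasSetValue) {
    Write-Host "NETWORK SERVICE already has Allow 'Set Value' on $keyPath"
} else {
    Write-Host "Granting Allow 'Set Value' (only) to NETWORK SERVICE on $keyPath"
    # No inheritance flags: the right is scoped to this key alone.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $account, $needed,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

# Read back the stored filter so you can confirm AdtAdmin /setquery actually wrote it.
Get-ItemProperty -Path $keyPath -Name DbQueueQuery -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty DbQueueQuery
```

Run AdtAdmin.exe /setquery again after the script reports the grant; the final line should then print the new WHERE clause instead of the old filter.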

Categories: SCOM, System Center
  1. Kitaab
    January 28, 2013 at 7:27 am

    Thank you, this helped me as well.

    I was able to set the filter using your blog.

    Just one query, if you may suggest:
    I installed ACS Collector on RMS Emulator.
    It is a VM (vSphere based, has 4 vCPUs and 16GB RAM).

    Only enabled the Audit collection on 8 DCs that we have. I haven’t enabled it for all 190 agents.

    I actually increased the DisconnectThreshold and BackOffThreshold values to 97 and 95 respectively.

    But I see a lot of events on SCOM Server —

    Event ID 4630 — An Audit Forwarder disconnected. Reason: 0x00000015

    Event ID 4634 — An Audit Forwarder disconnected Reason: Collector disconnected the forwarder because it is busy.

    Event ID 4615 — Database queue threshold exceeded

    Current threshold: 97% full
    Current queue status: 100% full.

    The events come for all DCs that we enabled as ACS forwarders.
