[Problem Description]
The customer reported a large number of event ID 4105 warnings in the server's event log; the details are as follows:
Because the event log has a size limit, old entries are overwritten by new ones. The flood of warnings shrinks the log's coverage from the original 60 days to less than one day, which seriously hampers the customer's ability to analyze problems.
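The following PowerShell function is an added example (not part of the original note) for putting numbers on the symptom described above: it reports the size and overwrite mode of the log, the time span the oldest and newest surviving records still cover, and how many of the records are event 4105. It assumes the licensing warnings are written to the System log on the license server (the usual location); pass a different -LogName if your environment differs.

```powershell
# Added example (not part of the original note): measure how much time the System log
# still covers and how much of it event 4105 accounts for. Run on the license server.
# Assumption: the licensing warnings land in the System log (the usual location);
# pass another -LogName if your environment differs.
function Get-LicensingLogHealth {
    param(
        [string]$LogName = 'System',
        [int]$EventId = 4105
    )

    # Log configuration: current size, cap and overwrite mode
    $log = Get-WinEvent -ListLog $LogName
    $header = "{0}: {1:N0} records, {2:N1} MB of {3:N1} MB maximum, mode {4}"
    Write-Host ($header -f $log.LogName, $log.RecordCount, ($log.FileSize / 1MB), ($log.MaximumSizeInBytes / 1MB), $log.LogMode)

    # Oldest and newest record still present: this is the effective retention window
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1
    $span = $newest.TimeCreated - $oldest.TimeCreated
    Write-Host ("Log currently covers {0:N2} days ({1} .. {2})" -f $span.TotalDays, $oldest.TimeCreated, $newest.TimeCreated)

    # How many of the records in that window are the event we care about
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -ErrorAction SilentlyContinue)
    $share = if ($log.RecordCount -gt 0) { $events.Count / $log.RecordCount } else { 0 }
    Write-Host ("Event {0}: {1:N0} entries ({2:P1} of all records)" -f $EventId, $events.Count, $share)

    # Rate per hour tells you how quickly the log is being rolled over
    if ($events.Count -gt 0 -and $span.TotalHours -gt 0) {
        Write-Host ("Rate: {0:N1} event-{1} entries per hour" -f ($events.Count / $span.TotalHours), $EventId)
        # The message text of 4105 names the affected account; group by it to see which users recur
        $events | Group-Object -Property Message | Sort-Object Count -Descending |
            Select-Object -First 10 Count, @{ Name = 'Message'; Expression = { $_.Name.Split("`n")[0] } }
    }

    # Return the numbers so they can be recorded and compared again after the fix is applied
    [pscustomobject]@{
        LogName       = $LogName
        RecordCount   = $log.RecordCount
        RetentionDays = [math]::Round($span.TotalDays, 2)
        EventCount    = $events.Count
        EventShare    = [math]::Round($share, 4)
    }
}

Get-LicensingLogHealth -LogName 'System' -EventId 4105
```

Run it once before and once after the permission fix; RetentionDays should climb back toward the previous 60-day window as the 4105 entries stop arriving. The returned object is also useful as a baseline if the log size cap is raised in the meantime, so that the two effects are not confused.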
[Problem Analysis]
Event ID 4105 has a documented resolution, summarized as follows:
1. If the license server is installed on a domain controller, the Network Service account must also be a member of the Terminal Server License Servers group.
2. If the license server is installed on a domain controller, then after the appropriate account has been added to the Terminal Server License Servers group, the Remote Desktop Licensing service must be restarted in order to track or report RDS Per User CAL usage.
However, neither of these two cases applies at the customer's site, so the likely cause is that the user objects lack the [Read and Write Terminal Server License Server] permission.
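Before changing any ACLs, it is worth confirming the diagnosis with a read-only audit. The script below is an added example (not part of the original note) that lists which user objects lack an Allow ACE granting BUILTIN\Terminal Server License Servers (SID S-1-5-32-561) ReadProperty and WriteProperty on the Terminal-Server-License-Server property set (GUID 5805bc62-bdc9-4428-a5e2-856a0f4c185e). It assumes the ActiveDirectory module (RSAT) is installed, which also provides the AD: drive that Get-Acl reads from, and that $SearchBase is adjusted to your domain.

```powershell
# Added example (not part of the original note): a read-only audit that reports which
# user objects lack the "Read and Write Terminal Server License Server" permission for
# BUILTIN\Terminal Server License Servers. Nothing is modified.
# Assumptions: the ActiveDirectory module (RSAT) is installed, which also provides the
# AD: drive used by Get-Acl, and $SearchBase is adjusted to your domain.
Import-Module ActiveDirectory

# Identifiers referenced by the note: the Terminal-Server-License-Server property set
# and the well-known SID of the Terminal Server License Servers group
$TsLicensePropertySet = [guid]'5805bc62-bdc9-4428-a5e2-856a0f4c185e'
$TsLicenseServersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-561'
$ReadProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$WriteProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-TsLicenseAce {
    # Returns $true when an Allow ACE for the group grants ReadProperty and WriteProperty
    # on the property set; explicit and inherited ACEs both count.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $TsLicensePropertySet) { continue }
        # Compare by SID rather than display name so a renamed or localized group still matches
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable identity (e.g. an orphaned SID) cannot be our group
        }
        if ($sid -ne $TsLicenseServersSid) { continue }
        if ($ace.ActiveDirectoryRights.HasFlag($ReadProperty) -and
            $ace.ActiveDirectoryRights.HasFlag($WriteProperty)) {
            return $true
        }
    }
    return $false
}

$SearchBase = 'DC=mydomain,DC=com'   # assumption: same domain as the note's LDAP path
$report = Get-ADUser -Filter * -SearchBase $SearchBase |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            HasTsLicenseAce = Test-TsLicenseAce -DistinguishedName $_.DistinguishedName
        }
    }

# Summary first, then the accounts that would need the ACE added
$report | Group-Object HasTsLicenseAce | Select-Object @{ Name = 'HasTsLicenseAce'; Expression = { $_.Name } }, Count
$report | Where-Object { -not $_.HasTsLicenseAce } | Sort-Object SamAccountName | Format-Table SamAccountName, Enabled
```

If the accounts named in the 4105 messages show up in the "missing" list while accounts that log on without warnings do not, the diagnosis is confirmed and the bulk fix below is justified. Note that this check accepts inherited ACEs as well as explicit ones; the repair script that follows only inspects explicit ACEs, so an object covered by inheritance would be reported here as fine but still receive an explicit entry from the repair script, which is harmless.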
[Resolution]
A PowerShell script found online can add the missing permission to user objects in bulk:
# Description: This script adds the missing "Read and Write Terminal Server
# License Server" permission for the Terminal Server License Servers group
# to user objects in Active Directory.
# This may solve problems with TS CALs not being issued and event id
# 4105 being logged at the license server.

# Constants
$URL = "LDAP://DC=mydomain,DC=com"   # search root; adjust to your domain
# GUID of the Terminal-Server-License-Server property set
$TSLicenseGuid = [guid]"5805bc62-bdc9-4428-a5e2-856a0f4c185e"
# Well-known SID of BUILTIN\Terminal Server License Servers
$TSLicenseSid = [System.Security.Principal.SecurityIdentifier]"S-1-5-32-561"
# ActiveDirectoryRights ReadProperty (16) + WriteProperty (32) = 48
$TSLicenseRights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"

cls
$root = New-Object System.DirectoryServices.DirectoryEntry $URL
$ds = New-Object System.DirectoryServices.DirectorySearcher
$ds.SearchRoot = $root
$ds.Filter = "(objectCategory=Person)"
$ds.PageSize = 1000   # paged search; without it the server returns at most 1000 results
$src = $ds.FindAll()
Write-Host "Found" $src.Count "user objects.`n"
$src | %{
    $de = $_.GetDirectoryEntry()
    # Explicit (non-inherited) ACEs on this object that refer to the property set
    $accessrules = $de.get_ObjectSecurity().GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ?{ $_.ObjectType -eq $TSLicenseGuid }
    if ((Measure-Object -InputObject $accessrules).Count -eq 0)
    {
        # Grant the group read/write on the property set and write the ACL back
        $ar = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($TSLicenseSid, $TSLicenseRights, "Allow", $TSLicenseGuid)
        $de.get_ObjectSecurity().AddAccessRule($ar)
        $de.CommitChanges()
        Write-Host -f Yellow ("Added:`t" + $de.Properties["sAMAccountName"])
        Start-Sleep -m 200   # brief pause so the DC is not flooded with writes
    }
    else
    {
        Write-Host -f Green ("OK:`t" + $de.Properties["sAMAccountName"])
    }
}
Sample output:
Found 900 user objects.
Added: Guest
OK: Administrator
Added: IUSR_FGSH02
Added: IUSR_FGSH06
OK: ExchangeService
OK: ArcserveSvc
OK: ArcSvc
Added: ftpuser
OK: dbagent
OK: krbtgt
Added: IUSR_FGSH01
Added: IWAM_FGSH01