When Deploying TDAD, the error "Cred Error: User Account issue on DC" is received

search cancel

When Deploying TDAD, the error "Cred Error: User Account issue on DC" is received

book

Article ID: 175808

calendar_today

Updated On:

Products

Endpoint Threat Defense for Active Directory

Issue/Introduction

When Deploying TDAD, the error "Cred Error: User Account issue on DC" is received
Unable to deploy TDAD to Clients

Cred Error: User Account issue on DC - User Account issue on DC
In the error details you will see: Replication Issue - User Replication Issue
SiteManager.log:
ERROR General.ProcessHandler - Process[repadmin] Failed: output[
Unable to replicate secrets for user

Cause

The cause of this error is due to one of the following:

* The caller does not have the "Secret Synchronization" control access right on the read-only DC above.

* The user above is a security sensitive user that cannot have secrets replicated to any read-only DC.

* The user above is not a member of the RevealOnDemand group associated with the read-only DC above.

* The user above is a member of the NeverReveal group associated with the read-only DC above.

Resolution

Domain Admin account does not have the necessary privileges. Please review the attached document for Domain Admin Equivalent Account
Configuration to confirm correct access.

Otherwise, there's a quick way to check all denied permission of a specific user account using a command in PowerShell.

First, you need to download PowershellAccessControl Module and extract the scripts.
Open PowerShell as a user with Domain Admin privileges,
import this module,
run the commands: import-module .\PowerShellAccessControl.psd1 Get-ADUser UserAccount | Get-AccessControlEntry -ObjectAceType initials -AceType AccessDenied

Add any denied permissions to the Domain Account.

Attachments

Threat Defense for Active Directory v3.3 Domain Admin Account Configuration.pdf get_app

Feedback

thumb_up Yes

thumb_down No