When Deploying TDAD, the error "Cred Error: User Account issue on DC" is received

Article ID: 175808

Products

Endpoint Threat Defense for Active Directory

Issue/Introduction

  • When deploying TDAD, the error "Cred Error: User Account issue on DC" is received
  • Unable to deploy TDAD to clients
  • Cred Error: User Account issue on DC - User Account issue on DC
    In the error details you will see: Replication Issue - User Replication Issue
  • SiteManager.log (the account name at the end of the log line is cut off in this excerpt):
    ERROR General.ProcessHandler - Process[repadmin] Failed: output[
    Unable to replicate secrets for user 

Cause

The message comes from repadmin, which TDAD runs (Process[repadmin] in SiteManager.log) when it needs an account's secrets replicated to a read-only domain controller (RODC). "The user above" and "the read-only DC above" refer to the account and RODC named in the full log line. The failure is due to one of the following conditions:

* The caller does not have the "Secret Synchronization" control access right on the read-only DC above.

* The user above is a security sensitive user that cannot have secrets replicated to any read-only DC.

* The user above is not a member of the RevealOnDemand group associated with the read-only DC above.

* The user above is a member of the NeverReveal group associated with the read-only DC above.

The RevealOnDemand and NeverReveal groups are the Allowed and Denied lists of the RODC's Password Replication Policy (PRP). An entry in the Denied list takes precedence over the Allowed list, and Domain Admins is a member of the Denied RODC Password Replication Group by default, so an account that belongs to Domain Admins will fail this check unless the PRP has been changed.
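The following PowerShell is an added example, not part of the original article or of the TDAD product. It checks the three account-side conditions above (Denied list, protected account, Allowed list) for a given account and RODC and then runs the same repadmin /rodcpwdrepl test that SiteManager invokes, so the full message can be read. The account name svc-tdad-deploy, the RODC name RODC01 and the use of the PDC emulator as the source DC are assumptions; substitute the values from your SiteManager.log line.

```powershell
# Added example (not from the original article): check whether an account's secrets
# can be replicated to a read-only DC, then run the same repadmin test as SiteManager.
# $User, $Rodc and the choice of source DC are assumptions; take them from the log line.
Import-Module ActiveDirectory

$User = 'svc-tdad-deploy'   # assumed: account named after "Unable to replicate secrets for user"
$Rodc = 'RODC01'            # assumed: the read-only DC named in the error

# Returns the name of the first PRP entry that covers the account, either directly
# or through nested group membership, or $null when no entry covers it.
function Find-PrpEntry {
    param(
        [Microsoft.ActiveDirectory.Management.ADUser]$Account,
        [Microsoft.ActiveDirectory.Management.ADPrincipal[]]$Entries
    )
    foreach ($entry in $Entries) {
        if ($entry.objectClass -eq 'group') {
            # Well-known SIDs in the default Denied group cannot be expanded; ignore those errors.
            $members = Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive -ErrorAction SilentlyContinue
            if ($members.DistinguishedName -contains $Account.DistinguishedName) { return $entry.Name }
        }
        elseif ($entry.DistinguishedName -eq $Account.DistinguishedName) { return $entry.Name }
    }
    return $null
}

$acct    = Get-ADUser -Identity $User -Properties adminCount
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

$inDenied  = Find-PrpEntry -Account $acct -Entries $denied
$inAllowed = Find-PrpEntry -Account $acct -Entries $allowed

# Deny wins over Allow. adminCount=1 marks an account that is (or once was) a member of
# a privileged group; those groups sit in the Denied list by default, so treat it as a
# likely "security sensitive user" even if the PRP has been edited.
if ($inDenied) {
    "$User is in the NeverReveal (Denied) list of $Rodc via '$inDenied'"
}
elseif ($acct.adminCount -eq 1) {
    "$User has adminCount=1 (privileged/protected account); expect the security sensitive check to fail"
}
elseif (-not $inAllowed) {
    "$User is not in the RevealOnDemand (Allowed) list of $Rodc"
}
else {
    "$User is allowed via '$inAllowed'; if repadmin still fails, check the caller's rights on the RODC object"
}

# Same test SiteManager runs: replicate this user's secrets from a writable DC to the RODC.
$sourceDc = (Get-ADDomain).PDCEmulator   # assumed source DC; any writable DC works
& repadmin.exe /rodcpwdrepl $Rodc $sourceDc $acct.DistinguishedName
"repadmin exit code: $LASTEXITCODE"
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed, as the same account that TDAD uses for deployment, so that the first condition (the caller's "Secret Synchronization" right on the RODC) is tested under the same identity.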

Resolution

The Domain Admin (or Domain Admin equivalent) account used for deployment does not have the necessary privileges. Review the attached document, "Threat Defense for Active Directory v3.3 Domain Admin Account Configuration", to confirm the account is configured with the correct access.

Otherwise, there is a quick way to list every Deny permission on a specific user account with PowerShell, using the third-party PowerShellAccessControl module (Get-ADUser also requires the ActiveDirectory RSAT module):

  • Download the PowerShellAccessControl module and extract the scripts.
  • Open PowerShell as a user with Domain Admin privileges.
  • Import the module and run the query (two separate commands; replace UserAccount with the deployment account's sAMAccountName):

    Import-Module .\PowerShellAccessControl.psd1
    Get-ADUser UserAccount | Get-AccessControlEntry -ObjectAceType initials -AceType AccessDenied

Grant the account any permission the output shows as denied. An explicit Deny entry takes precedence over an Allow on the same object, so the Deny entry itself must be removed, or the account excluded from the trustee it is denied through, before the Allow takes effect. Then retry the deployment.
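The same check can be done without the third-party module. The following PowerShell is an added example, not from the original article or the product: it reads the account's security descriptor through the AD: drive of the built-in ActiveDirectory module, keeps only Deny entries, and resolves the ObjectType GUIDs to attribute and extended-right names so each entry is readable. The account name svc-tdad-deploy is an assumption; use the deployment account from your log.

```powershell
# Added example (not from the original article): list Deny entries on an AD user with
# only the built-in ActiveDirectory module, resolving ObjectType GUIDs to names.
# The account name is an assumption; use the deployment account from SiteManager.log.
Import-Module ActiveDirectory

$User = 'svc-tdad-deploy'   # assumed: the TDAD deployment account

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container (control access rights such as "Reset Password").
$rootDse   = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

# Empty GUID means the ACE applies to the whole object, not a single attribute/right.
function Resolve-AceGuid([guid]$Id) {
    if ($Id -eq [guid]::Empty)       { return 'All' }
    if ($guidNames.ContainsKey($Id)) { return $guidNames[$Id] }
    return $Id.ToString()            # unknown GUID: show it raw rather than guess
}

# Returns one object per Deny ACE on the user, explicit or inherited from a parent OU.
function Get-UserDenyAce([string]$Identity) {
    $acct = Get-ADUser -Identity $Identity
    $acl  = Get-Acl -Path "AD:\$($acct.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        [pscustomobject]@{
            Trustee         = $ace.IdentityReference.Value
            Rights          = $ace.ActiveDirectoryRights.ToString()
            ObjectType      = Resolve-AceGuid $ace.ObjectType
            InheritedObject = Resolve-AceGuid $ace.InheritedObjectType
            Inherited       = $ace.IsInherited
        }
    }
}

Get-UserDenyAce -Identity $User | Sort-Object Inherited, Trustee | Format-Table -AutoSize
```

Entries with Inherited = True come from an OU above the account; removing them on the user object does not work, so either fix the ACE on the OU that defines it or move the account. The Trustee column tells you which group the deployment account is being denied through when the Deny is not on the account's own SID.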

Attachments

Threat Defense for Active Directory v3.3 Domain Admin Account Configuration.pdf