Unable to program token

We have deployed Defender in a client environment. It's a financial organization (bank).

Defender installation and license set: OK

The service account is a member of the Enterprise Administrators, Schema Administrators and Domain Admins groups, and a member of the Local Administrators group of the server on which Defender is installed.

The service account has also been delegated full access and rights on the Defender objects.

In the registry, read and write access has been granted to NETWORK SERVICE and the service account on the Schedule reports objects.

This is the error message we get when we try to program a token through ADUC: "Not all the selected objects were able to be assigned. Please ensure that you have the correct rights to update the selected objects in Active Directory"

This error occurs at the step of selecting the user from AD.

From the Web Portal Management we get this error: "Unable to program token."

There are no orphan entries among the Local Administrators group members.

Which rights should the service account have for Defender to be able to update token objects in Active Directory?

In case security on AD has been hardened, could that be the cause? If so, how do we solve it?

Actually, Defender has been reinstalled on a brand new Windows Server 2022 server, but we are still getting the same error, even while working with Professional Services.

  • Hi Martial,

    When you log in to the Management Portal as the admin > Configuration menu, does the service account have the checkbox "Use Service Account for all actions" enabled?

    If not please enable it and test again.

    If that checkbox is already enabled, then there could be an issue with the Management Portal installation. Please uninstall (only remove the Management Portal in the uninstall wizard), then reinstall using an account that is a member of Domain Admins, Schema Admins and Enterprise Admins, then make sure to add the service account configuration and test again.

    Thanks!

  • With Professional Services we have uninstalled all instances of the Defender server and deleted the Defender OU.

    We have reinstalled Defender and set the service account in the Defender Management Portal: good.

    But we are still getting the same error:

    This is the error message we get when we try to program a token through ADUC: "Not all the selected objects were able to be assigned. Please ensure that you have the correct rights to update the selected objects in Active Directory"

    This error occurs at the step of selecting the user from AD.

    From the Web Portal Management we get this error: "Unable to program token."

  • Is this a multi-forest environment where Defender is installed in one forest and you are trying to assign the token to a user in a different forest?

    If so, cross-forest will not work with Defender unless both forests have had their schemas extended for the Defender attributes. In this case the permissions error was thrown, but because there are no Defender attributes in the 2nd domain, there is nothing to write to in order for the token assignment to complete.

    A workaround would be a Defender install in the 2nd forest; however, this would require a license for that domain as well.

  • The Windows administrator just confirmed that their environment is one forest with one domain, no sub-domain.

  • This is likely an environmental issue related to the Active Directory permissions or schema.

  • Hi Tawfiq,

    Thanks for your help.

    We have already deployed Defender twice and it's the first time we face this type of issue.

    Which type of investigation can we conduct on the Active Directory side, since it's in production?

    Active Directory object update auditing? Active Directory schema updates?

  • Also worth making sure that Defender is not pointed to a read-only domain controller.
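
Following the question above about what can be investigated on the Active Directory side, and the read-only domain controller note, here is a read-only PowerShell check that covers the three conditions raised in this thread: the Defender schema extension is present, the configured DC is writable, and the service account actually holds ACEs on the user being assigned a token. This is an added example, not code from the thread or from One Identity; the account, user and DC names are constructed placeholders, and the `defender-` attribute prefix is an assumption that must be matched to the real schema extension names in the environment.

```powershell
# Added diagnostic, not part of the thread. Read-only queries only.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ServiceAccount  = 'CONTOSO\svc-defender'   # constructed placeholder: Defender service account
$TestUser        = 'jdoe'                   # constructed placeholder: user that failed token assignment
$DcUsed          = 'DC01.contoso.com'       # constructed placeholder: DC configured in Defender
$AttributePrefix = 'defender-'              # assumption: adjust to the real Defender schema attribute names

# 1. Schema: does this forest carry the Defender attributes at all? Without them the
#    assignment has nothing to write to, which the thread notes surfaces as a rights error.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributePrefix*))"
$defenderAttrs = @(Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName)
"Schema attributes matching '$AttributePrefix*': $($defenderAttrs.Count)"
$defenderAttrs | ForEach-Object { "  $($_.lDAPDisplayName)" }

# 2. Domain controller: a read-only DC (RODC) cannot accept the write.
$dc = Get-ADDomainController -Identity $DcUsed
"DC $($dc.HostName) IsReadOnly: $($dc.IsReadOnly)  (must be False for token programming)"

# 3. Effective ACEs: list what has actually been granted to the service account on the
#    target user object, including whether each ACE is inherited from the OU.
$userDn = (Get-ADUser -Identity $TestUser).DistinguishedName
$acl    = Get-Acl -Path "AD:\$userDn"
$aces   = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount })
if ($aces.Count -eq 0) {
    # No direct ACE: rights may come only through group membership, or inheritance may be
    # blocked on the object (protected accounts get their ACL reset from AdminSDHolder).
    "No ACE names $ServiceAccount on $userDn; check group-based grants and inheritance (adminCount)."
} else {
    $aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                          ObjectType, InheritanceType, IsInherited | Format-Table -AutoSize
}
```

Run it as an account that can read the schema partition and the target user's security descriptor; compare the ObjectType GUIDs in the output with the Defender attributes listed in step 1 to see whether write access to those attributes was in fact delegated.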