Windows Event Collector Access denied for Security Group

Dante Nahuel 1 Reputation point
2021-09-15T13:52:20.503+00:00

Hi
We have an ongoing issue with WEF and WECs when new WEFs are added to the Security Group which is Source for the WEC.
WEFs are configured through GPO which targets the correct WEC for the Site, and then has a Security Group as Source in the Subscription.
The issue is that when we add a new Server to that Security Group, it gets the GPO applied but it can't connect to the WEC.
Error code is 5 and message is Access Denied.
The weird thing is that if we wait for a random extended period of time, the WEC starts accepting the WEF and the issue solves itself, without any modifications from our side.
Another weird thing is that if we add that new Server directly as a Source in the WEC subscription instead of through the Security Group, it starts working immediately.
We already tried rebooting the WEC, removing and re-adding the Security Group as Source, and doing a Kerberos purge.
The only thing we haven't tried, because we can't, is rebooting the newly added WEFs, which would be very impractical if we need to add a lot of servers at the same time, many of them being in Production.
I'm out of ideas on why this is happening.


1 answer

  1. Limitless Technology 39,351 Reputation points
    2021-09-16T09:49:22.36+00:00

    Hello Dante N,

    Thank you for your question.

    Microsoft identified this issue some time ago and released an article describing the issue and how to resolve it. I recommend that you see the article below:

    https://support.microsoft.com/en-us/topic/fix-access-is-denied-error-occurs-on-some-source-initiated-subscription-workgroup-computers-in-windows-7-or-windows-server-2008-r2-6dd0a942-86cd-e880-5a7a-58ee1f286795

    If the answer was helpful, please don't forget to vote up or accept as an answer, thanks.
