High CPU usage on domain controllers
After you install Account Lockout Examiner (ALE) you may see CPU spikes on monitored domain controllers. If you stop ALE, these spikes go away.
ALE tracks lockout events and failed logon events in the Windows security event log of domain controllers. By default it uses WMI calls, which may result in high CPU usage on the domain controllers.
There are two options to fix the issue:
- Switch the method of communication with domain controllers. In this case ALE will stop querying domain controllers for new events in the log; instead, the domain controllers will notify ALE about new events themselves (a WMI feature). This will reduce the number of WMI calls and, as a result, reduce CPU usage.

  To do this, perform the following on the machine where ALE is installed:

  - Run Registry Editor (`regedit`).
  - Go to `HKLM\Software\[Wow6432Node]\NetWrixAccount Lockout Examiner` (`Wow6432Node` only for x64 OS).
  - Create a DWORD called `UseWatcher` with value `1`.
  - Restart the Netwrix Account Lockout Examiner service via Services.msc.

  ![User-added image](./../0-images/ka04u000000HcUT_0EM7000000052iw.png)
- If the above does not help, disable the use of WMI to communicate with domain controllers. (A .NET-based mechanism will be used instead.)

  To do this, perform the following on the machine where ALE is installed:

  - Run Registry Editor (`regedit`).
  - Go to `HKLM\Software\[Wow6432Node]\NetWrixAccount Lockout Examiner` (`Wow6432Node` only for x64 OS).
  - Change the `UseWMI` value to `0`.
  - Restart the Netwrix Account Lockout Examiner service via Services.msc.

  ![User-added image](./../0-images/ka04u000000HcUT_0EM7000000052jG.png)