WinRM Connection limits

Sometimes in various Microsoft products (Exchange/VMM mostly) you might reach some of the WinRM connection limits.  Personally I see it most in Virtual Machine Manager when you have many admins who are making lots of changes and deploying large numbers of services.

The symptom is sometimes an error like this:  Error Connecting to remote server failed with the following error message: The WS-Management service cannot process the request. This user is allowed a maximum number of 5 concurrent shells, which has been exceeded. Close existing shells or raise the quota for this user.

It can also just show as a generic Failed/timeout job which then works when you re-try later.

1. On the offending server open a command prompt or Powershell window with administrative privileges.
2. Type in winrm get winrm/config/winrs to view the current configuration.

winrmmax

These values will need to be increased, don’t just add a load of zeros to the end as having limits configured can stop unwanted or malicious connections from brining a server to its knees.

To adjust the values use the commands below where 20 and 100 are appropriate numbers for your environment.

3. winrm set winrm/config/winrs @{MaxConcurrentUsers=”20″}
4. winrm set winrm/config/winrs @{MaxShellsPerUser=”100}

How to create an Operations Manager 2012 R2 alert on active directory account lockout or any other event

Over the various versions of windows server there have been many different event IDs logged when accounts are locked out after too many failed logon attempts.  The event you are after for 2008 R2 / 2012 is Event ID 4740 and it is logged in the security event log.

It is possible to use a simple scheduled task which runs with this event ID as the trigger to generate an “account is locked” email, but why do that when you have operations manager?

We can create a new rule to alert on this event and it is also even possible to base the alert on other items within the event description.  For example you might want a generic account is locked email to go to the support desk, whereas alerts for a critically important service account should go to a separate team who manage this service.   Here is a guide on how to setup such an alert.

1. Load up the operations manger console and click on “Authoring”

2. Expand the “Management Pack Objects” item and click on “Rules.”

3. Click on “Create a rule.” This is in the tasks pane on the right hand side, you might need to expand this if you have previously closed it.

4. Expand “alert Generating Rules” then expand “Event based” and select “NT Event log (alert)” and select an appropriate management pack to store the alert.  I would reccomend creating a management pack for all your custom rule based alerts or if you plan on having many it maybe worth breaking it out further, e.g. “Account Lockout Alerts”

createarulewizard

5. Click “Next” and give your new rule a suitable name.

6. Select a rule target, in this instance “Windows Computer” will work and click “Next.”

rulename

7.  Select the Log you wish to monitor, for this rule we need to select the security log then click “Next.”

securitylog

8. Now it is time to build the expression to filter the events we want to alert on.  If you simply want an alert any time this occurs set the parameter name to “Event ID” Operator to “Equals” and Value to “4740”.

simpleexpression

9. If however you want to be a little more presisce and only generate an alert for a particualr account or computer (or anything within the event) you can.  Simply locate an event you want to build an expression for on one of your target servers (e.g. log onto a DC and have a look for a security event with ID4740) and examine the details section.

4740eventdetails

10. Here I want to configure the alert to only fire if the “crit_service” account is locked.  So within the expression builder I insert a new expression and select an event property and enter my own.

Parameter Name: “TargetUserName”
Operator: “Contains”
Value “crit_service”

fullexpression

11. Finally configure the alert.  Here you can edit the alert name, description and other fields.  I simply changed the alert name and left the alert description and other fields alone as it is fine for my purposes.

configurealert

12.  Dont forget to setup an alert subscription for this so the right people get an alert when the account is locked out!  If you took a note of the alert name used you can filter against this to make sure only the right people get the message.