Hey Spiceheads,
I believe I've got a pretty interesting one here. First, a little back story. We use Meraki MX for our content filter and firewall. We have it synced with our Active Directory groups to apply content group policies through Meraki. We had been having steady problems with YouTube EDU and a few other content filtering problems. After contacting support, they say a new firmware update will solve the issue. We schedule it for the long weekend and it gets applied (I have no control over the update). I return on Tuesday to find that no one is getting their content group policies. If you can't authenticate, it is set up to give a default group policy, where a lot of things are blocked. After spending a lot of time with Meraki, they say that it's on our server and there is nothing they can do. While I was willing to admit that there was a very slim possibility that this was an existing issue on our server, they still wouldn't revert the update.
Where I am at now (we are running 2008 R2 SP1):
I basically found out that Meraki runs a WMI query on our server for certain event log IDs to see who has logged in and logged off successfully. Every time it was getting a WMI quota violation. After checking the memory through wbemtest.exe, I saw that it was set at the correct default of 512MB (but converted to bytes). I even raised it to 1024, but have since reverted it because it didn't help the problem. I have run WMIDIAG and can attach the logs if needed. Now here is where it gets weird: when Meraki is set up to query our server, we are getting over 500 errors from WMIDIAG. When we turn it off, less than 30. Even stranger, we get the same results on three separate servers that were all configured independently of each other. I eventually was able to turn on WMI-Activity logging in the event viewer and saw the following code being run (this is what the Meraki query is running).
Start IWbemServices::ExecQuery - SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND Type LIKE '%Success%' AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768);
It also had some other information about GroupOperationID and User. The namespace it was being run on was \\.\root\cimv2
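As an added example (not from the original post and not Meraki's own code), the PowerShell below lets an admin reproduce what the WMI-Activity logging captured from the server side: it reads the same quota settings wbemtest exposes (the __ProviderHostQuotaConfiguration class in the root namespace), runs the exact WQL from the log with a row cap so the test itself cannot exhaust the quota, and pulls the recent WMI operation failures (event 5858 in Microsoft-Windows-WMI-Activity/Operational) grouped by ResultCode. The class, log and event names are standard Windows ones; the parameter names, row cap and the message-parsing regexes are this example's own assumptions, and 0x8004106C is the WBEM_E_QUOTA_VIOLATION code to look for in that grouping.

```powershell
# Added example, not the poster's or Meraki's code. Assumes it is run as an
# administrator on (or against) the domain controller. Class names and log
# names are standard Windows ones; $MaxRows and the regexes are assumptions.

param(
    [string]$Computer = $env:COMPUTERNAME,
    [int]$MaxRows = 200   # cap so this test run cannot itself exhaust the quota
)

# 1. The quota settings wbemtest shows: __ProviderHostQuotaConfiguration lives
#    in the root namespace, not root\cimv2. MemoryPerHost is stored in bytes.
function Get-WmiQuota {
    param([string]$ComputerName)
    $q = Get-CimInstance -ComputerName $ComputerName -Namespace 'root' `
            -ClassName '__ProviderHostQuotaConfiguration'
    [pscustomobject]@{
        MemoryPerHostMB      = [math]::Round($q.MemoryPerHost / 1MB)
        MemoryAllHostsMB     = [math]::Round($q.MemoryAllHosts / 1MB)
        ThreadsPerHost       = $q.ThreadsPerHost
        HandlesPerHost       = $q.HandlesPerHost
        ProcessLimitAllHosts = $q.ProcessLimitAllHosts
    }
}

# 2. The exact WQL the WMI-Activity log captured. Get-WmiObject talks DCOM to
#    the WMI service like an external client would; only $Limit rows are kept.
$Wql = "SELECT EventCode,InsertionStrings,RecordNumber FROM Win32_NTLogEvent " +
       "WHERE Logfile = 'Security' AND Type LIKE '%Success%' " +
       "AND (EventCode=540 OR EventCode=672 OR EventCode=4624 OR EventCode=4768)"

function Invoke-LogonQuery {
    param([string]$ComputerName, [string]$Query, [int]$Limit)
    $sw   = [System.Diagnostics.Stopwatch]::StartNew()
    $rows = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2' -Query $Query |
            Select-Object -First $Limit
    [pscustomobject]@{
        RowsReturned = @($rows).Count
        ElapsedSec   = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        EventCodes   = ($rows | Group-Object EventCode |
                        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# 3. Recent WMI operation failures (event 5858). The message text carries
#    "ClientMachine = ...; User = ...; Operation = ...; ResultCode = 0x...".
#    ResultCode 0x8004106C is WBEM_E_QUOTA_VIOLATION.
function Get-WmiFailures {
    param([string]$ComputerName, [int]$Newest = 50)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5858
    } -MaxEvents $Newest -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Client     = if ($m -match 'ClientMachine = ([^;]+)')      { $Matches[1] } else { '' }
            User       = if ($m -match 'User = ([^;]+)')               { $Matches[1] } else { '' }
            ResultCode = if ($m -match 'ResultCode = (0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
            Operation  = if ($m -match 'Operation = ([^;]+)')          { $Matches[1] } else { '' }
        }
    }
}

Get-WmiQuota      -ComputerName $Computer | Format-List
Invoke-LogonQuery -ComputerName $Computer -Query $Wql -Limit $MaxRows | Format-List
Get-WmiFailures   -ComputerName $Computer |
    Group-Object ResultCode | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run it once with the Meraki integration on and once with it off and compare the failure grouping: if the 0x8004106C rows only appear while the integration is enabled, and the capped query itself completes quickly, that points at the volume of Security-log rows the uncapped query has to walk rather than at the quota value itself. Get-WmiObject is the right cmdlet on 2008 R2; on newer hosts it still works in Windows PowerShell 5.1 but is absent from PowerShell 7.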
If anyone has some insight or things to try, please let me know. I'm about at my wits end.