Netwrix Auditor System Health Log - Event ID 1009 / 1209

This article applies to Netwrix Auditor 6.0 and above. It explains the nature of the Event ID and provides resolution.
Email It to Me Print this Page
Symptoms Depending on your Netwrix Auditor version, the Netwrix Auditor System Health Log contains the following EventID
Netwrix Auditor 9.5: 1209
Netwrix Auditor 9.0 and below: 1009


with one of the following errors in Details:
  • "Unable to obtain the list of SharePoint groups for site collection with ID '{0}': Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
  • "Unable to obtain the list of SharePoint groups for site collection with ID '{0}': Access to this Web site has been blocked.
Cause The security settings in the audited SharePoint farm do not allow collecting complete audit data. The product was unable to get a list of security groups from the audited site collections due to one of the following reasons (depending on the error in the "Details" field):
  • there are insufficient permissions for the web application hosting the target site collection
  • the target site collection is in the Locked - No Access status
Resolution To resolve the issue, do one of the following depending on the reason:
  • Navigate to Central Administration --> Web Applications --> <audited web application> --> User Permissions and verify your security permissions. The minimal required permissions are "Manage Web Site".
  • Navigate to Central Administration --> Application management --> Configure quotas and locks --> <audited site collection> and change its status to "Not Locked"Alternatively, you can unlock your site using SharePoint Management Shell.
To change site status to "Unlock" using SharePoint Management Shell, do the following:
  1. Make sure that your account complies with the requirements mentioned in the Microsoft technical article.
  2. In your SharePoint server, navigate to Start --> Microsoft SharePoint Products <version> SharePoint Management Shell.
  3. Execute the following command:  Set-SPSite -Identity "<SiteCollection>" -LockState "<State>"
Where:
<SiteCollection> is the URL of the site collection that you want to track or unlock.
<State> is one of the following values:
  • Unlock to unlock the site collection and make it available to users.

  • NoAdditions to prevent users from adding new content to the site collection. Updates and deletions are still allowed.

  • ReadOnly to prevent users from adding, updating, or deleting content.

  • NoAccess to prevent users from accessing the site collection and its content. Users who attempt to access the site receive an error.

Was this information helpful?