I have a lot of 26004 events on the SCOM server (all about DHCP).


I’ve added the SCOM Action Account to the “Event log readers” group on all DHCP servers (as per https://jurelab.wordpress.com/2015/02/18/failed-accessing-windows-event-log-on-management-server-warning-state-event-id-26004/) but it didn’t help. Maybe somebody knows how to resolve this issue?


The Windows Event Log Provider is still unable to open the DhcpAdminEvents event log on computer ‘dhcp.domain.com. The Provider has been unable to open the DhcpAdminEvents event log for 3600 seconds.

Most recent error details: Access is denied.

One or more workflows were affected by this.

Workflow name: Microsoft.Windows.DHCPServer.2012.FailoverServerWatcher.UnitMonitor.LostCommunicationWithfailoverPartnerServer
Instance name: dhcp1.domain.com-dhcp2.domain.com
Instance ID: {someID}
Management group: MGGROUPname

Jure Lab answered
    • Adding the SCOM MSA account is heavy-handed. The SCOM agent should have all the permissions it requires as it will likely be running as LocalSystem - Can you confirm this? (services > Microsoft Monitoring Agent)
    • Yes, it's running as LocalSystem. I think that I fixed the problem. I recently rebooted all management servers (after adding the SCOM Action account to the Log readers group on the DHCP servers). After that, all the errors were gone. I'll check whether the errors still exist a few hours later.
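
Added example, not part of the thread above and not code from any poster: a PowerShell check of whether a channel's access descriptor grants read access to BUILTIN\Event Log Readers, which is what makes the group membership discussed above effective. The function names and the sample SDDL string are constructed for illustration; the channel name `DhcpAdminEvents` is the one from the error text.

```powershell
# Event log access rights in a channel descriptor: 0x1 = read, 0x2 = write, 0x4 = clear.
$EventLogReadersSid = 'S-1-5-32-573'   # well-known SID of BUILTIN\Event Log Readers

# Hypothetical helper: list every ACE in the DACL that covers the read right.
function Get-ChannelReadAccess {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (($ace.AccessMask -band 0x1) -eq 0) { continue }   # ACE does not cover read
        [pscustomobject]@{
            Sid  = $ace.SecurityIdentifier.Value
            Type = [string]$ace.AceQualifier                   # AccessAllowed / AccessDenied
            Mask = '0x{0:x}' -f $ace.AccessMask
        }
    }
}

# Hypothetical helper: true only if the group has an allow ACE and no deny ACE for read.
function Test-EventLogReadersCanRead {
    param([Parameter(Mandatory)][string]$Sddl)
    $aces = @(Get-ChannelReadAccess -Sddl $Sddl |
              Where-Object { $_.Sid -eq $EventLogReadersSid })
    $allowed = @($aces | Where-Object { $_.Type -eq 'AccessAllowed' }).Count -gt 0
    $denied  = @($aces | Where-Object { $_.Type -eq 'AccessDenied'  }).Count -gt 0
    return ($allowed -and -not $denied)
}

# Constructed sample descriptor (not taken from the servers in the thread).
$sample = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)'
Get-ChannelReadAccess -Sddl $sample | Format-Table -AutoSize
Test-EventLogReadersCanRead -Sddl $sample

# On a DHCP server, check the live channel instead of the sample:
# $sddl = (Get-WinEvent -ListLog 'DhcpAdminEvents').SecurityDescriptor
# Test-EventLogReadersCanRead -Sddl $sddl
```

If the check returns false on the live channel, membership in Event Log Readers alone does not grant read access to that log.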