In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

When viewing user enable or disable events in ADAudit Plus reports, the actions appear as performed by the ADManager Plus service account instead of the actual technician who initiated the request in ADManager Plus. This can cause confusion when trying to identify the real requester of the operation.

Prerequisites  

• ADAudit Plus and ADManager Plus must both be configured and integrated with the same Active Directory domain.

• ADAudit Plus should be collecting User Management audit events from all Domain Controllers.

• The service account configured in ADManager Plus must have sufficient privileges to perform user management actions in Active Directory.

Possible causes  

Impersonate as Admin setting in ADManager Plus:

While creating a help desk technician in ADManager Plus, there is an option called Impersonate as Admin, which allows the technician to perform delegated actions through the product interface without altering their actual AD permissions.
When this option is enabled, all actions initiated by that technician are executed using the service account configured in ADManager Plus. As a result, ADAudit Plus which audits events from Windows Security Logs records the service account as the one performing the action.

Lack of cross-product correlation:

ADAudit Plus does not natively correlate actions with ADManager Plus technicians unless reports are cross-referenced between both products. Therefore, while ADAudit Plus captures the event execution details, the initiator information can only be viewed from ADManager Plus logs.

Resolution  

This behaviour is expected, as ADAudit Plus captures audit data based on the Windows Security event logs generated by Active Directory. The actual directory operations are executed by the ADManager Plus service account, which is why it appears in ADAudit Plus reports.

To identify the actual user who initiated the change, follow these steps:

1. In ADManager Plus, navigate to:
   Reports > Help Desk Audit > Technician Audit Reports

• This report shows the exact technician who performed the action.

2. Cross-reference the timestamp and action details from ADManager Plus with the event in ADAudit Plus to confirm both the initiator and the execution details.

Related topics and articles  

• How ADAudit Plus integrates with ADManager Plus

When and how to reach support  

• If the issue persists, contact our support team here.