How to resolve reports not capturing user account changes

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • How to reach support

  • Related topics and articles

Issue description  

Reports for user account changes (such as recently created, deleted, modified, enabled, or disabled users) are not showing any data or are missing recent events in the Active Directory (AD) section.

Prerequisites  

  • You must have administrator access to a domain controller.

  • You need permissions to view Event Viewer, run auditpol commands, edit Group Policies using the Group Policy Management Console (GPMC), and modify object properties in Active Directory Users and Computers.

Possible causes  

  • One or more domain controllers are not configured or are disabled in ADAudit Plus.

  • The required Windows advanced audit policies are not enabled, so the domain controllers are not generating the necessary security events.

  • For modification events, the System Access Control List (SACL), also known as object-level auditing, is not configured on the user objects or their parent OUs.

  • The security event log size is too small, causing events to be overwritten before collection.

  • Event data files are stuck in the processing queue on the ADAudit Plus server.

Resolution  

Follow these steps to diagnose and resolve the issue.

Step 1: Verify that the domain controllers are configured

  1. Navigate to Domain Settings in ADAudit Plus.

  2. Verify that all your domain controllers are listed and enabled for auditing (indicated by a green check mark).

  3. If a domain controller is missing or disabled, configure or enable it before proceeding.

Step 2: Verify event generation on the domain controllers

Confirm whether the domain controllers are generating the specific events needed for the reports:

  1. Open Event Viewer on a domain controller and navigate to Windows Logs > Security.

  2. Use the Filter Current Log option to check for the following event IDs corresponding to the missing data:

    • 4720: A user account was created.

    • 4726: A user account was deleted.

    • 4722: A user account was enabled.

    • 4725: A user account was disabled.

    • 5136: A directory service object was modified.

If you cannot find these events after performing the actions, the necessary audit policies are likely not configured.
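The same check can be scripted. The following is an added example, not part of the original article or ManageEngine's own tooling: it counts each event ID listed above in the local Security log and flags the ones that are absent. The 24-hour look-back window is an assumption; run it in an elevated PowerShell session on the domain controller after performing a test action.

```powershell
# Added example: run elevated on a domain controller.
# Event IDs and meanings are the ones listed in Step 2.
$expected = @(
    [pscustomobject]@{ Id = 4720; Meaning = 'A user account was created' }
    [pscustomobject]@{ Id = 4726; Meaning = 'A user account was deleted' }
    [pscustomobject]@{ Id = 4722; Meaning = 'A user account was enabled' }
    [pscustomobject]@{ Id = 4725; Meaning = 'A user account was disabled' }
    [pscustomobject]@{ Id = 5136; Meaning = 'A directory service object was modified' }
)
$since = (Get-Date).AddHours(-24)   # look-back window (assumption)

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $expected.Id
        StartTime = $since
    } -ErrorAction SilentlyContinue)

$report = foreach ($e in $expected) {
    $hits = @($events | Where-Object Id -eq $e.Id)
    [pscustomobject]@{
        EventId = $e.Id
        Meaning = $e.Meaning
        Count   = $hits.Count
        Latest  = ($hits | Sort-Object TimeCreated -Descending |
                   Select-Object -First 1).TimeCreated
    }
}
$report | Format-Table -AutoSize

# An ID with zero hits after a test action points at Step 3 (or Step 4 for 5136).
$missing = @($report | Where-Object Count -eq 0)
if ($missing.Count -gt 0) {
    Write-Warning ("No events since {0} for ID(s): {1}" -f $since,
        ($missing.EventId -join ', '))
}
```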

Step 3: Verify and enable the advanced audit policies  

  1. On a domain controller, open Command Prompt in elevated mode and run auditpol /get /category:*.

  2. Verify the following policy settings:

    • For user creation, deletion, enabling, and disabling, navigate to Account Management > Audit User Account Management and set the policy to audit for Success.

    • For user modifications, navigate to DS Access > Audit Directory Service Changes and set the policy to audit for Success.

  3. If the policies are not enabled, use the GPMC to edit the Default Domain Controllers Policy and enable them under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
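To check only the two subcategories that matter here instead of reading the full auditpol listing, the following added example (not from the original article) parses auditpol's CSV output and reports whether each one audits Success. It assumes an English-language OS, because auditpol prints localized subcategory and setting names.

```powershell
# Added example: run elevated on a domain controller (English-language OS assumed).
# Subcategory names as auditpol prints them for the two policies in Step 3.
$required = 'User Account Management', 'Directory Service Changes'

$results = foreach ($name in $required) {
    # /r switches auditpol to CSV output; drop the blank lines it emits around the data.
    $row = auditpol /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv

    [pscustomobject]@{
        Subcategory   = $name
        Setting       = $row.'Inclusion Setting'
        # "Success" and "Success and Failure" both satisfy the requirement.
        AuditsSuccess = [bool]($row.'Inclusion Setting' -match 'Success')
    }
}
$results | Format-Table -AutoSize

# auditpol reports the effective policy on this machine, so a failure here after
# editing the GPO means the policy has not been applied to this domain controller yet.
$notEnabled = @($results | Where-Object { -not $_.AuditsSuccess })
if ($notEnabled.Count -gt 0) {
    Write-Warning ("Success auditing is not enabled for: {0}" -f
        ($notEnabled.Subcategory -join ', '))
}
```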

Step 4: Configure object-level auditing (for modification events)  

To see user modification events (event ID 5136), you must configure the SACL on the objects you wish to monitor:

  1. Open Active Directory Users and Computers.

  2. Click View and ensure that Advanced Features is enabled.

  3. Right-click the domain or the specific OU containing your users, then select Properties.

  4. Navigate to Security > Advanced > Auditing and click Add.

  5. In the Auditing Entry window, configure auditing for the Everyone principal for Success, ensuring the appropriate permissions (such as Write all properties) are selected for Descendant User objects.
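To confirm that the auditing entry actually exists on the container, the SACL can be read back with the ActiveDirectory module. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and uses the domain root as the target, so substitute the distinguished name of your own OU where needed.

```powershell
# Added example: requires the ActiveDirectory module and rights to read the SACL.
Import-Module ActiveDirectory

# Container to inspect. The domain root is an assumption; use your users' OU if different.
$targetDn = (Get-ADDomain).DistinguishedName

# schemaIDGUID of the "user" class: matches entries applied to Descendant User objects.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$everyone  = 'S-1-1-0'   # well-known SID for Everyone (name is localized, SID is not)

# -Audit makes Get-Acl return the SACL as well as the DACL.
$sacl = (Get-Acl -Path "AD:\$targetDn" -Audit).Audit

$matching = @($sacl | Where-Object {
    $sid = $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $sid -eq $everyone -and
    $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
    $_.ActiveDirectoryRights.HasFlag(
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.InheritedObjectType -eq $userClass
})

if ($matching.Count -gt 0) {
    # ObjectType of all zeros means the entry covers all properties.
    $matching | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights,
        InheritanceType, ObjectType, IsInherited | Format-List
} else {
    Write-Warning "No Success audit entry for Everyone with write-property rights on descendant user objects was found on $targetDn."
}
```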

Step 5: Configure the security event log size  

Ensure the event log is large enough to retain events between data collection cycles:

  1. In the GPMC, edit the Default Domain Controllers Policy.

  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  3. Set the Retention method for security log to Overwrite events as needed.

  4. Set the Maximum security log size to a value large enough to hold at least 12 hours of data.
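To see how many hours the current log actually holds before choosing a size, compare the oldest and newest records. This is an added example, not part of the original article; the 90 percent fill threshold used to decide whether the log has started wrapping is an assumption.

```powershell
# Added example: run elevated on a domain controller.
$requiredHours = 12   # minimum retention named in Step 5

$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
$usedPct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

[pscustomobject]@{
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode       = $log.LogMode          # Circular = "Overwrite events as needed"
    RecordCount   = $log.RecordCount
    UsedPercent   = $usedPct
    HoursRetained = [math]::Round($span.TotalHours, 1)
} | Format-List

if ($log.LogMode -ne 'Circular') {
    Write-Warning "Retention method is '$($log.LogMode)', not 'Overwrite events as needed'."
}

# Only a log that is (nearly) full shows its real retention window;
# a half-empty log simply has not wrapped yet. The 90% threshold is an assumption.
if ($usedPct -ge 90 -and $span.TotalHours -gt 0 -and
    $span.TotalHours -lt $requiredHours) {
    $neededMB = [math]::Ceiling(
        ($log.MaximumSizeInBytes * $requiredHours / $span.TotalHours) / 1MB)
    Write-Warning ("Log holds only {0:N1} h of events; about {1} MB is needed for {2} h at the current event rate." -f
        $span.TotalHours, $neededMB, $requiredHours)
}
```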

Step 6: Check for stuck event data files  

If all configurations appear correct but data is still missing, check for unprocessed files on the ADAudit Plus server:

  1. Navigate to the installation directory and check for a large number of files stuck in the following folders:

    • <Home>\ADAudit Plus\eventdata\raw

    • <Home>\ADAudit Plus\eventdata\processed

    • <Home>\ADAudit Plus\eventdata\processed_err

How to reach support  

If the issue persists after following all of the steps above, please contact our support team for further assistance.

Related topics and articles  

  • How to check when a user is added to a security group using ADAudit Plus
