Issue description
In ADAudit Plus, the Configuration Auditing reports provide insights into modifications made to critical Active Directory configurations, including changes to GPOs, audit policies, and domain settings. These reports help administrators monitor and track configuration changes to ensure security and compliance.
However, in some instances, users may find that no data is available under the Configuration Auditing reports. This issue typically arises due to misconfigured auditing policies, insufficient privileges, or communication failures between ADAudit Plus and domain controllers.
This document provides a structured approach to diagnosing and resolving issues related to missing data in the Configuration Changes reports of ADAudit Plus.
Prerequisites
All the domain controllers must be added and configured in ADAudit Plus for auditing.
Event collection should be happening successfully from all the configured domain controllers.
The necessary audit policies need to be configured under Advanced Audit Policy > DS Access > Directory Service Changes > Success. Object-level auditing and the security event log size also need to be configured.
Make sure the event log retention size is set to at least 4GB.
Possible causes
Click the Domain Settings tab at the top-right. Make sure all the domain controllers in Active Directory are configured in ADAudit Plus, including the domain controller on which the change was made.
Check if there is an error in the event collection status for the respective domain controller.
Check if the timestamp of the last event is updated to the latest time for all the domain controllers.
Check if any files are stuck in the raw, processed, or processed_err folders under the ADAudit Plus installation directory > eventdata.
Resolution steps
Step 1: Verify if all the domain controllers are configured in ADAudit Plus
Navigate to the Domain Settings tab in ADAudit Plus.
Confirm that all the domain controllers are configured.
Note: Security logs do not replicate, so it is essential to configure all domain controllers in ADAudit Plus.
Step 2: Check for communication issues
If log collection fails, check for RPC-related errors.
If you encounter the RPC Server Unavailable (Error Code 6ba) error, follow the troubleshooting guide here.
Step 3: Configure audit policies
Check that the audit policies required for the Configuration Auditing category reports are enabled at DS Access > Audit Directory Service Changes and Audit Directory Service Access > Success.
To verify whether the audit policy has been updated correctly, log in to the respective domain controller, launch Command Prompt with administrative privileges, and run the following command:
auditpol /get /category:*
Review the output to confirm that the required audit policy is enabled.
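The check in Step 3 can be scripted rather than read by eye. The following is an added example, not ManageEngine's code: it runs the same command with auditpol's /r (CSV report) switch and reports whether the two DS Access subcategories audit Success. The function name is hypothetical, an English-language OS is assumed (auditpol localizes subcategory names), and the sample rows are constructed.

```powershell
# Added example: verify the DS Access subcategories needed for Configuration Auditing.
# Run from an elevated PowerShell session on the domain controller.
function Test-DsAccessAuditPolicy {
    param(
        # CSV lines in auditpol /r format; defaults to live output of the page's command plus /r
        [string[]]$CsvLines = (auditpol /get /category:* /r)
    )
    $required = 'Directory Service Changes', 'Directory Service Access'

    # auditpol /r can emit blank lines; drop them before parsing the CSV
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    foreach ($name in $required) {
        $row     = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            # Success auditing is on for "Success" and for "Success and Failure"
            SuccessOn   = $setting -in 'Success', 'Success and Failure'
        }
    }
}

# Live check on this domain controller
Test-DsAccessAuditPolicy | Format-Table -AutoSize

# Constructed sample rows (not real output) to exercise the parser offline
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Directory Service Changes,{GUID-PLACEHOLDER},Success,'
    'DC01,System,Directory Service Access,{GUID-PLACEHOLDER},No Auditing,'
)
Test-DsAccessAuditPolicy -CsvLines $sample | Format-Table -AutoSize
```

A row with SuccessOn set to False on any domain controller means changes made on that controller generate no events for the Configuration Auditing reports.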
Step 4: Configuring object-level auditing
Configure the required object-level auditing (SACL) for Configuration Auditing reports:
Log in to any computer that has Active Directory Users and Computers (ADUC) with domain admin credentials and open ADUC.
Click View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in ADUC.
Right-click Domain > Properties > Security > Advanced > Auditing > Add.
In the Auditing Entry window, select a principal: Everyone > Type: Success. Select the appropriate permissions as directed in the table below.
Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.
Auditing entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above)
Configuration | | This object and all child objects | This object and all
Auditing entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above)
Schema | | This object and all child objects | This object and all descendant objects
Auditing entry number | Auditing entries for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above)
1&2 | DNS Zones | | This object and all child objects | This object and all descendant objects
 | | | DNS Zone objects | Descendant DNS Zone objects
3&4 | DNS Nodes | | This object and all child objects | Descendant DNS Zone objects
 | | | DNS Node objects | Descendant DNS Node objects
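To confirm that the auditing entries from Step 4 are actually present, the SACL can be read back with PowerShell. This is an added example, not ManageEngine's code: it assumes the RSAT ActiveDirectory module is installed, uses a hypothetical function name, and covers only the Configuration and Schema naming contexts, which it reads from the RootDSE.

```powershell
# Added example: list Success audit entries for Everyone on the Configuration
# and Schema naming contexts. Reading a SACL needs the
# "Manage auditing and security log" right (domain admins have it by default).
Import-Module ActiveDirectory   # provides the AD: drive and Get-ADRootDSE

function Get-EveryoneSuccessAudit {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # -Audit makes Get-Acl load the SACL in addition to the DACL
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit

    $acl.Audit |
        Where-Object {
            # Compare by well-known SID (S-1-1-0 = Everyone) so the check is locale independent
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $sid -eq 'S-1-1-0' -and
                $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success)
        } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      ActiveDirectoryRights, InheritanceType, InheritedObjectType, IsInherited
}

$root = Get-ADRootDSE
foreach ($dn in $root.configurationNamingContext, $root.schemaNamingContext) {
    $entries = @(Get-EveryoneSuccessAudit -DistinguishedName $dn)
    if ($entries.Count -eq 0) {
        Write-Warning "No Everyone/Success auditing entry found on $dn"
    } else {
        $entries | Format-Table -AutoSize
    }
}
```

An InheritanceType of All corresponds to "This object and all descendant objects" in the Auditing Entry window, and Descendents corresponds to entries that apply to descendant objects only.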
Step 5: Configuring event log settings
Event log size needs to be defined to prevent audit data loss due to events getting overwritten. To configure event log size and retention settings, follow the steps outlined below:
Log in to any computer that has the Group Policy Management Console (GPMC) with domain admin credentials. Open GPMC > right-click Default Domain Controllers Policy > Edit.
Open the Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
Navigate to the right pane. Right-click Retention method for security log > Properties > Overwrite events as needed.
Navigate to the right pane. Right-click Maximum security log size > Define size (preferably 4GB).
Note: Ensure the security event log holds a minimum of 12 hours of data.
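The size and the 12-hour requirement from Step 5 can be checked per domain controller. This is an added example, not ManageEngine's code: the function name and the default thresholds are assumptions taken from the values on this page.

```powershell
# Added example: report Security log size, retention mode and the time span it covers.
function Get-SecurityLogHeadroom {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MinHours = 12,
        # The Event Log policy accepts sizes up to 4194240 KB, slightly under 4 GB
        [long]$MinBytes = 4194240KB
    )
    $log    = Get-WinEvent -ListLog Security -ComputerName $ComputerName
    # Oldest record still in the log; everything before it has been overwritten
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ComputerName $ComputerName
    $hours  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)

    [pscustomobject]@{
        DomainController = $ComputerName
        LogMode          = $log.LogMode        # Circular = "Overwrite events as needed"
        MaxSizeGB        = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
        CurrentSizeGB    = [math]::Round($log.FileSize / 1GB, 2)
        SizeOk           = $log.MaximumSizeInBytes -ge $MinBytes
        HoursCovered     = $hours
        # Only meaningful once the log has filled and started to wrap; on a
        # recently cleared log this reflects the log's age, not its capacity
        RetentionOk      = $hours -ge $MinHours
    }
}

Get-SecurityLogHeadroom | Format-List
```

If HoursCovered falls below 12 on a log that has already reached its maximum size, events can be overwritten before ADAudit Plus collects them, which shows up as gaps in the reports.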
Step 6: Check for stuck files in the eventdata folder
If files are stuck in eventdata/raw or processed, contact ManageEngine support for assistance.