In this article  :

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

In ADAudit Plus, the GPO Management Reports profile provides insights into various computer-related activities, including computer account creation, deletion, modification, disabling, and attribute changes within the Active Directory environment. However, in some cases, users may find that no data is available under the GPO Management Reports profile. This issue typically arises due to misconfigured auditing policies, insufficient permissions, or a failure in event log collection from domain-controllers. This document provides a structured approach to diagnosing and resolving this issue.

Prerequisites  

Before troubleshooting, ensure the following prerequisites are met:

1. All the Domain Controllers must be configured in ADAudit Plus.

2. Required ports and firewall rules are enabled to allow communication between the domain controller and ADAudit Plus.

3. The service account used in ADAudit Plus should be a member of the Event Log Readers group.

4. Required audit policies must be enabled on the Primary Domain Controller and replicated to all required domain controllers.

5. The Event Log retention size should be at least 4 GB to prevent log overwrites.

Possible causes  

1. The domain controller where the computer object change occurred may not be configured in ADAudit Plus.

2. There is a communication failure between ADAudit Plus and the domain controller.

3. The service account lacks the necessary permissions to collect security event logs.

4. Auditing is not enabled on the domain controller.

5. The event log size is too small, causing logs to be overwritten.

6. Files may be stuck in the event data/raw or processed directories of ADAudit Plus.

Resolution

Step 1: Verify domain controller Configuration in ADAudit Plus  

• Navigate to Domain Settings Page in ADAudit Plus

• Confirm if all the domain controllers are configured

Step 2: Check for communication issues  

• If log collection fails, check for RPC-related errors.

• If encountering "RPC Server Unavailable (Error Code 6ba)", follow the troubleshooting guide here.

Step 3: Verify service account permissions  

To check the service account configured in ADAudit Plus:  

1. Go to Domain Settings.

2. Click the dropdown next to the domain name.

3. Select Modify Credentials.

• Grant necessary permissions:

1. Open Active Directory Users and Computers.

2. Navigate to Built-in > Event Log Readers.

3. Right-click Event Log Readers > Members > Add the configured service account

Step 4: Enable auditing for GPO objects on Domain Controllers.

• Enable auditing via Group Policy:

• Open Group Policy Management Console (GPMC).

• Navigate to: Default Domain Controllers Policy :

• Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration >DS Access

• Enable Success for Audit Process Creation and Audit Process Termination.

Step 5: Enable SACLs configured for the domain

Permission Set 1: Group Policy Container Permissions  

• Principal: Everyone

• Type: All

• Access Rights:

• Create groupPolicyContainer objects

• Delete groupPolicyContainer objects

• Applies To:

• This object and all descendant objects

Permission Set 2: Organizational unit permissions  

• Principal: Everyone

• Type: All

• Access Rights:

• Write all properties

• Delete objects

• Modify permissions

• Applies To:

• Descendant groupPolicyContainer objects

Step 6: Configure event log retention  

1. Open Group Policy Management Console (GPMC).

2. Navigate to the relevant policy: Default Domain Controllers Policy 

3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

4. Set 'Retention method' for security log to Overwrite events as needed.

5. Set Maximum security log size to at least 4 GB.

6. Ensure logs retain a minimum of 12 hours of audit data.

Step 7: Check for stuck files in event data folder  

• If files are stuck in event data/raw or processed, contact ManageEngine Support for assistance.

Related topics and articles

https://www.manageengine.com/products/active-directory-audit/help/troubleshooting/event-collection-troubleshooting-general-errors.html  

How to reach support