No data available in LAPS reports

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

Issue description  

In ADAudit Plus, the LAPS Audit Profile provides insights into local administrator password read events, expiry changes, and other security-related activities within the Local Administrator Password Solution (LAPS) environment. However, in some cases, users may find that no data is available under the LAPS Audit Profile. This issue typically arises due to misconfigurations in auditing settings, insufficient privileges, or failures in processing event data. This document provides a structured approach to diagnosing and resolving the issue.

Prerequisites  

Before troubleshooting, ensure the following prerequisites are met:

  • Domain controllers or servers that have LAPS installed must be added and configured in ADAudit Plus.

  • Required ports and firewall rules are enabled to allow communication between Domain controllers and ADAudit Plus.

  • The service account used in ADAudit Plus should be a member of the Event Log Readers group.

  • Auditing should be enabled on the specific Domain Controller or server where LAPS is installed.

  • The event log retention size should be at least 4 GB to prevent log overwrites.

  • If only the Windows LAPS Password report shows no data, it may be due to using an outdated product version, as support for Windows LAPS is available only from build 8500 onward. 

Possible causes  

  • Domain controllers not configured in ADAudit Plus – If the domain controllers that have LAPS installed are not configured, security logs will not be collected.

  • Communication failure between ADAudit Plus and the Domain Controller – RPC-related errors may prevent event log retrieval.

  • Service account lacks necessary permissions – The account must be a member of the Event Log Readers group.

  • Insufficient event log size – Logs may be overwritten if the event log size is too small.

  • Audit policies not enabled – Security audit policies must be properly configured to log events.

  • Stuck files in event data/raw or processed directories – Log files may not be processed due to file processing issues.

  • Outdated product version – Windows LAPS auditing is only available from build 8500 and above.

Resolution  

Step 1: Verify that the domain controllers with LAPS installed are configured in ADAudit Plus

  1. Navigate to Domain Settings in ADAudit Plus.

  2. Confirm that the Domain Controllers (DCs) are configured.

    • Note: Security logs are not replicated between domain controllers, so the domain controllers with LAPS installed must be configured in ADAudit Plus.

Step 2: Check for communication issues  

  • If log collection fails, check for RPC-related errors.

  • If encountering "RPC Server Unavailable (Error Code 6ba)", follow the troubleshooting guide.

Step 3: Verify service account permissions  

To check the service account configured in ADAudit Plus:

  1. Go to Domain Settings.

  2. Click the dropdown next to the domain name.

  3. Select Modify Credentials.

Grant necessary permissions:  

  1. Open Active Directory Users and Computers.

  2. Navigate to Built-in > Event Log Readers.

  3. Right-click Event Log Readers > Members > Add the configured service account.

Step 4: Configure audit policies  

  1. Log in to a computer with the Group Policy Management Console (GPMC) using Domain Admin credentials.

  2. Open GPMC > Right-click Default Domain Controllers Policy > Edit.

  3. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

  4. Right-click the relevant Subcategory, click Properties, and configure the audit event as directed in the table below.

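| Category  | Subcategory                     | Audit events |
|-----------|---------------------------------|--------------|
| DS Access | Audit Directory Service Changes | Success      |
| DS Access | Audit Directory Service Access  | Success      |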

Step 5: Configure event log settings  

Event log size must be properly defined to prevent audit data loss due to overwritten events. To configure:

  1. Log in to a computer with GPMC using Domain Admin credentials.

  2. Open GPMC > Right-click Default Domain Controllers Policy > Edit.

  3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  4. In the right pane, right-click Retention Method for Security Log > Properties > Select Overwrite events as needed.

  5. In the right pane, right-click Maximum Security Log Size > Define size (Preferably 4 GB).

    • Note: Ensure the security event log holds at least 12 hours of data.
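
The settings from Steps 3 to 5 can be confirmed directly on the domain controller that has LAPS installed. The PowerShell below is an added example, not ManageEngine tooling; `svc-adaudit` is a placeholder for the configured service account, and the script assumes the ActiveDirectory module and the English auditpol subcategory names.

```powershell
# Added example: read-only checks for Steps 3-5. Run in an elevated PowerShell
# session on the domain controller that has LAPS installed.
# Assumption: 'svc-adaudit' is a placeholder for the service account shown
# under Domain Settings > Modify Credentials.
$ServiceAccount = 'svc-adaudit'
$MinLogBytes    = 4GB   # log size recommended in Step 5
$MinHours       = 12    # retention window from the Step 5 note

# Step 3: is the service account in Event Log Readers (directly or nested)?
Import-Module ActiveDirectory
$members  = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive
$isReader = $members.SamAccountName -contains $ServiceAccount

# Step 4: effective DS Access audit settings (what the DC actually applies,
# not just what the GPO defines). /r makes auditpol return CSV.
$audit = foreach ($sub in 'Directory Service Changes', 'Directory Service Access') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{
        Check  = "Audit $sub"
        Value  = $row.'Inclusion Setting'
        # 'Success' or 'Success and Failure' both satisfy the table in Step 4.
        Passed = $row.'Inclusion Setting' -like 'Success*'
    }
}

# Step 5: Security log size, retention method, and how far back the log reaches.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$hours  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)

$results = @(
    [pscustomobject]@{ Check = "Event Log Readers contains $ServiceAccount"
                       Value = $isReader; Passed = $isReader }
    $audit
    [pscustomobject]@{ Check = 'Maximum Security log size (GB)'
                       Value = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
                       Passed = $log.MaximumSizeInBytes -ge $MinLogBytes }
    # 'Circular' is the log mode behind "Overwrite events as needed".
    [pscustomobject]@{ Check = 'Retention method'
                       Value = $log.LogMode; Passed = $log.LogMode -eq 'Circular' }
    [pscustomobject]@{ Check = 'Hours of events retained'
                       Value = $hours; Passed = $hours -ge $MinHours }
)
$results | Format-Table -AutoSize
```

A low "Hours of events retained" value only indicates overwriting when the log is already at its maximum size; a recently cleared log reports a short span as well.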

Step 6: Check for stuck files in event data folder  

If files are stuck in event data/raw or processed, contact ManageEngine Support for assistance.

Step 7: Ensure the ADAudit Plus product version is 8500 or higher (only for Windows LAPS auditing)

  • Windows LAPS auditing was introduced in ADAudit Plus build 8500.

  • Upgrade the product if the current version is lower.

Related topics and articles  

How to reach support  

If the issue persists, contact our support team here.
