In this article         

• Issue description

• Possible causes

• Prerequisites

• Resolution

• Related topics and articles

• When and how to contact support

 Issue description 

The Local Account Management reports in ADAudit Plus display "No Data Available," preventing the monitoring and auditing of local user account changes. This issue may occur due to missing prerequisites, misconfigured audit policies, or insufficient permissions assigned to the service account.  

 Prerequisites 

• Ensure the monitored system is added and configured in ADAudit Plus.

• Verify that the ADAudit Plus service account has the necessary privileges for local account management auditing.

• Confirm that the required audit policies are enabled to track local account management events.

• Ensure the Event Log size is sufficient to retain logs before collection.

 Possible causes 

• Insufficient privileges The service account lacks the necessary permissions to collect event logs.

• Log Collection Failure Required RPC ports (135, dynamic ports 49152-65535) are open bidirectionally or at least inbound on the target server. Windows Firewall allows Remote Event Log Management and COM+ Network Access (DCOM-In).

• Event Log Retention Issue Security logs are being overwritten before ADAudit Plus can collect them.

• Unable to Log Events to Security Log (Event ID 521) Security log is full, event logging is disabled, or system audit policies are misconfigured.

• Audit Policies Not Enabled Local account management audit policies are not configured correctly.

 Resolution  

Insufficient privileges   

• Ensure that the service account configured in ADAudit Plus has the required privileges to collect and report File modification events. If the necessary permissions are not assigned, event logs may not be captured.

https//www.manageengine.com/products/active-directory-audit/help/quickstart/privileges-required-for-ad-windows-server-workstation-audit.html

Fix log collection failure (RPC Service Unavailable)  

Ensure the required ports are enabled in the Firewall rules.

`The required ports are listed below

• COM+ Network Access (DCOM-In)

• • Remote Event Log Management( RPC)

• • Remote Event Log Management( NP-IN)

• • Remote Event Log Management( RPC-EPMAP)

To enable

• Open Windows Defender Firewall and navigate Advanced Security.

• Navigate to Inbound Rules.

• Locate and enable the required rules.

https//www.manageengine.com/products/active-directory-audit/help/quickstart/ports.html

Validate and test the event log retention settings  

• Ensure the maximum log size is set to at least 4GB.

• Open GPMC 

• Edit the <ADAuditPlusPolicy> GPO  Navigate to

• Open Computer Configuration

• Navigate to Policies

• Click on Windows Settings

• Open the Security Settings

• Then open the Event Log

• Navigate to the right pane, Right click on Retention method for security log navigate to Properties, set Overwrite events as needed.

• Navigate to the right pane, Right click on Maximum security log size, Define size to hold 12 hours of data.

https//www.manageengine.com/products/active-directory-audit/help/data-source/windows-server-audit-configure-event-log-settings.html

    Fix Event ID 521 (Unable to log events to security log)
Since ADAudit Plus relies on Event Viewer, it only retrieves the events logged there. If Event ID 521 appears, it indicates that the system failed to log security events.

 Possible causes 

 Security log full 

• Open Event Viewer

• Navigate to Windows Logs

• Security.

• Check if the log size has reached its limit.

• Increase the maximum log size in GPMC as described in Step 2.

 Event logging is disabled 

• Open Command Prompt as an Administrator.

• Run auditpol /get /category*

• Ensure that Audit Policy Change is enabled.

 Windows event log service not running 

• Open Run (Win + R), type services.msc, and press Enter.

• Locate Windows Event Log service, ensure it is running and set to Automatic.

For more details, refer to Microsoft's official documentation on Event ID 521.

 Ensure required audit policies are enabled
  For Event Viewer to capture account management events, audit policies must be enabled.

Steps to enable audit policies

1. Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.

2. Open GPMC and navigate to

• ADAuditPlusMSPolicy or ADAuditPlusWSPolicy (for local account auditing)

3. Right-click the policy and select Edit.

Required Audit Policies

https//www.manageengine.com/products/active-directory-audit/help/data-source/windows-server-audit-configure-audit-policies-manually.html

 Related topics & documentation 

• Steps to Enable Required Audit Policies

• Configuring Event Log Settings

• Understanding Windows Security Log Event ID 521

• Required privileges for service account configuredConfiguring

• Ports guide    

Related topics  

• General Event Collection Troubleshooting Event Collection Troubleshooting - General Errors

When and where to reach Support