In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• How to reach support

Issue description  

In ADAudit Plus, the User Logon Reports profile provides insights into domain controller-based authentication for user accounts, including logon success, logon failure, and in-depth logon failure analysis within the Active Directory environment. However, in some cases, users may find that no data is available under the User Logon Reports profile. This issue typically arises due to misconfigured auditing policies, insufficient permissions, or a failure in event log collection from Domain Controllers. This document provides a structured approach to diagnosing and resolving this issue.

Prerequisites  

Before troubleshooting, verify that the following prerequisites are met.

• All Domain Controllers (DCs) must be configured in ADAudit Plus.

• Required ports and firewall rules are enabled to allow communication between the Domain controller and ADAudit Plus.

• The service account used in ADAudit Plus should be a member of the Event Log Readers group.

• Auditing must be enabled on the Primary Domain Controller (PDC) and replicated to all required domain controllers.

• The Event Log retention size should be at least 4 GB to prevent log overwrites.

Possible Causes  

• The Domain Controller where the user authentication took place is not added or configured in ADAudit Plus.

• There is a communication failure between ADAudit Plus and the Domain Controller.

• The service account lacks necessary permissions to collect security event logs.

• Auditing is not enabled on the Domain Controller.

• The event log size is too small, causing logs to be overwritten.

• Files may be stuck in the event data/raw or processed directories of ADAudit Plus.

Resolution  

Step 1: Verify Domain Controller Configuration in ADAudit Plus  

1. Navigate to Domain Settings in ADAudit Plus.

2. Confirm that all Domain Controllers are properly configured.

Step 2: Check for Communication Issues  

1. If log collection fails, check for RPC-related errors.

2. If encountering "RPC Server Unavailable (Error Code 6ba)", follow the troubleshooting guide.

Step 3: Verify Service Account Permissions  

1. Check the Service Account Configured in ADAudit Plus:

• Go to Domain Settings.

• Click the dropdown next to the domain name.

• Select Modify Credentials.

2. Grant necessary permissions:

• Open Active Directory Users and Computers.

• Navigate to Built-in > Event Log Readers.

• Right-click Event Log Readers > Members > Add the configured service account.

Step 4: Enable Auditing for Computer Objects on Domain Controllers  

1. Verify Audit Kerberos Authentication Service audit policy under Account Logon:

• Open Command Prompt as Administrator and run:

• auditpol /get /category:*

• If disabled, proceed with the next steps.

2. Enable auditing via Group Policy:

• Open Group Policy Management Console (GPMC).

• Navigate to Default Domain Controllers Policy:

• Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon.

• Enable Success and Failure for Audit Kerberos Authentication Services.

Step 5: Configure Event Log Retention  

1. Open Group Policy Management Console (GPMC).

2. Navigate to Default Domain Controllers Policy:

• Go to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

• Set 'Retention method' for security log to Overwrite events as needed.

• Set Maximum security log size to at least 4 GB.

• Ensure logs retain a minimum of 12 hours of audit data.

Step 6: Check for Stuck Files in Event Data Folder  

• If files are stuck in event data/raw or processed directories, contact ManageEngine Support for assistance.

Related Topics and Articles  

• Event Collection Troubleshooting - General Errors

How to Reach Support