No data available in Permission Changes reports

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

 

Issue description

In ADAudit Plus, the Permission Changes reports provide insights into modifications made to file and folder permissions, helping administrators track unauthorized access changes, ensure compliance, and enhance data security. These reports capture events related to permission assignments, removals, and modifications across monitored resources.

However, in some instances, users may find that no data is available under the Permission Changes reports. This issue typically arises due to misconfigured auditing policies, insufficient privileges, or a lack of necessary event logs from monitored file servers.

This document provides a structured approach to diagnosing and resolving issues related to missing data in the Permission Changes reports.

Prerequisites

  • All the domain controllers must be added and configured in ADAudit Plus for auditing.

  • Event collection should be happening successfully from all the configured domain controllers.

  • Necessary audit policies need to be configured under Advanced Audit Policy > DS Access > Directory Services Changes > Success. Object-level auditing and security event log size need to be configured.

  • Make sure the event log retention size is set to at least 4GB.

Possible causes

  • Not all the domain controllers are configured in ADAudit Plus.

  • There is no communication from the product server to the respective machine.

  • The required privileges are not provided for the service account.

  • Audit policy or object-level auditing might not be enabled.

  • The event log size is too small.

  • Files are stuck under <installation directory>/ADAudit Plus/event data/raw or processed.

Resolution  

Step 1: Verify if all the domain controllers are configured in ADAudit Plus  

    • Navigate to the Domain Settings tab in ADAudit Plus.

    • Confirm that all the domain controllers are configured.

 

Note: Security logs do not replicate, so it is essential to configure all domain controllers in ADAudit Plus.

Step 2: Check for communication issues  

  • If log collection fails, check for RPC-related errors.

  • If encountering the RPC Server Unavailable (Error Code 6ba) error, follow the troubleshooting guide here.

 

Step 3: Verify service account permissions  

To check the service account configured in ADAudit Plus:  

  • Go to Domain Settings.

  • Click the drop-down next to the domain name.

  • Select Modify Credentials.

Grant necessary permissions

    • Open Active Directory Users and Computers.

    • Navigate to Built-in > Event Log Readers.

    • Right-click Event Log Readers > Members > add the configured service account.

Step 4: Configure audit policies

  • Log in to any computer that has the Group Policy Management Console (GPMC), with domain admin credentials > open GPMC > right-click Default Domain Controllers Policy > Edit.

  • Open the Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy > double-click the relevant policy setting.

  • Navigate to the right pane > right-click the relevant subcategory > click Properties > select Success, Failure, or both as directed in the document.

  • Under the DS Access category, set Directory Services Changes to Success.

 

Step 5: Configure object-level auditing (SACL)

Configure auditing for OUs, containers, GPOs, users, groups, computers, schemas, configuration, and DNS objects.

  • Log in to any computer that has Active Directory Users and Computers (ADUC) with domain admin credentials and open ADUC.

  • Click View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in ADUC.

  • Right-click Domain > Properties > Security > Advanced > Auditing > Add.

  • In the Auditing Entry window, select a principal: Everyone > Type: Success. Select the appropriate permissions as directed in the table below.

 

Auditing entry: OU, container, GPO, user, group, computer, schema, configuration, and DNS

  • Access: Modify Permissions

  • Apply onto (Windows Server 2003): OU, container, GPO, user, group, computer, schema, configuration and DNS objects

  • Apply onto (Windows Server 2008 and above): Descendant OU objects, descendant container object, descendant group objects, descendant user objects, descendant GPO objects, descendant computer objects, descendant schema objects, descendant configuration objects, and descendant DNS objects

 

Step 6: Configuring event log settings

Event log size needs to be defined to prevent audit data loss due to events getting overwritten. To configure event log size and retention settings, follow the steps outlined below:

  • Log in to any computer that has the Group Policy Management Console (GPMC) with domain admin credentials. Open GPMC > right-click on Default Domain Controllers Policy > Edit.

  • Open the Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  • Navigate to the right pane > right-click Retention method for security log > Properties > Overwrite events as needed.

  • Navigate to the right pane > right-click Maximum security log size > Define size (preferably 4GB).

Note: Ensure the security event log holds a minimum of 12 hours of data.

 

Step 7: Check for stuck files in the eventdata folder  

  • If files are stuck in eventdata/raw or processed, contact ManageEngine support for assistance.
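
The settings from Steps 3 to 6 can be confirmed from PowerShell on each domain controller. The script below is an added example, not part of the original article or of ADAudit Plus. The account name svc-adaudit is a placeholder, and the script assumes an English-language OS, the ActiveDirectory module, and the auditpol subcategory name "Directory Service Changes".

```powershell
# Added example: read-only checks for Steps 3-6. Run on each domain controller
# in an elevated session; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$ServiceAccount = 'svc-adaudit'   # placeholder: service account shown under Modify Credentials
$MinLogBytes    = 4194240KB       # largest size the Group Policy setting accepts (just under 4 GB)
$MinHours       = 12              # minimum history from the Step 6 note

# Step 3: service account in Builtin\Event Log Readers (directly or via a nested group)
$inReaders = [bool](Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
    Where-Object SamAccountName -eq $ServiceAccount)

# Step 4: Success auditing for the DS Access subcategory. auditpol calls it
# "Directory Service Changes"; its output is localized, so this assumes an English OS.
$policyLine = auditpol /get /subcategory:"Directory Service Changes" |
    Select-String 'Directory Service Changes'
$auditOn = [bool]($policyLine -match 'Success')

# Step 5: SACL on the domain root audits Everyone (S-1-1-0) for successful
# "Modify permissions", which the ACL stores as the WriteDacl right.
$domainDN = (Get-ADDomain).DistinguishedName
$saclOk = [bool]((Get-Acl -Path "AD:\$domainDN" -Audit).Audit | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
    $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)
})

# Step 6: log size, overwrite mode, and how far back the oldest retained event goes
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$hours  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)

[pscustomobject]@{
    DomainController  = $env:COMPUTERNAME
    InEventLogReaders = $inReaders
    DSChangesSuccess  = $auditOn
    ModifyPermsSacl   = $saclOk
    LogMaxBytes       = $log.MaximumSizeInBytes
    LogSizeOk         = $log.MaximumSizeInBytes -ge $MinLogBytes
    OverwriteAsNeeded = $log.LogMode -eq 'Circular'
    HoursOfHistory    = $hours
    HistoryOk         = $hours -ge $MinHours
}
```

A recently cleared Security log reports few hours of history even when its size is adequate, so read HistoryOk together with LogSizeOk. Because security logs do not replicate, a False value on any one domain controller is enough to leave gaps in the reports.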

Related topics and articles  

 How to reach support 

If the issue persists, contact our support team here
