In this article
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
When and how to reach support
Issue description
The PowerShell auditing report in ADAudit Plus does not display any data, even though there has been PowerShell activity within the domain. This issue can arise from misconfigurations, missing prerequisites, or insufficient permissions that prevent ADAudit Plus from collecting the relevant event logs from the monitored servers.
Prerequisites
Make sure the PowerShell auditing feature is enabled in ADAudit Plus (it is disabled by default).
Ensure that the required audit policies are configured and applied to the monitored servers.
Verify connectivity between the ADAudit Plus server and the monitored servers.
Ensure the necessary permissions are assigned to the service account configured in ADAudit Plus.
Possible causes
Servers not configured / data not collected: the server on which PowerShell activity should be audited has not been added to ADAudit Plus, or event data retrieval from it is failing.
GPO misconfiguration: the required audit policies (module logging and script block logging) are not applied to the servers where PowerShell activity is to be audited.
Event log retention: the PowerShell event log is too small, so events are overwritten before ADAudit Plus can fetch them.
Insufficient permissions: the service account configured in ADAudit Plus lacks the privileges required to read event logs from the designated servers.
PowerShell auditing disabled: PowerShell auditing is turned off in ADAudit Plus, so no event data is collected.
Unable to log events to the security log (Event ID 521): Windows itself is unable to write events to the security log, so there is nothing for ADAudit Plus to collect.
Resolution
Step 1 Servers not configured / yet to fetch event data
Servers not configured: verify that the domain controller or member server intended for PowerShell activity auditing has been configured in the product.
Yet to fetch eventdata [Master data]
Step 2 GPO misconfiguration
Verify and configure the required audit policies given below for PowerShell auditing.
For module logging
Remote into any one of the domain controllers with domain admin credentials and open the Group Policy Management Console (GPMC).
Based on your setup, edit the
Default Domain Controllers Policy to enable module logging on a DC.
ADAuditPlusMSPolicy to enable module logging on a Windows member server.
In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. In the right pane, right-click Turn on Module Logging and set it to Enabled.
In the Options pane, click Show. In the Module Names window, enter * to record all modules, and press OK.
For script block logging
Remote into any one of the domain controllers with domain admin credentials and open the Group Policy Management Console (GPMC).
Based on your setup, edit the
Default Domain Controllers Policy to enable script block logging on a DC.
ADAuditPlusMSPolicy to enable script block logging on a Windows member server.
In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. In the right pane, right-click Turn on PowerShell Script Block Logging and set it to Enabled.
Step 3 Event log retention
Verify and configure the maximum size of the PowerShell operational log (about 150 MB, as set below) so that events are not overwritten before ADAudit Plus fetches them.
Remote into any one of the domain controllers with domain admin credentials and open the Group Policy Management Console (GPMC).
Based on your setup, edit the
Default Domain Controllers Policy to set the log size on a DC.
ADAuditPlusMSPolicy to set the log size on a Windows member server.
In the Group Policy Management Editor, go to Computer Configuration > Preferences > Windows Settings, and right-click Registry > New > Registry Item.
In the New Registry Properties wizard, set the following and click Apply:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational
Value name: uncheck Default and type MaxSize
Value type: REG_DWORD
Value data: 153616384
Base: Decimal
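Once the policies from Steps 2 and 3 have been applied (run gpupdate /force on the target first), the quickest way to confirm they actually took effect is to read the resulting registry policy keys and the log channel settings directly on the monitored server. The following script is an added example and is not part of the ADAudit Plus documentation; it checks module logging, script block logging, the PowerShell operational log size against the value used in Step 3, and whether any 4103 (module logging) or 4104 (script block logging) events have been written in the last 24 hours. Run it elevated on the DC or member server being audited.

```powershell
# Added example, not ADAudit Plus code: verify that the PowerShell audit policies
# from Steps 2 and 3 are effective on this server. Run elevated after gpupdate /force.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Step 2a: "Turn on Module Logging" writes EnableModuleLogging=1 and a ModuleNames subkey.
$mod      = Get-ItemProperty -Path "$policyRoot\ModuleLogging"             -ErrorAction SilentlyContinue
$modNames = Get-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
$moduleLoggingOn = ($mod.EnableModuleLogging -eq 1)
# The '*' entered in the Module Names window appears as a value named '*'.
$allModulesLogged = [bool]$modNames -and ($modNames.PSObject.Properties.Name -contains '*')

# Step 2b: "Turn on PowerShell Script Block Logging" writes EnableScriptBlockLogging=1.
$sbl = Get-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
$scriptBlockLoggingOn = ($sbl.EnableScriptBlockLogging -eq 1)

# Step 3: the MaxSize registry item is reflected in the channel's MaximumSizeInBytes.
$channel       = 'Microsoft-Windows-PowerShell/Operational'
$log           = Get-WinEvent -ListLog $channel
$expectedBytes = 153616384   # value from Step 3 of this article

# Are events actually arriving? 4103 = module logging, 4104 = script block logging.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = $channel
    Id        = 4103, 4104
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 500 -ErrorAction SilentlyContinue   # no events -> $null, not an error

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    ModuleLogging      = $moduleLoggingOn
    AllModulesLogged   = $allModulesLogged
    ScriptBlockLogging = $scriptBlockLoggingOn
    ChannelEnabled     = $log.IsEnabled
    MaxSizeBytes       = $log.MaximumSizeInBytes
    MaxSizeMeetsStep3  = ($log.MaximumSizeInBytes -ge $expectedBytes)
    LogMode            = $log.LogMode            # Circular = overwrite as needed
    Events4103Last24h  = @($recent | Where-Object Id -eq 4103).Count
    Events4104Last24h  = @($recent | Where-Object Id -eq 4104).Count
} | Format-List
```

If ModuleLogging or ScriptBlockLogging reports False, the GPO has not reached this machine: check the scope of the policy you edited (Default Domain Controllers Policy for DCs, ADAuditPlusMSPolicy for member servers) and the output of gpresult /r before looking at ADAudit Plus itself. If both are True but the 4103/4104 counts stay at zero, run any PowerShell command on the server and re-run the script; a count that rises confirms Windows is logging and narrows the problem to collection.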
Insufficient Permissions
Ensure that the service account configured in ADAudit Plus has the permissions required to read event logs from the monitored servers, and grant any missing ones.
Step 4 Log collection failure: follow the documentation for resolving either the "Access denied" or the "RPC server is unavailable" error to fix log collection issues.
RPC server is unavailable
Enable the following Inbound Rules on the target server
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
COM+ Network Access (DCOM-In)
To enable
Open Windows Defender Firewall with Advanced Security.
Navigate to Inbound Rules.
Locate and enable the required rules.
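The same four rules can be enabled from an elevated PowerShell session on the target server, and the collector's remote read can then be reproduced from the ADAudit Plus server to tell an "Access denied" failure apart from an "RPC server is unavailable" one. The script below is an added example and is not part of the ADAudit Plus documentation; the server name DC01.example.com and the service account name are placeholders you must replace with your own.

```powershell
# Added example, not ADAudit Plus code.
# Part A: run elevated ON THE TARGET SERVER to enable the inbound rules from Step 4.
$ruleNames = @(
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',
    'COM+ Network Access (DCOM-In)'
)
Get-NetFirewallRule -DisplayName $ruleNames | Enable-NetFirewallRule
Get-NetFirewallRule -DisplayName $ruleNames |
    Select-Object DisplayName, Enabled, Profile, Direction

# Part B: run FROM THE ADAUDIT PLUS SERVER as the configured service account
# (for example: runas /user:EXAMPLE\svc_adauditplus powershell  -- placeholder name)
# to reproduce the remote event log read that the collector performs.
$target = 'DC01.example.com'   # placeholder: the monitored DC or member server

# The RPC endpoint mapper (TCP/135) must be reachable before any log can be read.
Test-NetConnection -ComputerName $target -Port 135 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

try {
    Get-WinEvent -ComputerName $target `
                 -LogName 'Microsoft-Windows-PowerShell/Operational' `
                 -MaxEvents 1 -ErrorAction Stop |
        Select-Object MachineName, Id, TimeCreated
    "OK: remote read of the PowerShell log on $target succeeded"
}
catch {
    $msg = $_.Exception.Message
    if ($msg -match 'RPC server is unavailable') {
        "RPC UNAVAILABLE on ${target}: confirm the four inbound rules above are enabled and TCP/135 is reachable"
    }
    elseif ($msg -match 'unauthorized|access is denied') {
        "ACCESS DENIED on ${target}: the service account lacks event log read rights on this server"
    }
    elseif ($msg -match 'No events were found') {
        "CONNECTED, but the log is empty: revisit Step 2 (audit policies) on $target"
    }
    else { throw }
}
```

Running Part B under the service account matters: a test from your own admin session can succeed while the collector still fails, because the firewall rules are only half of the path and the account's rights on the remote event log are the other half (see the Insufficient Permissions item above).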
Step 5 PowerShell auditing disabled
Make sure PowerShell auditing is enabled in ADAudit Plus, as it is disabled by default.
Log in to the ADAudit Plus web console.
Navigate to Support tab > Click on the More hyperlink under "Support info".
Under Configuration, click on the "Enable/Disable Configuration Settings" dropdown.
Enable Powershell Auditing.
Open services.msc in the ADAudit Plus server > Restart the ManageEngine ADAudit Plus service.
Step 6 Unable to log events to security log (Event ID 521)
Event ID 521 is logged by Windows itself when it is unable to write events to the security log. ADAudit Plus only retrieves events that Windows has already written to Event Viewer, so it cannot fix this condition; it can only surface the high number of Event ID 521 entries. The steps below are possible resolutions, but they may not fully resolve the issue. If the problem persists, we recommend further investigation with Microsoft's assistance.
Possible Resolution Steps
Restart the Windows Event Log service.
Restart the affected server.
Check the security log retention settings to ensure the maximum log size is sufficient and configured to overwrite as needed.
If you receive the error "A security package specific error occurred":
This is a native Windows error that typically occurs when the same SPN is registered to multiple machines or there is a conflicting IP address. Ensure that the domain controller showing the error has both a forward (A) and a reverse (PTR) lookup entry in DNS.
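Before escalating to Microsoft, it helps to gather the facts that Step 6 asks about in one pass on the affected domain controller: how many Event ID 521 entries there are and what they say, the security log's size and overwrite mode, whether the DC's forward and reverse DNS entries agree, and whether any SPN is registered more than once. The following script is an added example and is not part of the ADAudit Plus documentation; it assumes it is run elevated on the affected DC and that $env:USERDNSDOMAIN is that DC's domain.

```powershell
# Added example, not ADAudit Plus code: triage Event ID 521 on the affected DC.
# Run elevated on that domain controller.
$dc = $env:COMPUTERNAME

# 1. How often is the Security log failing to write, and what does Windows report?
$ev521 = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 521
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue   # no events -> $null, not an error
"Event ID 521 entries in the last 24h: $(@($ev521).Count)"
$ev521 | Select-Object -First 3 TimeCreated, Message | Format-List

# 2. Security log retention (Step 6, third bullet): size and overwrite behaviour.
#    LogMode 'Circular' means overwrite as needed; IsLogFull = True with another
#    mode is a classic reason the log stops accepting events.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsLogFull, RecordCount

# 3. Forward and reverse DNS must agree for this DC (see the SPN/IP conflict note).
$fqdn = "$dc.$env:USERDNSDOMAIN"   # assumption: the DC's FQDN is in the user's domain
$aRecords = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Where-Object IPAddress
foreach ($a in $aRecords) {
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FQDN      = $fqdn
        IPAddress = $a.IPAddress
        PTR       = $ptr.NameHost
        Consistent = ($ptr.NameHost -and $ptr.NameHost.TrimEnd('.') -ieq $fqdn)
    }
}

# 4. Duplicate SPNs across the forest: the usual trigger of
#    "A security package specific error occurred". Output lists any SPN
#    registered on more than one account; resolve those before retrying.
setspn -X -F
```

A PTR that is missing or points to a different host, or any SPN listed by setspn -X, is something to fix in DNS or Active Directory rather than in ADAudit Plus; the product will start receiving security events again only once Windows can write them.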
Related topics and KB articles
PowerShell auditing audit policy configuration guide
https://www.manageengine.com/products/active-directory-audit/help/usecase/powershell-audit-configure-audit-policies-manually.html
Configure event log settings
https://www.manageengine.com/products/active-directory-audit/help/usecase/powershell-audit-configure-event-log-settings.html
Unable to Log Events to Security Log (Event ID 521)
Understanding Windows Security Log Event ID 521
Microsoft's official help document explaining the Event ID 521 issue
When to contact support
If all the necessary audit policies are applied and PowerShell activity events are visible in Event Viewer, but the ADAudit Plus report still shows no data.
If PowerShell auditing cannot be enabled in the ADAudit Plus web console.
How to contact
If the issue persists, contact our support team here.