No data available under AD LDS Auditing reports

In this article:

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to contact support

Issue description  

This article provides troubleshooting guidance for scenarios where no data is displayed under Active Directory Lightweight Directory Services (AD LDS) Auditing reports in ADAudit Plus. It outlines potential causes, verification steps, and resolutions to ensure successful auditing and logging of AD LDS activities.

Prerequisites  

  • The machine where AD LDS activities occur must be properly configured in ADAudit Plus.

  • Ensure there is proper communication between the product server and the respective machine.

  • The service account must have the necessary privileges assigned to prevent access denial errors.

  • Audit policies required for logging AD LDS events must be enabled.

  • The System Access Control List (SACL) must be properly configured on LDS objects.

  • The LDS service account must have the Generate Security Audit privilege assigned.

  • Ensure event log settings are correctly configured to prevent the overwriting of security logs.

Possible causes

  • The machine where AD LDS activities take place is not configured in ADAudit Plus.

  • There's no communication between the product server and the respective machine (RPC error).

  • Required privileges are not assigned to the service account (Access Denied error).

  • Encountering a security package-specific error.

  • Group Policy settings are not correctly applied.

  • SACL is not configured on LDS objects.

  • The LDS service account lacks the Generate Security Audit privilege.

  • Audit policies required for logging LDS events are not enabled.

  • Event log settings are misconfigured, leading to overwriting of security logs.

Resolution  

Step 1. Ensuring all machines that carry out AD LDS activities are configured in ADAudit Plus  

  1. Log in to ADAudit Plus.

  2. Navigate to Domain Settings and confirm that all the DCs where AD LDS activities occur are properly configured.

  3. Since the AD LDS role can also be enabled on a server, go to the Server Audit tab > Member Server and ensure that any servers hosting AD LDS activities are also configured.

Step 2. Ensuring communication from product server to respective machine  

Step 3. Assigning required privileges to the service account  

  1. Log in to the domain controller or a machine where Active Directory Users and Computers (ADUC) is accessible.

  2. In the Builtin container, right-click the Event Log Readers group and select Members.

  3. Add the configured service account (used under Domain Settings in ADAudit Plus) to this group.

Step 4. Resolving a security package-specific error

This is a native Windows error caused by conflicting IP addresses or by multiple machines sharing the same SPN.

Ensure that the corresponding domain controller has forward and reverse lookup entries in DNS.

Step 5. Configuring Group Policy for AD LDS auditing  

  1. Log in to a system with Group Policy Management Console (GPMC) access using domain admin credentials.

  2. Open GPMC (gpmc.msc).

  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy.

  4. Locate and enable the following policies under DS Access:

      • Audit Directory Service Access - Success

      • Audit Directory Service Changes - Success

  5. Apply the Group Policy by running the following command in an elevated Command Prompt: gpupdate /force.

  6. Verify the applied policies using auditpol /get /category:*.

Note: For domain-joined LDS servers, these policies can be configured in a domain-level GPO. To target only specific LDS servers, place them in an organizational unit and configure the settings in a GPO linked to that OU.

Step 6. Configuring SACLs for Directory Service Access Auditing  

If there are discrepancies in the events logged within AD LDS reports, configure SACLs for Directory Service Access Auditing.

  1. Use LDP.exe to set SACLs:

    • Open LDP.exe and bind to the LDS instance using an account with administrative rights.

    • Navigate to the target object within LDS.

    • Right-click the object and select Advanced > Security Descriptor.

    • Check the SACL box and click OK.

    • Click Add ACE and configure:

      • Trustee account (user/group to be monitored).

      • Operations/attributes to audit (success/failure events).

      • Propagation settings for child objects.

    • Click OK and Update.

Note: If running Windows Server 2003 ADAM, it only generates DS-style audits (Event ID 566). Windows Server 2008 and above allows auditing of actual values written.

Step 7. Assigning the Generate Security Audit right to the LDS service account so it can seamlessly perform actions over LDS

  1. Log in to a system with Group Policy Management Console access using Domain Admin credentials.

  2. Open GPMC (gpmc.msc).

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  4. Locate and configure Generate Security Audit. If LDS runs under Network Service or Local System, no changes are needed.

  5. If using a custom service account, manually assign this right to the service account.

Step 8. Configuring event log settings  

  1. Open GPMC.

  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

  3. Configure the following:

    • Retention method for security log: set to Overwrite events as needed.

    • Maximum security log size: set to 4GB.

Note: Ensure that the Security Event Log holds a minimum of 12 hours of audit data to prevent loss of crucial logs.

Step 9. Handling stuck event data files  

  • If files are stuck under <Installation_Directory>/ADAudit Plus/event data/raw or processed, contact ManageEngine support for further assistance.
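The following PowerShell checks, added here and not part of the original article, verify on the AD LDS host the settings that Steps 4, 5, 7 and 8 ask for: the two DS Access audit subcategories, the Security log size, retention and 12-hour coverage, the Generate security audits right for a custom service account, and matching forward and reverse DNS records. It assumes an elevated session, English subcategory names, and a placeholder service account ($LdsServiceAccount) that must be replaced with the account the LDS instance actually runs under.

```powershell
# Added example, not part of the ADAudit Plus article: run in an elevated
# PowerShell session on the AD LDS host to check Steps 4, 5, 7 and 8 above.
# $LdsServiceAccount is a placeholder for the account the LDS instance runs as.
$LdsServiceAccount = 'CONTOSO\svc-adlds'
$findings = New-Object System.Collections.Generic.List[string]

# Step 5: both DS Access subcategories must audit Success (auditpol /r emits CSV).
foreach ($sub in 'Directory Service Access', 'Directory Service Changes') {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        $findings.Add("Audit policy '$sub' is '$($row.'Inclusion Setting')', expected Success")
    }
}

# Step 8: Security log must be 4 GB and 'Overwrite events as needed' (LogMode Circular).
$secLog = Get-WinEvent -ListLog Security
if ($secLog.LogMode -ne 'Circular') { $findings.Add("Security log retention is $($secLog.LogMode), expected Circular") }
if ($secLog.MaximumSizeInBytes -lt 4GB) {
    $findings.Add("Security log max size is $($secLog.MaximumSizeInBytes / 1MB) MB, expected 4096 MB")
}
# The note asks for at least 12 hours of retained audit data: check the age of the oldest record.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$hours = ((Get-Date) - $oldest.TimeCreated).TotalHours
if ($hours -lt 12) { $findings.Add("Security log spans only $([math]::Round($hours, 1)) hours") }

# Step 7: a custom service account needs SeAuditPrivilege ('Generate security audits').
# secedit lists holders as *SID; Local System (S-1-5-18) and Network Service (S-1-5-20) need no change.
$sid = (New-Object System.Security.Principal.NTAccount($LdsServiceAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
if ($sid -notin 'S-1-5-18', 'S-1-5-20') {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = ((Get-Content $cfg) -match '^SeAuditPrivilege') -join ','
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($rights -notmatch [regex]::Escape("*$sid")) {
        $findings.Add("$LdsServiceAccount lacks 'Generate security audits' (SeAuditPrivilege)")
    }
}

# Step 4: forward (A) and reverse (PTR) DNS entries for this host must agree.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
try {
    $ip  = (Resolve-DnsName $fqdn -Type A -ErrorAction Stop | Where-Object IPAddress)[0].IPAddress
    $ptr = (Resolve-DnsName $ip -Type PTR -ErrorAction Stop).NameHost
    if ($ptr -notcontains $fqdn) { $findings.Add("PTR for $ip is '$ptr', expected $fqdn") }
} catch { $findings.Add("DNS lookup failed for ${fqdn}: $_") }

if ($findings.Count -eq 0) { 'All checked AD LDS auditing prerequisites look correct.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line names the step above whose instructions fix it; a clean run means the host-side prerequisites are in place and the remaining suspects are Steps 1, 2, 3 and 6.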

Related topics and articles

How to contact support    

If AD LDS logs are still missing after trying the above steps, contact our support team here.
