Issue description
This issue occurs when ADAudit Plus is unable to collect logs related to policy changes auditing. This can be due to configuration issues, permission restrictions, or missing audit policies.
Prerequisites
Ensure the monitored server is added and configured in ADAudit Plus.
The ADAudit Plus service account must have the necessary permissions to read security event logs.
Required RPC ports (135, 49152-65535) must be open bidirectionally or at least inbound on the target server.
Confirm that the required audit policies are enabled to track Policy Changes events.
Ensure the event log size is set to at least 4 GB to prevent log overwrites.
Possible causes
Insufficient or incorrect audit policies: The audit policies needed to ensure that events are logged whenever any activity occurs may be missing or misconfigured.
Desired events are not getting logged: The required Event IDs are not being captured on Windows Domain Controllers, Windows servers, and workstations.
Incorrect search criteria: The specified search criteria for the required data may be incorrect.
Unable to log events to the security log (Event ID 521): This arises when the security event log fails to log events.
Log collection failure: This might be due to Access Denied/RPC service unavailable error messages, preventing ADAudit Plus from collecting logs.
Resolution
Step 1: Verify audit policy configuration
Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.
Open GPMC and navigate to:
Default Domain Controllers Policy (if managing domain accounts)
ADAuditPlusMSPolicy
Right-click the relevant policy > Edit > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy, and double-click the relevant policy setting.
Navigate to the right pane and right-click the relevant Subcategory, and then click Properties and select Success, Failure, or both, as directed below:
Category | Subcategory | Audit events | Purpose |
Policy Change | Audit Policy Change | Success and Failure | Audit policy auditing |
Step 2: Ensure desired events are logged
Log in with domain admin credentials.
Open Event Viewer (eventvwr.msc) and navigate to Windows Logs > Security.
Verify that the following event IDs are present:
Event ID 4719: Policy change events.
Event ID 4718: User rights removed.
Event ID 4717: System audit policy was changed.
Step 3: Verify search criteria
Click the Server Audit tab > Policy Changes.
Choose the Report and select the Domain.
Set the Period (e.g., Today, Yesterday, This Week, This Month). Define a custom period if needed.
Choose the required hours and select the objects for which you need the report.
Step 4: Resolve Event ID 521: Failure to write events to the Security Log
ADAudit Plus relies on Event Viewer and retrieves events from there, so a high number of Event ID 521 entries may indicate an issue with event logging.
Restart the Windows Event Log service.
Restart the affected server.
Check security log retention settings:
Ensure the maximum log size is sufficient and set to overwrite as needed.
Step 5: Address log collection failures
Fix Access Denied/RPC Service Unavailable errors preventing log collection.
Ensure RPC ports (135 and dynamic range 49152-65535) are open in the firewall.
If you receive the error "A security package specific error occurred", this is due to conflicting IP addresses with the same SPN for multiple machines. Ensure that:
The domain controller showing the error has forward and reverse lookup entries in DNS.
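The checks in Steps 1, 2, 4 and 5 can also be run from PowerShell. The script below is an added example, not part of ADAudit Plus or of the original article; the function names, the 7-day lookback window and the English-language auditpol output are assumptions.

```powershell
# Added example (not ManageEngine code). Run in an elevated PowerShell session
# on the monitored server: covers Step 1, Step 2 and the log size/retention check.
function Test-PolicyChangeAuditing {
    param(
        [int]  $LookbackDays = 7,    # assumed search window, adjust as needed
        [long] $MinLogBytes  = 4GB   # minimum log size from the prerequisites
    )

    # Step 1: effective setting on this machine. It can differ from what GPMC
    # shows if the GPO has not been applied here. /r emits CSV.
    $policy = auditpol /get /subcategory:"Audit Policy Change" /r |
        Where-Object { $_ } | ConvertFrom-Csv

    # Step 2: count the event IDs listed in the article within the window.
    $filter = @{
        LogName   = 'Security'
        Id        = 4719, 4718, 4717
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $counts = @{}
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

    # Prerequisites / Step 4: Security log maximum size and retention mode.
    $log = Get-WinEvent -ListLog Security

    [pscustomobject]@{
        AuditSetting = $policy.'Inclusion Setting'
        AuditOk      = $policy.'Inclusion Setting' -eq 'Success and Failure'  # English locale assumed
        Event4719    = [int]$counts[4719]   # a missing key is $null, which casts to 0
        Event4718    = [int]$counts[4718]
        Event4717    = [int]$counts[4717]
        MaxLogSizeGB = [math]::Round($log.MaximumSizeInBytes / 1GB, 2)
        LogSizeOk    = $log.MaximumSizeInBytes -ge $MinLogBytes
        LogMode      = $log.LogMode         # Circular = overwrite as needed
    }
}

# Step 5: run from the ADAudit Plus server. Checks only the RPC endpoint mapper
# (TCP 135); the dynamic range 49152-65535 must still be allowed in the firewall.
function Test-RpcEndpointMapper {
    param([Parameter(Mandatory)][string] $Server)
    (Test-NetConnection -ComputerName $Server -Port 135 `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

Test-PolicyChangeAuditing | Format-List
```

An AuditOk value of False, or zero counts for all three event IDs after a policy change has been made, points back to Step 1; a False from Test-RpcEndpointMapper points to the firewall check in Step 5.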
When and how to contact support
If the No Data Available error persists after verifying configurations.
If the report shows repeated failures or retrieval errors.
If the dashboard continues to display incorrect or no data despite troubleshooting.
If you suspect a bug in ADAudit Plus.