No data is available under the USB storage auditing report in ADAudit Plus


In This Article:  

  • Issue Description

  • Prerequisites

  • Possible Causes

  • Resolution

  • Related Topics and Articles

  • How to Reach Support

Issue description  

ADAudit Plus monitors and reports on the use of removable storage devices in a network, including USB flash drives, external hard drives, mobile phones, CDs, DVDs, micro-SD cards, WPD devices, etc. ADAudit Plus may fail to report on USB and removable storage changes and display the text No Data Available. This can happen for various reasons, including missing audit policies or log collection issues and, more specifically, a lack of access to read the Security log in the Event Viewer of the target machine.

Pre-requisites  

  • The target machine should be reachable from the server where ADAudit Plus is installed.

  • Required RPC ports (135, 49152-65535) are open bidirectionally or at least inbound on the target server.

  • Confirm that the required audit policies Object Access and Detailed Tracking are enabled to track USB storage auditing events.

  • Ensure the event log size and retention settings are sufficient to retain logs before collection in the Event Viewer.

  • Verify that the ADAudit Plus service account has the necessary privileges for USB storage auditing mentioned here.

Possible causes  

  • The audit policies Object Access and Detailed Tracking, which ensure that events are logged whenever any activity occurs, may not be enabled.

  • The required event IDs are not being captured on Windows servers and workstations.

  • The HotPlugSecureOpen registry key may not be enabled.

  • The specified search criteria for the required data may be incorrect.

  • The security event log fails to log events, which raises Event ID 521 (Unable to log events to the Security log).

  • Log collection fails, possibly with Access Denied or RPC service unavailable error messages, preventing ADAudit Plus from collecting logs.

Resolution  

Step 1: Ensure Required Audit Policies are Enabled  

  • Log in to a system with Group Policy Management Console (GPMC) using Domain Admin credentials.

  • Start > Run > Open GPMC and navigate to

  • Default Domain Controllers Policy (if managing domain accounts) or

  • ADAuditPlusMSPolicy or ADAuditPlusWSPolicy or the respective audit policy applied on the respective workstation or the member server (for local logon-logoff auditing)

  • Right-click the Policy and select Edit.

  • Required Audit Policies

| Category | Sub category | Audit events |
| --- | --- | --- |
| Object access | Audit removable storage | Success and failure |
| Detailed tracking | Audit PNP activity | Success and failure |

 

Step 2: Check whether the desired events are being logged  

  1. Following the steps given below, verify if the audit events for removable storage are being logged in the Event Viewer.

 

  • Log in to the machine with domain admin credentials in which you are trying to audit the USB activity.

  • Open run, type eventvwr.msc.

  • Open Event Viewer > Click on the Windows Logs dropdown > Right click on Security event logs and filter the below event IDs to verify if the events are being logged.

  • Event ID 4663 logs successful attempts to write to or read from a removable storage device.

  • Event ID 6416 logs removable device plug-ins.

Step 3: Enable hotplugsecureopen registry key  

  1. Some Windows 10 operating systems require the registry key hkey_local_machine\system\currentcontrolset\control\storage\hotplugsecureopen to be set to 1.

  2. If the hotplugsecureopen key is not present (in Windows 11), create a key (dword) named hotplugsecureopen and set its value to 1.

  3. Enable the registry entry for events to get logged.  

Step 4: Verify search criteria  

  1. Click on the Server Audit tab > Removable Storage audit.

  2. Choose the USB Storage Auditing reports and select the domain.

  3. Set the period (Today, Yesterday, This week, This month). Define a custom period if needed.

  4. Choose the required hours and select the objects for which you need the report.

 

Step 5: Event ID 521 (Unable to Log Events to Security Logs)  

  1. ADAudit Plus requires events to be logged correctly in the Event Viewer. If Event ID 521 is generated, it indicates that the system has failed to log security events, resulting in log collection failure. To increase the security log size in the Event Viewer:

    1. Open Event Viewer

    2. Navigate to Windows Logs, open Security.

    3. Check if the log size has reached its limit by checking the first event and the last event's timestamp. For example, if the first event is generated now and the last event has been generated five minutes before, then the logs are only retained for five minutes.

    4. Increase the maximum log size to 4096MB or 4GB

  2. Windows event log service is not running

    1. Open Run (Win + R), type services.msc, and press Enter.

    2. Locate the Windows Event Log service, ensure it is running and set to automatic.

    3. If the service is stopped, right click and start the service

Step 6: Validate and Test the Event Log Retention Settings  

  1. Ensure the maximum log size is set to at least 4GB.

    1. Open Event Viewer

    2. Navigate to Windows Logs, open Security.

    3. Check if the log size has reached its limit.

    4. Increase the maximum log size in GPMC as described in Step 2.

  2. To achieve this via Group Policy

    1. Open your Domain Controller > Start > run > GPMC.msc

    2. Edit the <ADAuditPlusPolicy> GPO and navigate to:

    3. Open Computer Configuration

    4. Navigate to Policies

    5. Click on Windows Settings

    6. Open the Security Settings

    7. Then open the Event Log

    8. Navigate to the right pane, Right click on Retention method for security log, navigate to Properties, set Overwrite events as needed.

    9. Navigate to the right pane, Right click on Maximum security log size, Define the size to hold 12 hours of data.

Note: To understand the required event log retention size and more information, click here
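
The checks from Steps 1, 2, 3, 5 and 6 can be collected in one pass on the audited machine. The script below is an added example, not ManageEngine's tooling; it assumes an elevated PowerShell session on English-language Windows, where auditpol lists the two subcategories as "Removable Storage" and "Plug and Play Events". The 24-hour lookback and the 4095 MB comparison are choices made for this example.

```powershell
# Added example: run in an elevated PowerShell session on the audited machine.
# Assumes English-language Windows (auditpol names and setting strings are localized).
function New-Finding($Check, $Value, [bool]$Passed) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Passed = $Passed }
}
$findings = @()

# Step 1: both subcategories should report "Success and Failure".
$policy = auditpol /get /subcategory:"Removable Storage","Plug and Play Events" /r |
    Where-Object { $_ } | ConvertFrom-Csv
foreach ($row in $policy) {
    $setting = $row.'Inclusion Setting'
    $findings += New-Finding "Audit policy: $($row.Subcategory)" $setting ($setting -eq 'Success and Failure')
}

# Step 3: hotplugsecureopen must exist and be set to 1.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage' `
    -Name 'HotplugSecureOpen' -ErrorAction SilentlyContinue
$regValue = if ($reg) { $reg.HotplugSecureOpen } else { 'missing' }
$findings += New-Finding 'Registry: HotplugSecureOpen' $regValue ($regValue -eq 1)

# Step 5: the Windows Event Log service should be running and automatic.
$svc = Get-Service -Name EventLog
$findings += New-Finding 'Windows Event Log service' "$($svc.Status) / $($svc.StartType)" `
    ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')

# Steps 5 and 6: maximum size, and the time between the oldest and newest event.
# A short span only matters once the log has wrapped; a freshly cleared log is also short.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$hours  = [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
$sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
$findings += New-Finding 'Security log maximum size (MB)' $sizeMB ($sizeMB -ge 4095)
$findings += New-Finding 'Security log time span (hours)' $hours ($hours -ge 12)

# Step 2: is there at least one 4663 / 6416 event in the last 24 hours?
# 4663 is shared with other Object Access subcategories, so confirm the
# Task Category in Event Viewer when it is the only one found.
foreach ($id in 4663, 6416) {
    $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id
        StartTime = (Get-Date).AddHours(-24) } -MaxEvents 1 -ErrorAction SilentlyContinue
    $stamp = if ($hit) { $hit.TimeCreated } else { 'none' }
    $findings += New-Finding "Event ID $id (last 24 h)" $stamp ([bool]$hit)
}

$findings | Format-Table -AutoSize
```

Plug in a test USB device before running it so that the Step 2 rows have something to find.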

Step 7: Resolve log collection failures  

  • Verify Network Connectivity

  • Ping the target server from the ADAudit Plus server.

  • To ping a server, open command prompt (Run -> CMD).

  • Type ping <server name> -4

  • Insufficient privileges to collect logs (specifically, Access Denied)

  • Ensure that a service account is configured in ADAudit Plus.

  • Login to ADAudit Plus and navigate to the domain settings page.  

  • Under the configured domain(s), click on the domain dropdown and select modify credentials.

  • In the Modify Domain Credentials window, check the authentication box and add the user account in ADAudit Plus. If the account is already configured, please proceed with the other troubleshooting steps.

  • The service account is not a part of the domain admin group.

    • Navigate to one of your domain controllers.

    • Start > Run > dsa.msc > double click the service account associated with ADAudit Plus.

    • Click the member of tab and add the group Domain admins.

    • Click apply and see if the log collection resumes.

  • The service account is not a part of the eventlog readers group.

  • Remote into a server which has Group Policy Management Console installed.

  • Open Group Policy Management Console  > Right-click on ADAudit Plus Permission GPO  > Edit.

  • Navigate to Computer Configuration  > Preferences  > Control Panel Settings.

  • Right-click Local Users and Groups  > New  > Local Group.

  • Select Event Log Readers group  > Add the service account configured in ADAudit Plus.

 

Note: If you are still unable to resolve the Access Denied error message, please refer to our additional privileges documentation: Here

  • Additional privileges that are required for member servers to collect event logs

    Adding users to Manage auditing and security log rights.

    • Open Group Policy Management Console.

    • Right-click on ADAudit Plus Permission GPO  > Edit.

    • Navigate to Computer Configuration  > Policies  > Windows Settings  > Security Settings  > Local Policies  > User Rights Assignment.

    • Right-click Manage Auditing and Security Log  > Properties  > Add "ADAudit Plus" user.

Grant "Read" permission over registry key

    • Open Group Policy Management Console.

    • Right-click ADAudit Plus permission gpo  > edit.

    • Navigate to computer configuration > policies > windows settings > security settings.

    • Right-click registry > add key.

    • Navigate to machine  > system  > currentcontrolset  > services  > eventlog  > security.

    • Click ok  > grant read permission to "ADAudit Plus" user  > click apply.

    • In the add object window, select configure this key and replace existing permissions on all subkeys.

Privileges required for automatic audit policy and object-level auditing.

    • Make the user a member of the Group Policy Creator Owners group.

    • Open Active Directory Users and Computers.

    • Navigate to Users  > Group Policy Creator Owners group  > Add "ADAudit Plus" user.

 

Grant group management permissions

    • Open Active Directory Users and Computers.

    • Enable Advanced Features.

    • Right-click Users  > Properties  > Security  > Advanced  > Permissions  > Add "ADAudit Plus" user.

    • Set Type Allow, Applies to This object and all descendant objects.

    • Select permissions Create Group Objects and Delete Group Objects.

    • Open Security  > Advanced  > Permissions again.

    • Set Applies to Descendant Group Objects and select Write Members.

Note: Use clear all to remove all permissions and properties before selecting the mentioned property.


  • Fix Log Collection Failure (RPC Service Unavailable)

 

  • Enable the following Inbound Rules on the target server.

    • Open Windows Defender Firewall and navigate to Advanced Security.

    • Navigate to Inbound Rules.

    • Locate and enable the below rules

      • Remote Event Log Management (NP-In)

      • Remote Event Log Management (RPC)

      • Remote Event Log Management (RPC-EPMAP)

      • COM+ Network Access (DCOM-In)

Note: For additional ports, external firewalls, or a centralized firewall, you must enable all the mentioned ports from this guide.
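
To tell the two Step 7 failure modes apart, the remote read can be reproduced by hand from the ADAudit Plus server. The script below is an added example, not ManageEngine's tooling; `TARGET-SERVER` is a placeholder host name, and the optional credential is assumed to be the service account configured in ADAudit Plus.

```powershell
# Added example: run on the ADAudit Plus server. 'TARGET-SERVER' is a placeholder.
param(
    [string]$Target = 'TARGET-SERVER',
    [pscredential]$Credential   # optional: the service account configured in ADAudit Plus
)

# The RPC endpoint mapper (TCP 135) has to answer before a dynamic port is negotiated.
$tcp = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    "TCP 135 is unreachable on ${Target}: check connectivity and the inbound firewall rules."
    return
}

# Read a single Security event remotely through Remote Event Log Management (RPC).
$query = @{ ComputerName = $Target; LogName = 'Security'; MaxEvents = 1; ErrorAction = 'Stop' }
if ($Credential) { $query.Credential = $Credential }

try {
    $evt = Get-WinEvent @query
    "OK: read event ID $($evt.Id) written at $($evt.TimeCreated) from ${Target}."
}
catch {
    $ex = $_.Exception
    if ($ex -is [System.UnauthorizedAccessException] -or $ex.Message -match 'denied|unauthorized') {
        # Matches the "Access Denied" branch: group membership and user rights.
        "Access denied on ${Target}: review Event Log Readers membership and the " +
        "Manage auditing and security log right for the account."
    }
    elseif ($ex.Message -match 'RPC server is unavailable') {
        # Port 135 answered, so the dynamic range or the Remote Event Log rules are blocked.
        "RPC unavailable on ${Target}: enable the Remote Event Log Management inbound " +
        "rules and allow ports 49152-65535."
    }
    else {
        "Unclassified failure on ${Target}: $($ex.Message)"
    }
}
```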

Related topics and articles  

  • How to configure Service Account for ADAudit Plus auditing

How to reach Support

  • If the issue persists, contact our support team here
