Issue description
Newly created user accounts in Active Directory are not appearing in the Recently Created Users report in ADAudit Plus, indicating a gap in data collection.
Prerequisites
You must have administrator access to the ADAudit Plus web console.
You need administrator access to your domain controllers to use Event Viewer, Group Policy Management Console, and Command Prompt.
You must have access to the file system of the server where ADAudit Plus is installed.
Possible causes
The domain controllers are not correctly configured or reporting to ADAudit Plus.
The required audit policy to generate user creation events (Event ID 4720) is not enabled on the domain controllers.
The Security Event Log size is too small, causing critical events to be overwritten before they can be collected.
Event data files are stuck in the processing queue on the ADAudit Plus server.
Resolution
Follow these steps to diagnose and resolve the issue.
Step 1: Check Domain Controller configuration
First, ensure that all domain controllers are properly configured within ADAudit Plus.
Navigate to the Domain settings page and make sure all the DCs are properly configured and reporting.
Step 2: Check for Event ID 4720 on the domain controller
Next, determine if the domain controller is generating the raw event that ADAudit Plus needs.
Log in to the domain controller in question.
Open Event Viewer.
Navigate to Windows Logs > Security.
From the Actions pane, select Filter Current Log.
In the filter window, enter 4720 into the event ID field and click OK.
Review the filtered events to see if you can find the record for the user creation.
Step 3: Analyze your findings
Based on the results from the previous step, proceed with one of the following scenarios:
Scenario A: Event 4720 is present
If you can find Event ID 4720 in the DC's security log but the event does not appear in ADAudit Plus, this points to a problem with event collection or processing. In this case, please proceed to the How to reach support section.
Scenario B: Event 4720 is not present
If you cannot find Event ID 4720 for the user that was created, this indicates that the required audit policy is not enabled, or that the event was overwritten before you looked (see Step 5). Proceed to the next step to enable the required policy.
Step 4: Verify and enable the required audit policy
On the domain controller, open Command Prompt in elevated mode.
Execute the command auditpol /get /category:* and, under the Account Management category, confirm that the User Account Management subcategory (Audit User Account Management in Group Policy) is enabled for Success.
To enable the policy, open the Group Policy Management Console (GPMC) and edit the Default Domain Controllers Policy.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management.
Double-click the Audit User Account Management policy, check the Define these policy settings box, and then check the Success box.
Click Apply and OK.
Force an immediate policy update by running the command gpupdate /force in an elevated Command Prompt.
Step 5: Configure the Security Event Log size
Ensure the security event log is large enough to hold events for a longer duration than the event fetch interval. This prevents audit data loss due to events being overwritten.
Log in to a computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
Open GPMC, right-click on Default Domain Controllers Policy, and select Edit.
In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
In the right pane, right-click on Retention method for security log, select Properties, and choose Overwrite events as needed.
In the right pane, right-click on Maximum security log size and define an appropriate size.
Note: Ensure the security event log can hold a minimum of 12 hours of data.
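The domain controller checks from Steps 2, 4, and 5 can also be run in one pass from an elevated PowerShell prompt on the DC. The script below is an added example, not part of ADAudit Plus or its documentation; the parameter names $LookbackHours and $MinRetentionHours are assumptions chosen for illustration.

```powershell
# Added example: run on the domain controller from an elevated PowerShell prompt.
# $LookbackHours and $MinRetentionHours are assumed names, not ADAudit Plus settings.
param(
    [int]$LookbackHours = 24,
    [int]$MinRetentionHours = 12   # minimum from the Note in Step 5
)

# Step 2: look for user-creation events (Event ID 4720) in the Security log.
$filter  = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$created = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($created) {
    $created | ForEach-Object {
        $evt  = $_
        $data = @{}
        # Pull the named fields out of the event's XML payload.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            NewAccount  = $data['TargetUserName']
            CreatedBy   = $data['SubjectUserName']
        }
    } | Format-Table -AutoSize
} else {
    Write-Warning "No Event ID 4720 in the last $LookbackHours hours (Scenario B)."
}

# Step 4: show the effective setting for the User Account Management subcategory.
auditpol /get /subcategory:"User Account Management"

# Step 5: compare the Security log's size and mode with how far back it reaches.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$span   = (Get-Date) - $oldest.TimeCreated
[pscustomobject]@{
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode       = $log.LogMode    # Circular corresponds to "Overwrite events as needed"
    HoursRetained = [math]::Round($span.TotalHours, 1)
} | Format-List

# A nearly full log that reaches back less than the minimum is overwriting events too early.
if ($log.FileSize -ge 0.9 * $log.MaximumSizeInBytes -and $span.TotalHours -lt $MinRetentionHours) {
    Write-Warning "Security log is full and covers under $MinRetentionHours hours; increase its maximum size."
}
```

A short HoursRetained value on a log that is not yet full only means the log was cleared or created recently, which is why the warning also checks the file size.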
Step 6: Check for stuck event files
If you have enabled the audit policies and still do not see the event, you should check for unprocessed files on the ADAudit Plus server.
Connect via RDP to the server where ADAudit Plus is installed and check whether any new files are being generated or are stuck in these folders:
<Home>\ADAudit Plus\eventdata\raw
<Home>\ADAudit Plus\eventdata\processed
<Home>\ADAudit Plus\eventdata\processed_err
How to reach support
If the issue persists after following all the steps, or if you found a matching Event 4720 in Step 2, please contact our support team for further assistance. Providing screenshots of your findings will help expedite the resolution.
Related topics and articles
How to configure Domain in ADAudit Plus