In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• When and how to reach support

Issue description  

In ADAudit Plus, the Other AD Object Reports profile provides insights into various Active Directory object modifications, including Password Settings Object changes, recently created/deleted/modified containers and contacts, container permission changes, and undeleted AD objects. However, in some instances, users may find that no data is available under these reports. This issue typically arises due to misconfigurations in auditing settings, insufficient privileges, or event data processing failures in ADAudit Plus. This document provides a structured approach to diagnosing and resolving this issue.

Prerequisites  

Before troubleshooting, ensure the following:

• All domain controllers are configured in ADAudit Plus.

• Required ports and firewall rules are enabled.

• Service account provided in ADAudit Plus is a member of the Event Log Readers group.

• Directory Service Changes audit policy and Object-level auditing are enabled.

• The event log retention size is configured to a minimum of 2 GB and should be adjusted based on the volume of log data generated in your environment.

Possible causes  

• Not all domain controllers are configured in ADAudit Plus.

• No communication from the product server to the respective machine due to firewall or network restrictions.

• The configured service account does not have the necessary permissions to access event logs.

• Directory Service Changes audit policy or object-level auditing is not enabled.

• The security event log size is too small, leading to event overwrites.

• Data processing issues due to files stuck under Installation Directory/ADAudit Plus/event data/raw or processed.

Resolution  

Step 1: Verify Domain Controllers configuration in ADAudit Plus  

1. Log in to ADAudit Plus Web Console.

2. Navigate to Domain Settings on the top right.

3. Ensure that all Domain Controllers (DCs) in your environment are listed and configured.

4. Additionally, you can click on Managed Domain Computer to view a comparison between the total number of servers in your Active Directory and the number of devices currently configured in ADAudit Plus for auditing. 

5. Note: Security logs do not replicate, so all Domain Controllers must be configured in ADAudit Plus.

Step 2: Check for communication issues  

1. If log collection fails, check for RPC-related errors.

2. If encountering RPC Server Unavailable Error Code 6ba, refer to the troubleshooting guide.

Step 3: Verify service account permissions  

1. Navigate to Domain Settings.

2. Click the dropdown next to the domain name.

3. Select Modify Credentials.

4. Ensure that an account is specified for authentication.

5. The account can be either a Domain Administrator or a service account with the necessary minimum privileges.

6. 

Step 4: Configure audit policies  

Enable directory service changes audit policy  

1. Log in to a machine with Group Policy Management Console (GPMC).

2. Open GPMC > Default Domain Controllers Policy > Edit.

3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy.

4. Enable Audit Directory Service Changes.

Configure object-level auditing  

1. Open Active Directory Users and Computers (ADUC).

2. Click View > Enable Advanced Features.

3. Right-click Domain > Properties > Security > Advanced > Auditing > Add.

4. In the Auditing Entry window:

• Select Principal: Everyone.

• Type: Success.

• Select appropriate permissions for:

• Contacts

• Containers

• Password Settings Objects

Step 5: Configure event log size and retention  

1. Open GPMC > Default Domain Controllers Policy > Edit.

2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.

3. Set Retention method for security log to Overwrite events as needed.

4. Set Maximum security log size to 2 GB.

5. Note: Ensure the security event log holds at least 12 hours of data.

Step 6: Check for stuck files in event data folder  

1. Navigate to Installation Directory/ADAudit Plus/event data/raw or processed.

2. If files are stuck, contact ManageEngine Support for assistance.

Related topics and articles  

• Configuring Audit Policies

• Troubleshooting Event Collection

• Configuring Object-Level Auditing

How to reach support  

If the issue persists, contact our support team here.