In this article:
Issue description
Prerequisites
Possible causes
Resolution
Related topics and articles
When and how to contact support
Issue description
This error occurs when the user account that runs ADAudit Plus does not have sufficient privileges to access the event logs of the configured domain controllers.
Prerequisites
Verify if the service account is configured in the Domain Settings page of ADAudit Plus.
The account configured in ADAudit Plus should either be a part of the Domain Admins group or have all the necessary privileges listed here.
Possible causes
A service account is not configured in ADAudit Plus.
The provided service account is not a part of the Domain Admins group in Active Directory.
If domain admin rights cannot be given, the service account is not a part of the Event Log Readers group in Active Directory.
The service account lacks the additional permissions listed (i.e., the Manage auditing and security log right).
The GPO created for the service account is not applied properly on the domain controllers.
Resolution
Step 1: A service account is not configured in ADAudit Plus
To allow ADAudit Plus to collect events from the configured machine, an account with either domain admin privileges or a minimally privileged service account must be set up. Please verify that the account is properly configured in the ADAudit Plus user interface by following these steps.
Log in to ADAudit Plus and navigate to the Domain Settings page.
Under the configured domain(s), click the domain drop-down and select Modify Credentials.
In the Modify Credentials window, check the authentication box and add the user account in ADAudit Plus. If the account is already configured, please proceed with the other troubleshooting steps.
Step 2: The service account is not a part of the Domain Admins group
Navigate to one of your domain controllers.
Select Start > Run > type dsa.msc and hit Enter > double-click the service account associated with ADAudit Plus.
Click the Member Of tab and add the group Domain Admins.
Click Apply and see if log collection resumes.
Step 3: The service account is not a part of the Event Log Readers group
Adding the service account to the Event Log Readers group grants the permission to read event logs on a computer without requiring administrative privileges. If the account configured in ADAudit Plus cannot be added to the Domain Admins group, ensure that it is a part of the Event Log Readers group by following these steps.
Log in to your domain controller with domain admin privileges.
Open Active Directory Users and Computers > navigate to the Builtin container.
Navigate to the right panel. Right-click Event Log Readers > Properties > Members.
Add the ADAudit Plus service account and click Apply.
Step 4: The service account lacks additional permissions listed
Adding a user account to the Manage auditing and security log user right grants that user the ability to configure auditing policies and manage security logs. If the user account does not have the permission, please follow the steps below.
Log in to a domain controller with domain admin privileges > open the Group Policy Management Console > right-click the GPO created for ADAudit Plus permissions > click Edit.
In the Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Navigate to the right panel and right-click Manage auditing and security log.
Click Properties, add the ADAudit Plus service account, and click Apply.
Step 5: The GPO created for the service account is not applied properly on the domain controller
When creating a minimally privileged service account for ADAudit Plus, you will need to create a GPO to enforce the service account's permissions across all monitored servers. Ensure that the policy is applied to all machines configured in ADAudit Plus.
To ensure the GPO is applied to the domain controller:
Log in to the server or domain controller that's giving the access denied error message.
Open an elevated Command Prompt, execute gpresult /r, and verify if the name of the GPO is listed under the applied GPOs.
If the GPO is not applied, please follow the steps given below.
Verify if the machine is added to the GPO's security filtering.
Open the Group Policy Management Console > click the default domain controller policy or the respective Group Policy created for ADAudit Plus.
In the right window, under Security Filtering, verify if the domain controller is added. (The machine can be added explicitly or the OU that contains the machine can be added.)
If the machine is already added to the GPO, try enforcing the policy to make sure it is applied.
Open the Group Policy Management Console > right-click the respective Group Policy.
Click Enforce.
To force the GPO update, follow the steps below.
Remote into the server that is showing the access denied error message.
Open an elevated Command Prompt.
Execute the following command: gpupdate /force.
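The checks from Steps 2 to 5 can also be run read-only from PowerShell before any group, right or GPO is changed. The following is an added example, not ManageEngine's own tooling; the account name svc-adaudit and the GPO name are placeholders, and it assumes an elevated session on the affected domain controller, the RSAT ActiveDirectory module and English gpresult output.

```powershell
# Added example (not vendor code). Read-only: changes no group, right or GPO.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-adaudit'               # placeholder account name (assumption)
$GpoName        = 'ADAudit Plus Permissions'  # placeholder GPO name (assumption)

# Steps 2 and 3: tokenGroups holds the SIDs of every group the account belongs to,
# nested ones included, so well-known SIDs can be compared directly.
$user = Get-ADUser -Identity $ServiceAccount -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
$inDomainAdmins = $sids -contains "$($user.SID.AccountDomainSid.Value)-512"
$inLogReaders   = $sids -contains 'S-1-5-32-573'   # BUILTIN\Event Log Readers

# Step 4: export the effective user rights of this machine and read
# SeSecurityPrivilege ("Manage auditing and security log").
$cfg = Join-Path $env:TEMP 'adaudit-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
$entry = Select-String -Path $cfg -Pattern '^SeSecurityPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($entry) {
    # Entries are "*SID" values; a holder written as a plain name is not resolved here.
    $holders = ($entry.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasAuditRight = [bool]($holders | Where-Object { $sids -contains $_ })

# Step 5: accept the GPO only if it is in the "Applied" section of the computer
# scope, not in the "filtered out" section that follows it.
$inApplied = $false
$gpoApplied = $false
foreach ($line in (gpresult /r /scope computer)) {
    if ($line -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
    if ($line -match 'were not applied|security groups') { $inApplied = $false }
    if ($inApplied -and $line.Trim() -eq $GpoName) { $gpoApplied = $true }
}

[pscustomobject]@{
    Account                      = $ServiceAccount
    DomainAdmins                 = $inDomainAdmins
    EventLogReaders              = $inLogReaders
    ManageAuditingAndSecurityLog = $hasAuditRight
    GpoAppliedToThisComputer     = $gpoApplied
}
```

For an account that is not in Domain Admins, False under EventLogReaders or ManageAuditingAndSecurityLog points to Step 3 or Step 4, and False under GpoAppliedToThisComputer points to Step 5.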
Related topics and articles
How to reach support
If the issue persists, contact our support team here.