Troubleshooting user creation events not being captured

In this article:  

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • How to reach support

  • Related topics and articles

Issue description  

A new user account is created in Active Directory, but the action is not recorded or visible in any ADAudit Plus reports, preventing the tracking of new user creations.

Prerequisites  

  • You must have administrator access to a domain controller within the target domain.

  • You need administrator access to the ADAudit Plus web console.

  • You must have access to the file system of the server where ADAudit Plus is installed.

Possible causes  

  • The user creation event (event ID 4720) is not being generated on the domain controllers.

  • The Audit User Account Management policy is not enabled in the Group Policy.

  • The Users Created report profile is disabled in ADAudit Plus.

  • Event data files are stuck in the processing queue on the ADAudit Plus server.

Resolution  

Follow these steps to diagnose and resolve the issue.

Step 1: Verify event generation on the domain controller  

First, confirm whether the domain controller is generating the user creation event.

  1. Log in to a domain controller from the respective domain.

  2. Open Event Viewer.

  3. Navigate to Windows Logs > Security.

  4. Use the Filter Current Log option to search for event ID 4720. If you find events with this ID, it confirms that the server is generating the necessary audit data.

Step 2: Check the audit policy configuration  

If you do not find event ID 4720, check whether the required audit policy is enabled.

  1. On the domain controller, open Command Prompt in elevated mode.

  2. Execute the command: auditpol /get /category:*

  3. In the output, check whether Account Management > Audit User Account Management is set to Success and Failure.

Step 3: Enable the audit policy (if not enabled)  

If the policy is not enabled, follow these steps to enable it.

  1. Open the Group Policy Management Console by pressing Windows key + R, typing gpmc.msc, and clicking OK.

  2. Navigate to and edit the Default Domain Controllers Policy GPO.

  3. In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management.

  4. Double-click the Audit User Account Management policy.

  5. Check the Define these policy settings box and then check both the Success and Failure boxes. Click Apply and OK.

  6. To apply the settings immediately, open an elevated Command Prompt and run the command gpupdate /force.

Step 4: Verify the report profile in ADAudit Plus  

If the audit policy is correctly configured but events are still not visible, check the ADAudit Plus configuration.

  1. Log in to the ADAudit Plus web console as an administrator.

  2. Navigate to the Configuration tab > Report Profiles > View/Modify Report Profiles.

  3. Under the Category drop-down, choose Account Creation and ensure the Users Created profile is enabled.

Step 5: Check for stuck event data files  

If all configurations are correct, check for unprocessed files on the ADAudit Plus server.

  1. Navigate to the installation directory of ADAudit Plus on the server.

  2. Check for a large number of files stuck in the following folders:

    • <home\ADAudit Plus\eventdata\processed>

    • <home\ADAudit Plus\eventdata\raw>

    • <home\ADAudit Plus\eventdata\processed_err>
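
The checks from steps 1, 2 and 5 can also be collected with one script. This is an added example, not part of ADAudit Plus or the original article. Assumptions: the $EventDataRoot default is a placeholder to replace with your own eventdata path, the operating system uses English audit subcategory names, and the "oldest file" column is an extra hint beyond the file count the article asks for. Run it elevated on the domain controller for steps 1 and 2, and on the ADAudit Plus server for step 5.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: placeholder path. Point this at the eventdata folder of your installation.
    [string]$EventDataRoot = 'C:\Path\To\ADAudit Plus\eventdata',
    [int]$LookbackDays = 7
)

# Step 1: is event ID 4720 (user account created) present in the Security log?
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)
Write-Host "Event ID 4720 in the last $LookbackDays day(s), capped at 20: $($events.Count) found"
$events | ForEach-Object {
    # Read the named fields from the event XML rather than relying on property order.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        NewUser   = $data['TargetUserName']
        CreatedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
} | Format-Table -AutoSize

# Step 2: effective audit policy, using the same command as the article.
$line = auditpol /get /category:* | Where-Object { $_ -match '^\s+User Account Management\s+(.+)$' }
if ($line) {
    $setting = $Matches[1].Trim()
    Write-Host "Audit User Account Management: $setting"
    if ($setting -ne 'Success and Failure') {
        Write-Warning 'Policy is not set to Success and Failure. See step 3.'
    }
} else {
    Write-Warning 'Subcategory not found in auditpol output (not elevated, or non-English OS).'
}

# Step 5: file counts in the ADAudit Plus eventdata folders (skipped when the path is absent).
if (Test-Path -LiteralPath $EventDataRoot) {
    foreach ($name in 'processed', 'raw', 'processed_err') {
        $dir = Join-Path $EventDataRoot $name
        if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "$dir not found"; continue }
        $files  = @(Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue)
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
        [pscustomobject]@{ Folder = $name; Files = $files.Count; OldestFile = $oldest.LastWriteTime }
    }
} else {
    Write-Host "Skipping step 5: $EventDataRoot does not exist on this machine."
}
```

The output of each section corresponds to the evidence the support team asks for below.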

How to reach support  

If the issue persists after following all the steps above, please contact the support team. Include screenshots of the Event Viewer logs, the audit policy configuration output, the report profile status, and the file counts in the eventdata folders to help expedite the resolution.

Related topics and articles  
