Unable to view Member Servers and Workstations reports because access is denied in ADAudit Plus

In this article         

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • When and how to contact Support

 

Issue description: This error occurs when the user account that runs ADAudit Plus does not have sufficient privileges to access the event logs, or is unable to access the security logs, in the target machine's Event Viewer.

Prerequisites

  • Verify if the service account is configured in the Domain Settings page of ADAudit Plus.

  • The account configured in ADAudit Plus should either be a part of the Domain Admins group or have all the necessary privileges listed here.

Possible causes

  • A service account is not configured in ADAudit Plus.

  • The provided service account is not a part of the Domain Admins group in Active Directory.

  • If domain admin rights cannot be given, the service account is not a part of the Event Log Readers group in Active Directory.

  • The service account lacks additional permissions listed (i.e., manage auditing and security log rights).

  • The GPO created for the service account is not applied properly on the workstations and member servers.

 

Resolution

Step 1: A service account is not configured in ADAudit Plus

To allow ADAudit Plus to collect events from the configured machine, either an account with domain admin privileges or a minimally privileged service account must be set up. Please verify that the account is properly configured in the ADAudit Plus user interface by following these steps.

  • Log in to ADAudit Plus and navigate to the Domain Settings page.  

  • Under the configured domain(s), click the domain drop-down and select Modify Credentials.

 

 

  • In the Modify Credentials window, check the authentication box and add the user account in ADAudit Plus. If the account is already configured, please proceed with the other troubleshooting steps.

 

 

Step 2: The service account is not a part of the Domain Admins group

    • Navigate to one of your domain controllers.

    • Select Start > Run > type dsa.msc and hit Enter > double-click the service account associated with ADAudit Plus.

    • Click the Member Of tab and add the group Domain Admins.

    • Click Apply and see if log collection resumes.

 

 

Step 3: The service account is not a part of the Event Log Readers group

Adding the service account to the Event Log Readers group grants the permission to read event logs on a computer without requiring administrative privileges. If the account configured in ADAudit Plus cannot be added to the Domain Admins group, ensure that it is a part of the Event Log Readers group by following these steps.

  • Remote into a server which has the Group Policy Management Console installed.

  • Open the Group Policy Management Console > right-click the ADAudit Plus Permission GPO > Edit.

  • Navigate to Computer Configuration > Preferences > Control Panel Settings.

  • Right-click Local Users and Groups > New > Local Group.

  • Select the Event Log Readers group > add the service account configured in ADAudit Plus.

 

 

Step 4: The service account lacks additional permissions listed

Adding a user account under the Manage auditing and security log rights option grants that user the ability to configure auditing policies and manage security logs. If the user account does not have the permission, please follow the steps below.

  • Open the Group Policy Management Console.

  • Right-click the ADAudit Plus Permission GPO > Edit.

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  • Right-click Manage Auditing and Security Log > Properties > add the ADAudit Plus user.


 

Step 5: The GPO created for the service account is not applied properly on the workstations and member servers

When creating a minimally privileged service account for ADAudit Plus, you will need to create a GPO to enforce the service account’s permissions across all monitored servers. Ensure that the policy is applied to all machines configured in ADAudit Plus.

To ensure the GPO is applied to the workstation:

  • Log in to the server or workstation which shows the access denied error message.

  • Open an elevated Command Prompt, execute the command gpresult /r, and verify if the name of the GPO is listed under the applied GPOs.

  • If the GPO is not applied, please follow the steps given below.

    1. Verify if the machine is added to the GPO's security filtering:

      • Open the Group Policy Management Console > click the respective Group Policy.

      • In the right window, under Security Filtering, verify if the server or workstation is added. (The machine can be added explicitly or the OU that contains the machine can be added.)

    2. If the machine is already added to the GPO, try enforcing the policy to make sure it is applied.

      • Open the Group Policy Management Console > right-click the respective Group Policy.

      • Click Enforce.



    3. To force the GPO update, follow the steps below.

      • Remote into the server which is showing the access denied error message.

      • Open an elevated Command Prompt.

      • Execute the following command: gpupdate /force. 
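
The checks from Steps 3 to 5 can be run together on an affected machine. The script below is an added example, not part of the original article or of ADAudit Plus. It assumes an elevated Windows PowerShell 5.1 session and English-language gpresult output; the account name is a constructed placeholder, and the GPO name is assumed to match the one referred to in Steps 3 and 4.

```powershell
# Added example: run in an elevated Windows PowerShell session on the machine
# that shows the access denied error. Account name is a constructed placeholder.
param(
    [string]$Account = 'CONTOSO\svc-adaudit',        # placeholder service account
    [string]$GpoName = 'ADAudit Plus Permission GPO'  # assumed GPO display name
)

# Group membership and user rights are stored by SID, so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Step 3: direct membership of the local Event Log Readers group (SID S-1-5-32-573).
$inReaders = @(Get-LocalGroupMember -SID 'S-1-5-32-573' |
    Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

# Step 4: "Manage auditing and security log" is the SeSecurityPrivilege user right.
$cfg = Join-Path $env:TEMP 'adaudit-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeSecurityPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @()
if ($entry) {
    # Holders are listed as *SID or, for some accounts, by name.
    $holders = ($entry.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasRight = ($holders -contains $sid) -or ($holders -contains $Account)

# Step 5: look for the GPO only inside the computer's "Applied Group Policy Objects"
# section, so a GPO that was filtered out is not counted as applied.
$inApplied = $false
$gpoApplied = $false
foreach ($row in (gpresult /r /scope computer)) {
    if ($row -match 'Applied Group Policy Objects') { $inApplied = $true; continue }
    if ($inApplied -and $row -match 'not applied|security groups') { break }
    if ($inApplied -and $row.Trim() -eq $GpoName) { $gpoApplied = $true }
}

# Only direct assignments are checked; rights inherited through other groups
# (for example Administrators) are not expanded.
[pscustomobject]@{
    Account             = $Account
    Sid                 = $sid
    EventLogReaders     = $inReaders
    SeSecurityPrivilege = $hasRight
    GpoApplied          = $gpoApplied
}
```

A False value in the EventLogReaders, SeSecurityPrivilege or GpoApplied column corresponds to Step 3, Step 4 or Step 5 respectively.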


 

 

 

Related topics and articles

 

How to reach support

  • If the issue persists, contact our support team here
