Active Directory: Where are my Audit Events?
Today I came across a new issue, so I am sharing it here to help you.
Here are the infrastructure details:
1 Root domain
1 Child domain
4 Windows 2008 R2 Domain controllers
2 mailbox servers in DAG
2 CAS+HT servers
Everything was working fine until someone deleted a service account from the domain in AD.
-We did an authoritative restore, which recovered the AD object, but we needed to identify who deleted it and when. So we checked the domain controllers, but there was nothing in the security log: no account management events at all.
-So I started going through the GPOs and found the issue below:
-Audit policy was configured in 2 places, in 2 different GPOs:
1. Policies\Windows Settings\Security Settings\Local Policies\Audit Policy (the basic, category-level audit policy)
2. Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management (the advanced, subcategory-level audit policy)
-Mixing the two is the problem. Once any advanced audit policy setting is applied, Windows Server 2008 R2 and later ignore the basic category settings by default (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled by default), so the basic GPO you think is in force is not being applied at all. Microsoft documents that using both advanced and basic audit policy settings can cause unexpected results, and this is one of them.
-So we removed the GPO configuration at Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management.
-We forced replication to all DCs and AD sites, but security events were still not being written to the security log.
-When I ran auditpol /get /category:* every subcategory reported No Auditing, where it should have shown Success and Failure, or Failure.
-I knew some configuration was still left somewhere, so I checked SYSVOL for this GPO. In SYSVOL the GPOs are stored in folders named by their GUIDs, not their display names.
-This means you need to search by GUID. To find a GPO's GUID, open it in GPMC, go to the Details tab, and read the Unique ID; then search SYSVOL for that GUID.
-Under that GPO's folder we found an audit.csv file. This is the file through which the advanced audit policy is delivered to clients, and it was still being applied even though the setting no longer showed in the GPO editor.
-Removed this file.
-Forced replication to all DCs.
-Ran gpupdate /force on all DCs.
Bingo!!! The security log started logging events again.
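The hunt above can be scripted instead of clicking through GPMC and SYSVOL by hand. The following PowerShell is an added example, not part of the original post: it walks every GPO in the domain, reports which ones ship a basic audit policy (the [Event Audit] section of GptTmpl.inf) and which ship an advanced one (audit.csv), warns when both kinds are deployed, and then shows what this DC is actually enforcing for the subcategory that records a deleted user account. It assumes an elevated PowerShell session on a DC with the GroupPolicy and ActiveDirectory modules (RSAT) available; the SYSVOL paths are the standard locations and the domain name is read from AD.

```powershell
# Added example, not from the original post. Assumes: elevated PowerShell on a DC,
# GroupPolicy + ActiveDirectory modules installed, read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain       = (Get-ADDomain).DNSRoot
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"   # GPO folders live here, named {GUID}

$report = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $gpoDir = Join-Path $PoliciesRoot "{$($gpo.Id)}"

    # Basic (category) audit policy is written into the GPO's security template.
    $inf = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    # Advanced (subcategory) audit policy is shipped as audit.csv and applied via auditpol.
    $csv = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\Audit\audit.csv'

    # [Event Audit] followed by at least one Audit<Category> = <value> line.
    $hasBasic = (Test-Path $inf) -and
                ((Get-Content $inf -Raw) -match '(?m)^\[Event Audit\]\s*Audit\w+\s*=')

    # audit.csv has a header row; any non-empty row after it is a real subcategory setting.
    $hasAdvanced = $false
    if (Test-Path $csv) {
        $rows = @(Get-Content $csv | Select-Object -Skip 1 | Where-Object { $_.Trim() })
        $hasAdvanced = $rows.Count -gt 0
    }

    [pscustomobject]@{
        GPO           = $gpo.DisplayName
        Id            = $gpo.Id
        BasicAudit    = $hasBasic
        AdvancedAudit = $hasAdvanced
        AuditCsv      = if (Test-Path $csv) { $csv } else { $null }
    }
}

$report | Format-Table -AutoSize

# Either a single GPO carrying both, or one GPO with basic and another with advanced,
# is the mixed configuration Microsoft warns about.
$mixed = @($report | Where-Object { $_.BasicAudit -and $_.AdvancedAudit })
if ($mixed.Count -gt 0) {
    Write-Warning ("GPOs with both basic and advanced audit settings: " +
                   (($mixed | ForEach-Object { $_.GPO }) -join ', '))
}
$anyBasic    = @($report | Where-Object { $_.BasicAudit }).Count -gt 0
$anyAdvanced = @($report | Where-Object { $_.AdvancedAudit }).Count -gt 0
if ($anyBasic -and $anyAdvanced) {
    Write-Warning 'Both basic and advanced audit policy are deployed in this domain; pick one.'
}

# What this DC really enforces. A deleted user account is event 4726, logged under
# Account Management > User Account Management, so this must not read "No Auditing".
auditpol /get /subcategory:"User Account Management"
```

Run it on the DC where you expected the events. If the domain-wide check comes back clean but the last line still shows No Auditing, the previously applied advanced settings are lingering in the local audit policy store; `auditpol /clear` resets that store, after which `gpupdate /force` will reapply whichever policy you kept. Pick one mechanism going forward (advanced is the one Microsoft recommends, with every subcategory you need set explicitly) rather than relying on the basic policy from the Default Domain Controllers Policy.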
If your issue is still not resolved, check the following locations as well for audit.csv:
Microsoft MVP | Exchange Server