MSExchangeGuru.com


Active Directory: Where are my Audit Events?

Today I came across a new issue, so I am sharing it here to help you.

Here are the infrastructure details:

1 Root domain

1 Child domain

4 Windows 2008 R2 Domain controllers

2 mailbox servers in DAG

2 CAS+HT servers

 

Everything was working fine until someone deleted a service account from the domain in AD.

-We did an authoritative restore, which recovered the AD object, but we also needed to identify who deleted it and when. So we checked the domain controllers, but there were no events logged in the Security log at all.

-So I started scanning the GPOs and found the issue below:

-Audit policy was configured in 2 places, in 2 different GPOs:

  1. Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

  2. Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management

-You can't have both configurations in your environment: they conflict, and the result can be that neither of them is applied. Microsoft also documents that using both advanced and basic audit policy settings can cause unexpected results.

-So we removed the GPO configuration at Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management.

-We forced replication to all the DCs and AD sites. But security events were still not being written to the Security logs.

-When I ran auditpol /get /category:* it reported "No Auditing" for everything, whereas it should have shown "Success and Failure" or "Failure".

-I knew some of the configuration was still left somewhere, so I checked SYSVOL for this GPO. When you get there you will see that the GPOs are stored in folders named by their GUID.

-This means you need to search SYSVOL by GUID. To find the GUID, open the GPO's Details tab, note the Unique ID, and then search for that GUID.

-We found the GPO folder there, and inside it an audit.csv file, the same file the Microsoft article referenced above mentions.

-Removed this file.

-Forced replication to all DCs.

-Ran gpupdate /force on all DCs.

Bingo!!! The Security log now started logging events in Event Viewer.

If your issue is still not resolved, check the following locations as well for a leftover audit.csv:

C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv

C:\Windows\security
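The check below is an added example, not a script from the original post. It walks the GPO folders in SYSVOL, reports which GPOs carry basic audit policy (the [Event Audit] section of GptTmpl.inf) and which carry advanced audit policy (audit.csv), warns when both kinds are deployed, and then shows the effective auditpol state and any stale local audit.csv on the DC it is run on. It assumes the GroupPolicy RSAT module is installed and that $env:USERDNSDOMAIN names the domain whose SYSVOL you want to inspect.

```powershell
# Added example (not from the original post): find basic vs. advanced audit policy in SYSVOL.
# Assumes the GroupPolicy module is available and the domain name comes from the environment.
Import-Module GroupPolicy
$domain = $env:USERDNSDOMAIN
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# GPO folders in SYSVOL are named by GUID. Basic audit policy lives in the [Event Audit]
# section of GptTmpl.inf; advanced audit policy is an audit.csv under Windows NT\Audit.
$report = foreach ($dir in Get-ChildItem -Path $sysvol -Directory) {
    $inf = Join-Path $dir.FullName 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $csv = Join-Path $dir.FullName 'MACHINE\Microsoft\Windows NT\Audit\audit.csv'
    $basic    = (Test-Path $inf) -and (Select-String -Path $inf -Pattern '^\[Event Audit\]' -Quiet)
    $advanced = Test-Path $csv
    if (-not ($basic -or $advanced)) { continue }
    # Map the folder GUID back to a display name; the GPO may be orphaned in SYSVOL.
    $gpo  = Get-GPO -Guid $dir.Name.Trim('{}') -Domain $domain -ErrorAction SilentlyContinue
    $name = if ($gpo) { $gpo.DisplayName } else { '(not found in AD)' }
    # audit.csv has Subcategory and "Setting Value" columns; summarise them per GPO.
    $subs = if ($advanced) {
        (Import-Csv $csv | ForEach-Object { "$($_.Subcategory)=$($_.'Setting Value')" }) -join '; '
    } else { '' }
    [pscustomobject]@{
        Guid = $dir.Name; DisplayName = $name
        BasicAudit = $basic; AdvancedAudit = $advanced; Subcategories = $subs
    }
}
$report | Format-Table -AutoSize -Wrap

# Basic and advanced audit policy deployed side by side is the conflict described above.
if (($report.BasicAudit -contains $true) -and ($report.AdvancedAudit -contains $true)) {
    Write-Warning 'Both basic and advanced audit policy are deployed; expect unexpected results.'
}

# Effective state on this DC: the subcategory-override switch and auditpol itself.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"
auditpol /get /category:* | Select-String 'No Auditing' | ForEach-Object { $_.Line.Trim() }

# Local copies of audit.csv keep a removed advanced policy alive until they are cleaned up.
foreach ($p in "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv",
               "$env:SystemRoot\security\audit\audit.csv") {
    if (Test-Path $p) { "Stale local advanced audit file present: $p" }
}
```

Run it on each DC after gpupdate /force; any subcategory still listed as "No Auditing" while a GPO reports it as configured points to a leftover file rather than a replication problem.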


Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru

 


5 Responses to “Active Directory: Where are my Audit Events?”

  1. NeWay Technologies – Weekly Newsletter #140 – March 26, 2015 | NeWay Says:

    […] Active Directory: Where are my Audit Events? – 23-Mar-2015 […]

  2. NeWay Technologies – Weekly Newsletter #140 – March 27, 2015 | NeWay Says:

    […] Active Directory: Where are my Audit Events? – 23-Mar-2015 […]

  3. Igor Says:

    Hi!
    Is there any testing tool for communication between Exchange Server and AD? I'm starting to get an annoying popup message every single day in users' Outlook. Also, when I try to configure a new Outlook client I get a popup message for Autodiscover, and when I log on everything is fine, but I get that popup again after a couple of hours. If there is any solution for this I will be very pleased!
    Thanks in advance!

  4. Prabhat Nigam Says:

    Share the popup screenshot.
    Do these users log in to the domain?
    What authentication methods are configured on your Exchange for Outlook Anywhere?

  5. Igor Says:

    It is the standard popup window for a password (https://kurtsh.files.wordpress.com/2012/03/image37.png)
    I think it is something about OAB authentication, because the problem started to appear after the resolution of an OAB issue I had before. Now OAB is working fine, everyone can download the OAB, but maybe something is missing in authentication…

    These are my Outlook Anywhere properties.
    [PS] C:\>Get-OutlookAnywhere |fl

    RunspaceId : b19ccb9c-1cf4-43f4-aba7-4b146c18417c
    ServerName : servername
    SSLOffloading : False
    ExternalHostname : mail.contoso.com
    InternalHostname : mail.contoso.com
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
    XropUrl :
    ExternalClientsRequireSsl : True
    InternalClientsRequireSsl : True
    MetabasePath : IIS://servername.contoso.com/W3SVC/1/ROOT/Rpc
    Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags : {}
    ExtendedProtectionSPNList : {}
    AdminDisplayVersion : Version 15.0 (Build 1076.9)
    Server : NDA-TC-WSRV10
    AdminDisplayName :
    ExchangeVersion : 0.20 (15.0.0.0)
    Name : Rpc (Default Web Site)
    DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exch
    ange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=contoso,CN=
    Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=contoso,DC=com
    Identity : servername\Rpc (Default Web Site)
    Guid : f5badefa-a309-4d76-8604-c17199f37c36
    ObjectCategory : contoso.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged : 2015-03-27 00:33:10
    WhenCreated : 2015-03-12 14:19:44
    WhenChangedUTC : 2015-03-26 23:33:10
    WhenCreatedUTC : 2015-03-12 13:19:44
    OrganizationId :
    Id : servername\Rpc (Default Web Site)
    OriginatingServer : servername.contoso.com
    IsValid : True
    ObjectState : Changed
