Active Directory: Where are my Audit Events?
Today I came across a new issue, so I am sharing it here to help you.
Here are the infrastructure details:
1 Root domain
1 Child domain
4 Windows 2008 R2 Domain controllers
2 mailbox servers in DAG
2 CAS+HT servers
Everything was working fine until someone deleted a service account from AD.
-We did an authoritative restore, which recovered the AD object, but we needed to identify who had deleted it and when. So we checked the domain controllers, but there was no event logged in the Security log.
-So I started scanning the GPOs and found the issue below:
-Audit policy was configured in 2 places, in 2 different GPOs:
1. Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
2. Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management
-You can't have both configurations in your environment: they conflict, and neither of them will be applied. Microsoft has also mentioned that using both advanced and basic audit policy settings can cause unexpected results.
-So we removed the GPO configuration at Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Account Management.
-We replicated to all the DCs and AD sites, but security events were still not being logged to the Security log.
-When I ran auditpol /get /category:* it reported No Auditing, whereas it should have shown Success and Failure, or Failure.
-I knew that some configuration was still left somewhere, so I checked SYSVOL for this GPO. In SYSVOL the GPOs are stored in folders named by their GUID.
-This means you need to search there by GUID. To find the GUID, open the GPO's Details tab in GPMC and note its Unique ID, then search for that GUID.
-We found the GPO folder there, and it still contained an audit.csv file.
-Removed this file.
-Did the replication to all DCs.
-Ran Gpupdate /force on all DCs.
Bingo!!! Now Security log started logging in the event viewer.
If the issue is still not resolved, check the following locations as well for audit.csv:
C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
C:\Windows\security
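To find the same conflict faster, the following PowerShell script (an added example, not part of the original post) lists the effective auditpol state, the LSA setting that decides whether advanced policy overrides basic policy, every GPO in SYSVOL that still carries an audit.csv or a basic [Event Audit] section, and the local leftover copies named above. It assumes a domain-joined host with the ActiveDirectory and GroupPolicy RSAT modules; the SYSVOL and local paths are the standard ones.

```powershell
# Added example: locate every source of audit policy that can conflict.
# Assumes RSAT modules ActiveDirectory and GroupPolicy are installed.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# 1. Effective policy as the LSA sees it (auditpol /r emits CSV).
$effective = auditpol /get /category:* /r | ConvertFrom-Csv
$noAudit   = @($effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"{0} of {1} subcategories currently report 'No Auditing'" -f $noAudit.Count, @($effective).Count

# 2. SCENoApplyLegacyAuditPolicy = 1 means basic (category) settings are ignored
#    and only the advanced (subcategory) settings apply.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 3. Walk SYSVOL: each folder under Policies is a GPO GUID (the Unique ID shown in GPMC).
$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"
Get-ChildItem -Path $policies -Directory -ErrorAction Stop | ForEach-Object {
    $guid  = $_.Name
    $gpo   = Get-GPO -Guid $guid.Trim('{}') -ErrorAction SilentlyContinue
    $base  = Join-Path $_.FullName 'Machine\Microsoft\Windows NT'
    # Advanced audit policy lives in audit.csv; it can survive after the
    # settings are removed from GPMC, which is exactly what bit us above.
    $advanced = Test-Path (Join-Path $base 'Audit\audit.csv')
    # Basic audit policy lives in GptTmpl.inf under an [Event Audit] section.
    $inf   = Join-Path $base 'SecEdit\GptTmpl.inf'
    $basic = (Test-Path $inf) -and (Select-String -Path $inf -Pattern '^\[Event Audit\]' -Quiet)
    [pscustomobject]@{
        GPO      = if ($gpo) { $gpo.DisplayName } else { '(orphaned folder)' }
        Guid     = $guid
        Basic    = $basic
        Advanced = $advanced
        Conflict = $basic -and $advanced   # both in one GPO; also compare across GPOs
    }
} | Format-Table -AutoSize

# 4. Leftover local copies the post tells you to check.
@(
  "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv",
  "$env:SystemRoot\security\audit\audit.csv"
) | Where-Object { Test-Path $_ } | ForEach-Object { "Local audit.csv still present: $_" }
```

Any GPO listed with Advanced = True after you have removed the advanced settings in GPMC is the stale audit.csv the post describes; a Basic = True GPO and an Advanced = True GPO linked to the same DCs is the cross-GPO conflict.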
Prabhat Nigam
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
March 30th, 2015 at 12:01 am
[…] Active Directory: Where are my Audit Events? – 23-Mar-2015 […]
June 3rd, 2015 at 4:29 am
Hi!
Is there any testing tool for communication between Exchange Server and AD? I'm starting to get an annoying popup message every single day in users' Outlook. Also, when I try to configure a new Outlook client I get a popup message for Autodiscover, and when I log on everything is fine, but I get that popup again after a couple of hours. If there is any solution for this I will be very pleased!
Thanks in advance!
June 3rd, 2015 at 9:35 am
Share the popup screenshot.
Do these users log in to the domain?
What authentication methods are configured on your Exchange for Outlook Anywhere?
June 3rd, 2015 at 10:10 am
It is the standard popup window for a password (https://kurtsh.files.wordpress.com/2012/03/image37.png).
I think it is something about OAB authentication, because the problem started to appear after the resolution of an OAB issue I had before. Now OAB is working fine, everyone can download the OAB, but maybe something is missing in authentication…
These are my Outlook Anywhere properties.
[PS] C:\>Get-OutlookAnywhere |fl
RunspaceId : b19ccb9c-1cf4-43f4-aba7-4b146c18417c
ServerName : servername
SSLOffloading : False
ExternalHostname : mail.contoso.com
InternalHostname : mail.contoso.com
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
XropUrl :
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
MetabasePath : IIS://servername.contoso.com/W3SVC/1/ROOT/Rpc
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 1076.9)
Server : NDA-TC-WSRV10
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=servername,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=contoso,DC=com
Identity : servername\Rpc (Default Web Site)
Guid : f5badefa-a309-4d76-8604-c17199f37c36
ObjectCategory : contoso.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 2015-03-27 00:33:10
WhenCreated : 2015-03-12 14:19:44
WhenChangedUTC : 2015-03-26 23:33:10
WhenCreatedUTC : 2015-03-12 13:19:44
OrganizationId :
Id : servername\Rpc (Default Web Site)
OriginatingServer : servername.contoso.com
IsValid : True
ObjectState : Changed