ManageEngine ADAudit Plus is a web-based, real-time, Windows Active Directory change auditing and reporting solution. Enterprises can audit the Windows AD, Windows file servers, Windows servers, Windows workstations, NetApp filers, EMC servers, printers, and removable storage devices.
At ADAudit Plus, we make the best effort to ship a product that is ready to go! Yet the Windows server environment includes a few configuration hurdles that our customer support are happy to solve when our customers and evaluators call. These are not issues per se but manual configurations that have gone wrong and need detailed configuration at a deeper level.
Let’s take a look at the top ADAudit Plus configuration failures and their solutions.
1. Providing proper privileges
ADAudit Plus instantly starts to audit when the user credential applied to the product is a “Domain Admin” account. When users do not want to provide a Domain Admin account, manually configure the permissions settings to provide the basic privileges required for the successful working of ADAudit Plus. In the case of an insufficient privilege account, the service will fail to collect the audit logs.
2. Security log size
ADAudit Plus periodically collects audit-data from the configured servers and stores the information in the database for reporting. To avoid data loss, we recommend the security log settings below:
Operating system of server | Role | Security log size (MB) | Security log retention |
Windows Server 2003 | Domain controller | 256 | Overwrite Events As Needed |
Windows Server 2008 and above | Domain controller | 1048 | Overwrite Events As Needed |
Windows Server 2003 | File server | 256 | Overwrite Events As Needed |
Windows Server 2008 and above | File server | 4194 | Overwrite Events As Needed |
Windows Server 2003 | Member server | 256 | Overwrite Events As Needed |
Windows Server 2008 and above | Member server | 1048 | Overwrite Events As Needed |
3a. Configuring audit policy & SACLs
Audit policies and SACLs must be configured in any Active Directory environment to ensure the relevant audit data are logged into the security logs of desired computers or domain controllers. ADAudit Plus stores the data and reports only from the audit policy enabled computers.
Active Directory: The “Default Domain Controllers policy” is to be configured for ADAudit Plus to provide audit reports on Active Directory changes logged in security logs of Domain Controllers. Next, the corresponding SACLs to audit the respective AD objects must be set. Audit Policy | SACLs
Windows file servers: ADAudit Plus requires a few settings to be set for a thorough audit of the file servers. The must be configured in the Group Policy object. This Group Policy object (GPO) must then be linked to all file servers that require audit. Last, the desired SACLs in the shared file objects must be set. Audit Policy | SACLs
Windows member servers: After configuring the GPO, it must be linked to all member servers that require audit. Audit Policy local logon | Audit Policy system events
File integrity monitoring: Audit critical changes to the configuration and application file systems (log, audit, text, exe, web, configuration and DB files) along with SACLs for in-depth auditing. Audit Policy | SACLs
NetApp filers: Audit the NetApp filers network attached storage (NAS) devices by configuring the required NetApp filer audit policy and SACLs. Audit Policy | SACLs
EMC servers: Auditing the EMC servers requires the corresponding GPO is configured and linked to all the EMC servers along with the required SACLs are set for a thorough auditing.Audit Policy | SACLs
Windows workstations: Auditing the logon and logoff of the user workstations can be done by configuring the required workstations audit policy. Audit Policy
3b. Configuring Advanced Audit Policy
Configuring the Advanced Audit Policy in Windows Server (2008 R2, Windows 7 and above) environments ensures only the required security logs for auditing are collected, guaranteeing the disk space does not fill fast with unwanted logs.
Domain controllers | Windows file servers | Windows member servers | Windows workstations
4. ADAudit Plus as a Service
Run ADAudit Plus as a service for uninterrupted security event logs collection and to process the data for audit reports and alerts.
Please follow the steps below to run ADAudit Plus as a Windows service.
- Stop ADAudit Plus (Start > All Programs > ADAudit Plus > Stop ADAudit Plus).
- Open the Command Prompt (Right Click > Run as administrator; In case of Windows Server 2008).
- Go to
ADAudit Plusbin. - Execute ‘InstallNTService.bat’.
- Open the Services.msc and locate ‘ManageEngine ADAudit Plus’ Service > Right click > Properties.
- Click on ‘Log on’ tab and select ‘This Account’ and provide the credential (If possible, use an Admin account).
- Start ManageEngine ADAudit Plus.
5. Disk space management
As events occur across domains and servers, the event logs get filled with data, that are processed for meaningful information (reports / forensics) and later archived (save disk space & for historical reporting); the disk space required to store the ever growing event log data is unique & depends on the number of domain controllers, file servers, workstations and more.
Disk space requirement
The hard disk requirements computation for Active Directory auditing and file server auditing are detailed in the document. The numbers are reached with a simple calculation based on the number of users, number of days, and the approximate size of an event log.
Disk space alerts
An administrator can configure a threshold value for free disk space. When the free space on the server goes below the threshold, an alert will be sent to the configured email address.
- Check size of ev_temp, temp folder and ensure it is empty or has very few files.
- Check logs folder size is not more than 1 GB.
6. Installing GPMC on ADAudit Plus machine
Group Policy Management Console (GPMC) is needed in the computer where ADAudit Plus is installed for successful “Advanced GPO Reports” generation. GPMC can be downloaded from the following link.
7. Full control on installation directory for ADAudit Plus user
ADAudit Plus requires the user installing the product to be have complete control over the product installation folders. This requirement ensures the user can successfully apply product license, to schedule reports, and archive data.
- Go to
ManageEngineADAudit Plus. - Right click on “ADAudit Plus” folder > Properties > Security tab > Edit the ACE >
- Add the logged on user / service account and provide “Full control.”.
We hope the above solutions answer your ADAudit Plus configuration questions. For assistance with the tips above or with any other configuration issue, please contact our ADAudit Plus Support. We look forward to assisting you, as always!
Thank you for choosing ADAudit Plus!
You Can Learn More About the ManageEngine Product Line By Going to manageengine.optrics.com
The original article/video can be found at Solutions from ADAudit Plus for Configuration Failures