ManageEngine ADAudit Plus is a web-based, real-time Windows Active Directory (AD) change auditing and reporting solution. With ADAudit Plus, enterprises can audit AD, Windows file servers, Windows servers, Windows workstations, NetApp filers, EMC servers, printers, and removable storage devices.
At ADAudit Plus, we make the best effort to ship a product that is ready to go, however the Windows Server environment includes a few configuration hurdles that our customer support is happy to solve when our customers and evaluators call. These are not issues per se but manual configurations that have gone wrong and need detailed configuration at a deeper level.
Let’s take a look at the top ADAudit Plus configuration failures and their solutions.
1. Providing proper privileges
ADAudit Plus instantly starts to audit when the user credential applied to the product is a “Domain Admin” account. When users do not want to provide a Domain Admin account, manually configure the permissions settings to provide the basic privileges required for ADAudit Plus to function properly. In the case of an account with insufficient privileges, the service will fail to collect the audit logs.
2. Security log size
ADAudit Plus periodically collects audit-data from the configured servers and stores the information in the database for reporting. To avoid data loss, we recommend the security log settings below:
Operating system of server | Role | Security log size (MB) | Security log retention |
Windows Server 2003 | Domain controller | 256 | Overwrite events as needed |
Windows Server 2008 and above | Domain controller | 1048 | Overwrite events as needed |
Windows Server 2003 | File server | 256 | Overwrite events as needed |
Windows Server 2008 and above | File server | 4194 | Overwrite events as needed |
Windows Server 2003 | Member server | 256 | Overwrite events as needed |
Windows Server 2008 and above | Member server | 1048 | Overwrite events as needed |
3a. Configuring audit policies and SACLs
Audit policies and system access-control lists (SACLs) must be configured in any Active Directory environment to ensure the relevant audit data is logged into the security logs for the computers or domain controllers you want to audit. ADAudit Plus stores data and reports only from the computers for which audit policies have been enabled.
Active Directory: The “Default Domain Controllers policy” is to be configured for ADAudit Plus to provide audit reports on Active Directory changes logged in security logs of Domain Controllers. Next, the corresponding SACLs to audit the respective AD objects must be set. Audit Policy | SACLs
Windows file servers: ADAudit Plus requires a few settings to be configured for a thorough audit of the file servers. The settings must be configured in the Group Policy object. This Group Policy object (GPO) must then be linked to all file servers that require auditing. Finally, the desired SACLs in the shared file objects must be set. Audit policy | SACLs
Windows member servers: After configuring the GPO, it must be linked to all member servers that require auditing. Local logon audit policy | System event audit policies
File integrity monitoring: Audit critical changes to the configuration and application file systems (log, audit, text, EXE, web, configuration, and database files) along with SACLs for in-depth auditing. Audit policy | SACLs
NetApp filers: Audit the NetApp filers network attached storage (NAS) devices by configuring the required NetApp filer audit policy and SACLs. Audit policy | SACLs
EMC servers: Auditing EMC servers requires the corresponding GPO to be configured and linked to all the EMC servers and the required SACLs be set for thorough auditing. Audit policy | SACLs
Windows workstations: Auditing the logons and logoffs of the user workstations can be done by configuring the required workstations’ audit policies. Audit policy
3b. Configuring the Advanced Audit Policy
Configuring the Advanced Audit Policy in Windows Server (2008 R2, Windows 7, and above) environments ensures only the required security logs for auditing are collected, ensuring that disk space isn’t filled up with unwanted logs.
Domain controllers | Windows file servers | Windows member servers | Windows workstations
4. ADAudit Plus as a service
Run ADAudit Plus as a service for uninterrupted security event logs collection and to process the data for audit reports and alerts.
Please follow the steps below to run ADAudit Plus as a Windows service:
- Stop ADAudit Plus. Start > All Programs > ADAudit Plus > Stop ADAudit Plus.
- Open the Command Prompt. (Right-click Run as administrator for Windows Server 2008).
- Go to <Installation Folder>ADAudit Plus\bin.
- Execute InstallNTService.bat.
- Open the Services.msc and locate the ManageEngine ADAudit Plus service, and right-click Properties.
- Click the Log on tab, select This Account, and provide the credentials (if possible, use an Admin account).
- Start ADAudit Plus.
5. Disk space management
As events occur across domains and servers, the event logs get filled with data, which are processed for meaningful information (reports and forensics) and later archived (to save disk space and for historical reporting); the disk space required to store the ever growing event log data is unique to each organization and depends on the number of domain controllers, file servers, workstations, and more.
Disk space requirements
The hard disk requirements for Active Directory auditing and file server auditing are detailed in this document. The requirements are estimated using a simple calculation based on the number of users, number of days, and the approximate size of an event log.
Disk space alerts
An administrator can configure a threshold value for free disk space. When the free space on the server goes below the threshold, an alert will be sent to the configured email address.
- Check the size of ev_temp, the temp folder, and ensure it is empty or has very few files.
- Check that the logs folder size is not more than 1GB.
6. Installing GPMC on the ADAudit Plus machine
The Group Policy Management Console (GPMC) is needed in the computer where ADAudit Plus is installed to successfully generate advanced GPO reports. GPMC can be downloaded from the following link.
7. Full control on the installation directory for the ADAudit Plus user
ADAudit Plus requires the user installing the product to have complete control over the product installation folders. This requirement ensures the user can successfully apply product licenses, schedule reports, and archive data.
- Go to <Installation folder>\ManageEngine\ADAudit Plus.
- Right-click the ADAudit Plus folder > Properties > Security tab > Edit the ACE.
- Add the logged-on user or service account and provide Full control.
We hope the above solutions answer your ADAudit Plus configuration questions. For assistance with the tips above or with any other configuration issue, please contact our ADAudit Plus support team. We look forward to assisting you in any way we can.
Thank you for choosing ADAudit Plus!