ManageEngine ADAudit Plus is a web-based, real-time, Windows Active Directory change auditing and reporting solution. Enterprises can audit the Windows AD, Windows file servers, Windows servers, Windows workstations, NetApp filers, EMC servers, printers, and removable storage devices.

At ADAudit Plus, we make the best effort to ship a product that is ready to go! Yet the Windows server environment includes a few configuration hurdles that our customer support are happy to solve when our customers and evaluators call. These are not issues per se but manual configurations that have gone wrong and need detailed configuration at a deeper level.

Let’s take a look at the top ADAudit Plus configuration failures and their solutions.

1. Providing proper privileges

ADAudit Plus instantly starts to audit when the user credential applied to the product is a “Domain Admin” account. When users do not want to provide a Domain Admin account, manually configure the permissions settings to provide the basic privileges required for the successful working of ADAudit Plus. In the case of an insufficient privilege account, the service will fail to collect the audit logs.

2. Security log size

ADAudit Plus periodically collects audit-data from the configured servers and stores the information in the database for reporting. To avoid data loss, we recommend the security log settings below:

Operating system of server Role Security log size (MB) Security log retention
Windows Server 2003 Domain controller 256 Overwrite Events As Needed
Windows Server 2008 and above Domain controller 1048 Overwrite Events As Needed
Windows Server 2003 File server 256 Overwrite Events As Needed
Windows Server 2008 and above File server 4194 Overwrite Events As Needed
Windows Server 2003 Member server 256 Overwrite Events As Needed
Windows Server 2008 and above Member server 1048 Overwrite Events As Needed

3a. Configuring audit policy & SACLs

Audit policies and SACLs must be configured in any Active Directory environment to ensure the relevant audit data are logged into the security logs of desired computers or domain controllers. ADAudit Plus stores the data and reports only from the audit policy enabled computers.

Active Directory: The “Default Domain Controllers policy” is to be configured for ADAudit Plus to provide audit reports on Active Directory changes logged in security logs of Domain Controllers. Next, the corresponding SACLs to audit the respective AD objects must be set. Audit Policy | SACLs

Windows file servers: ADAudit Plus requires a few settings to be set for a thorough audit of the file servers. The must be configured in the Group Policy object. This Group Policy object (GPO) must then be linked to all file servers that require audit. Last, the desired SACLs in the shared file objects must be set. Audit Policy | SACLs

Windows member servers: After configuring the GPO, it must be linked to all member servers that require audit. Audit Policy local logon | Audit Policy system events

File integrity monitoring: Audit critical changes to the configuration and application file systems (log, audit, text, exe, web, configuration and DB files) along with SACLs for in-depth auditing. Audit Policy | SACLs

NetApp filers: Audit the NetApp filers network attached storage (NAS) devices by configuring the required NetApp filer audit policy and SACLs. Audit Policy | SACLs

EMC servers: Auditing the EMC servers requires the corresponding GPO is configured and linked to all the EMC servers along with the required SACLs are set for a thorough auditing.Audit Policy | SACLs

Windows workstations: Auditing the logon and logoff of the user workstations can be done by configuring the required workstations audit policy. Audit Policy

3b. Configuring Advanced Audit Policy

Configuring the Advanced Audit Policy in Windows Server (2008 R2, Windows 7 and above) environments ensures only the required security logs for auditing are collected, guaranteeing the disk space does not fill fast with unwanted logs.

Domain controllers | Windows file servers | Windows member servers | Windows workstations

4. ADAudit Plus as a Service

Run ADAudit Plus as a service for uninterrupted security event logs collection and to  process the data for audit reports and alerts.

Please follow the steps below to run ADAudit Plus as a Windows service.

  1. Stop ADAudit Plus (Start > All Programs > ADAudit Plus > Stop ADAudit Plus).
  2. Open the Command Prompt (Right Click > Run as administrator; In case of Windows Server 2008).
  3. Go to <Installation Folder>ADAudit Plus\bin.
  4. Execute ‘InstallNTService.bat’.
  5. Open the Services.msc and locate ‘ManageEngine ADAudit Plus’ Service > Right click > Properties.
  6. Click on ‘Log on’ tab and select ‘This Account’ and provide the credential (If possible, use an Admin account).
  7. Start ManageEngine ADAudit Plus.

5. Disk space management

As events occur across domains and servers, the event logs get filled with data, that are processed for meaningful information (reports / forensics) and later archived (save disk space & for historical reporting); the disk space required to store the ever growing event log data is unique & depends on the number of domain controllers, file servers, workstations and more.

Disk space requirement

The hard disk requirements computation for Active Directory auditing and file server auditing are detailed in the document. The numbers are reached with a simple calculation based on the number of users, number of days, and the approximate size of an event log.

Disk space alerts

An administrator can configure a threshold value for free disk space. When the free space on the server goes below the threshold, an alert will be sent to the configured email address.

  1. Check size of ev_temp, temp folder and ensure it is empty or has very few files.
  2. Check logs folder size is not more than 1 GB.

6. Installing GPMC on ADAudit Plus machine

Group Policy Management Console (GPMC) is needed in the computer where ADAudit Plus is installed for successful “Advanced GPO Reports” generation. GPMC can be downloaded from the following link.

7. Full control on installation directory for ADAudit Plus user

ADAudit Plus requires the user installing the product to be have complete control over the product installation folders. This requirement ensures the user can successfully apply product license, to schedule reports, and archive data.

  1. Go to <Installation folder>\ManageEngine\ADAudit Plus.
  2. Right click on “ADAudit Plus” folder > Properties > Security tab > Edit the ACE >
  3. Add the logged on user / service account and provide “Full control.”.

We hope the above solutions answer your ADAudit Plus configuration questions. For assistance with the tips above or with any other configuration issue, please contact our ADAudit Plus Support. We look forward to assisting you, as always!

Thank you for choosing ADAudit Plus!

Related posts: