Error: "Your default domain audit settings may prevent the 'Who Changed' field from being reported correctly"

Symptoms
  • The Change Summary and the Netwrix Auditor System Health log (Netwrix Auditor log in 6.5 or warning.txt file in 5.0) contain the following warning message: "Your default domain audit settings may prevent the 'Who Changed' field from being reported correctly".
  • "Who Changed" field contains the "System" value.
Cause
Object-level Active Directory auditing settings are not configured for monitoring all possible changes made to Active Directory by any user. Therefore, product reports can contain the "System" value as a source of changes instead of an account name. 
 
Resolution
To monitor all possible changes made to Active Directory by any user, you must make sure that your Active Directory auditing settings are configured properly. To configure these settings, perform the following procedure on the problem domain controller(s): 
 
  1. Navigate to Start --> Programs --> Administrative Tools --> Active Directory Users and Computers. Click View and make sure that the Advanced Features mode is turned on.
  2. Right-click the root domain object, and select Properties.
  3. Navigate to the Security tab and click Advanced. In the Advanced Security Settings dialog, select the Auditing tab.
  4. Do one of the following, depending on the OS:
    • Pre-Windows Server 2012 versions:
      1. Click Add. In the Select user, Computer, Service account, or Group dialog, type "Everyone" in the Enter the object name to select field.
      2. In the Audit Entry dialog that opens, set the "Successful" parameter for all access entries except the following: Full Control, List Contents, Read All Properties and Read Permissions.
      3. Make sure that the Apply these auditing entries to objects and/or containers within this container only check-box is cleared. Also, make sure that the Apply onto parameter is set to "This object and all descendant objects".
    • Windows Server 2012:
      1. Click Add. In the Auditing Entry dialog, click the Select a principal link.
      2. In the Select user, Computer, Service account, or Group dialog, type "Everyone" in the Enter the object name to select field.
      3. Set Type to "Success" and Applies to to "This object and all descendant objects".
      4. Under Permissions, select all check-boxes except the following: Full Control, List Contents, Read All Properties and Read Permissions.
      5. Scroll to the bottom of the list and make sure that the Only apply these auditing settings to objects and/or containers within this container check-box is cleared.
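
A read-only PowerShell check of the result of the procedure above, as an added example that is not part of the original article or Netwrix's own tooling. It assumes the ActiveDirectory module is available; the mapping of the dialog's check-boxes to `ActiveDirectoryRights` flags shown in the comments is an assumption.

```powershell
# Added example: read-only check of the domain root SACL.
# Run elevated in a session where the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn" -Audit   # -Audit also reads the SACL

# Assumed mapping of the dialog's check-boxes to ActiveDirectoryRights flags:
#   List Contents = ListChildren, Read All Properties = ReadProperty,
#   Read Permissions = ReadControl, Full Control = GenericAll (all flags).
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$excluded = [int]($R::ListChildren) -bor [int]($R::ReadProperty) -bor [int]($R::ReadControl)
$expected = [int]($R::GenericAll) -band (-bnot $excluded)

# Keep only Success entries for Everyone (S-1-1-0) that apply to all object
# classes. InheritanceType 'All' is "This object and all descendant objects"
# with the "only within this container" check-box cleared.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules = $acl.GetAuditRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
    $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All -and
    $_.ObjectType -eq [guid]::Empty -and
    $_.InheritedObjectType -eq [guid]::Empty
}

# Union the rights audited by the matching entries and compare with the target.
$covered = 0
foreach ($rule in $rules) { $covered = $covered -bor [int]$rule.ActiveDirectoryRights }
$missing = $expected -band (-bnot $covered)

if ($missing -eq 0) {
    "OK: $domainDn audits every expected operation for Everyone (Success)."
} else {
    "Gap on ${domainDn}: no Success auditing for Everyone on: " +
        [System.DirectoryServices.ActiveDirectoryRights]$missing
}
```

The script only reads the security descriptor; any rights it lists as missing are the ones to enable in the Auditing tab as described in step 4.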