What checks can be run to understand why LT Auditor+ is not auditing Active Directory/GPO Activity?
If LT Auditor+ is not auditing Active Directory activity, the following checks can be conducted to locate the problem.
- Check the Advanced Audit Policy settings in the Group Policies applied to the Domain Controllers (DCs)
- Check the LT Auditor+ Active Directory Filter (ADA) policies for the DC agents
- Ensure that all DCs are being audited with LT Auditor+
- Check the size of the Windows Security log on each DC
Check Advanced Auditing Policy settings for DC Group Policies
- For guidelines to setup Advanced Auditing policies please refer to the document https://bluelance.com/wp-content/uploads/2015/03/LT-Auditor-Advanced-Auditing-Policies-Settings-.compressed.pdf
- To confirm that these policies are in effect, connect to the DC, open PowerShell or a command prompt, run auditpol /get /category:* and confirm that the subcategories have been configured correctly. Note that auditpol shows the effective setting on that DC, so a subcategory listed as 'No Auditing' means the GPO has not applied to it, whatever the GPO itself says.
- Additional confirmation can be determined by downloading and running the following PowerShell script on the DC. http://bldownloads.blob.core.windows.net/support/Advanced_Auditing.zip
- This script creates a test OU, user and group and performs actions that LT Auditor+ should collect. Before running it, note the current policy with Get-ExecutionPolicy, then run Set-ExecutionPolicy Unrestricted in the PowerShell window so the script is allowed to execute. After the script has run, use Set-ExecutionPolicy Restricted (or the value you noted) to reset it. Note: the script makes no lasting change to Active Directory; it simply creates some objects and removes them as it exits.
- After the script has run, you should be able to run LT Auditor+ reports showing this activity.
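The two confirmation steps above, as an added example written for this article rather than the Blue Lance Advanced_Auditing.zip script: it parses the effective auditpol settings on the DC, warns about subcategories that are not auditing Success, then creates a test OU, user and group, changes them, deletes them, and looks for the corresponding Security log events. The subcategory list, the object names and the five-minute window are assumptions. Run it elevated on a DC that has the ActiveDirectory module.

```powershell
# Added example, not the Blue Lance script. Run elevated on a DC.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# Subcategories that produce the AD/GPO events LT Auditor+ reports on (assumed list).
$required = @(
    'User Account Management',
    'Security Group Management',
    'Directory Service Changes',
    'Directory Service Access',
    'Audit Policy Change',
    'Authentication Policy Change'
)

# auditpol lists each subcategory indented by two spaces, followed by its setting.
$settings = @{}
auditpol /get /category:* | ForEach-Object {
    if ($_ -match '^\s{2}(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$') {
        $settings[$matches[1]] = $matches[2]
    }
}
$missing = $required | Where-Object { $settings[$_] -notmatch 'Success' }
if ($missing) {
    Write-Warning "Not auditing Success for: $($missing -join ', ')"
} else {
    Write-Host 'All required subcategories audit Success.'
}

# Generate activity that LT Auditor+ should collect, then remove it again.
$domainDN = (Get-ADDomain).DistinguishedName
$ou = New-ADOrganizationalUnit -Name 'LTA-AuditTest' -Path $domainDN `
        -ProtectedFromAccidentalDeletion $false -PassThru        # assumed OU name
try {
    $user  = New-ADUser  -Name 'lta-testuser'  -Path $ou.DistinguishedName -Enabled $false -PassThru
    $group = New-ADGroup -Name 'lta-testgroup' -Path $ou.DistinguishedName -GroupScope Global -PassThru
    Add-ADGroupMember    -Identity $group -Members $user
    Set-ADUser           -Identity $user  -Description 'LT Auditor+ audit test'
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
} finally {
    # Deleting the OU recursively removes the user and group as well.
    Remove-ADOrganizationalUnit -Identity $ou -Recursive -Confirm:$false
}

# Security log IDs the actions above should have produced:
# 4720 user created, 4726 user deleted, 4727 global group created, 4730 group deleted,
# 4728 member added, 4729 member removed, 5137 DS object created, 5141 DS object deleted.
$ids = 4720, 4726, 4727, 4730, 4728, 4729, 5137, 5141
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
$seen    = $events.Id | Sort-Object -Unique
$notSeen = $ids | Where-Object { $_ -notin $seen }
if ($notSeen) { Write-Warning "No Security events with ID(s) $($notSeen -join ', ') in the last 5 minutes" }
```

If the 47xx events appear but the 5137/5141 events do not, the audit policy is fine and the missing piece is the SACL on the directory objects (Directory Service Changes events are only written for objects whose SACL audits the operation); if nothing appears at all, fix the audit policy before looking at LT Auditor+ itself.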
Checking LT Auditor+ Active Directory/GPO Policies
Ensure that all DC agent machines are assigned
- Open the LT Auditor+ Manager and access the Domain Controller group that contains the DC agent servers.
- Ensure that the Last Rollup and Status columns are green. If any machine is not green, highlight the server in question and double-click it to display the message stating whether the agent machine is assigned, as shown below:
- If you see the message ‘It is not possible to connect’, either the LT Auditor+ service is not running on the agent server or a firewall is blocking TCP port 2877, which LT Auditor+ requires. In either case no filter policy will be deployed until the issue is resolved.
- If you see the message ‘Agent Status: Free Agent’, the agent machine is not assigned to the LT Auditor+ Manager. This can happen if the agent machine was reimaged without first being detached from the LT Auditor+ Manager. To resolve, upgrade to HF1307; with HF1307, LT Auditor+ automatically reassigns a free agent when the double-click in step 2 above is performed.
Check if there are Active Directory and GPO filter policies
- Active Directory and GPO filter policies are defined by default. Make sure these filter policies have not been disabled or modified. Refer to https://bluelance.com/wp-content/uploads/2015/03/LT-Auditor-Configuration-Guide-2013.compressed.pdf for documentation on configuring LT Auditor+ policies.
Ensure that all DC machines are audited with LT Auditor+
- Validate that LT Auditor+ has been installed on every DC. A change is logged only in the Security log of the DC that processed it, so activity on an unaudited DC never reaches LT Auditor+ and will be missing from reports.
Check the size of the Windows Security Log
- Open Event Viewer on the DC
- Select the Security log, right-click it and choose Properties
- Ensure that the log is set to ‘Overwrite events as needed’ and that the maximum log size is at least 250 MB, as shown below. A smaller log on a busy DC can wrap before the agent collects from it, which shows up as gaps in the audit data.
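The per-DC checks from the last three sections (agent reachable on TCP 2877, agent service running, Security log size and overwrite mode), as an added example that is not part of the Blue Lance article: it enumerates the domain's DCs and reports each one on a single row. The agent service name 'LTAuditor' is an assumption; substitute the real LT Auditor+ service name as shown by Get-Service on a DC. Run it from a machine with the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not Blue Lance code. Assumed service name; real port and log size come from the article.
Import-Module ActiveDirectory
$agentService = 'LTAuditor'   # assumption: replace with the actual LT Auditor+ agent service name
$agentPort    = 2877          # TCP port LT Auditor+ requires
$minLogBytes  = 250MB         # minimum Security log size recommended above

$dcs = (Get-ADDomainController -Filter *).HostName
$results = foreach ($dc in $dcs) {
    # Can the Manager reach the agent port at all?
    $port = Test-NetConnection -ComputerName $dc -Port $agentPort -WarningAction SilentlyContinue

    # Service state and Security log configuration, read on the DC itself.
    $remote = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ArgumentList $agentService -ScriptBlock {
        param($svc)
        $s   = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $log = Get-WinEvent -ListLog Security
        [pscustomobject]@{
            AgentInstalled = [bool]$s
            AgentRunning   = ($s.Status -eq 'Running')
            LogMaxBytes    = $log.MaximumSizeInBytes
            LogMode        = $log.LogMode     # 'Circular' is 'Overwrite events as needed'
        }
    }

    [pscustomobject]@{
        DC             = $dc
        Port2877Open   = $port.TcpTestSucceeded
        AgentInstalled = $remote.AgentInstalled
        AgentRunning   = $remote.AgentRunning
        LogMaxMB       = [int]($remote.LogMaxBytes / 1MB)
        LogMode        = $remote.LogMode
        OK             = $port.TcpTestSucceeded -and $remote.AgentRunning -and
                         ($remote.LogMaxBytes -ge $minLogBytes) -and ($remote.LogMode -eq 'Circular')
    }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.OK } | ForEach-Object { Write-Warning "$($_.DC) needs attention" }
```

A row with Port2877Open false but AgentRunning true points at a firewall between the Manager and the DC; a row with AgentInstalled false is a DC that is not audited at all; LogMode other than Circular or LogMaxMB below 250 corresponds to the Event Viewer settings described above.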