Directory Services Object Auditing is not configured as required - Misconfigured item
- Feb 10, 2023
Hi, have you tried logging into https://<your_workspace_name>.atp.azure.com?
As I can see, the older portal provides some extended information compared to https://security.microsoft.com/. There is also information about which part of Directory Services Object Auditing is misconfigured. I had the same problem and also could not see any hint at security.microsoft.com.
I'm encountering this in my AD as well. I was able to turn off the new portal redirect and get back to the atp.azure.com site. The error was displayed there:
Directory Services Object Auditing is not configured as required on domain.local. Misconfigured items:
Descendant msDS-GroupManagedServiceAccount Objects (Schema-Id-Guid: 7b8b558a-93a5-4af7-adca-c017e67f1057)
I followed all the steps outlined in the setup for Directory Services Object Auditing. Even went back and started fresh. Still the same error.
Eventually found the Test-MdiReadiness.ps1 (https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) and ran that. Looking at the detailed mdi-domain.json file it creates and searching for the Schema Id Guid above (7b8b558a-93a5-4af7-adca-c017e67f1057), I can see the Access Mask Details that are expected are
I'm at a loss of where to go from here. The health issue alerts every week and I can't find any way to stop it.
https://github.com/thalpius/Microsoft-Defender-for-Identity-Configuration-Checker
Please let me know if you need any more help.
- LutzMH, Mar 18, 2023, Copper Contributor
In my case the "Control access" was not set after I added the object audit settings via ADUC.
1 - Open ldp.exe, connect and bind to your domain, right mouse-click on the domain > Advanced > Security Descriptor, check SACL and hit OK.
2 - Look for the SACL ACE you are interested in and double mouse-click.
3 - Check permissions, set what is missing.
thalpius, great tool! Thank you.
- DLaudel-TechComm, Mar 20, 2023, Copper Contributor
That's exactly the solution I needed. My object auditing settings are now passing the tests in the Test-MdiReadiness.ps1 script.
Thank you!
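The ldp.exe inspection in LutzMH's reply can also be done read-only from PowerShell. This is an added example, not part of the thread or of Test-MdiReadiness.ps1; it assumes the ActiveDirectory module (RSAT) and an account permitted to read the domain SACL, and it reports only whether "Control access" is audited, since the thread does not list the full expected access mask.

```powershell
# Added example: read-only check of the domain-root SACL for the ACE named in the health alert.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to read the SACL.
Import-Module ActiveDirectory

# Schema-Id-Guid of msDS-GroupManagedServiceAccount, as quoted in the health alert
$gmsaGuid = [guid]'7b8b558a-93a5-4af7-adca-c017e67f1057'
$domainDn = (Get-ADDomain).DistinguishedName

# -Audit makes Get-Acl return the SACL as well as the DACL
$acl   = Get-Acl -Path "AD:\$domainDn" -Audit
$rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.InheritedObjectType -eq $gmsaGuid })

if ($rules.Count -eq 0) {
    # No ACE is scoped to descendant gMSA objects at all
    Write-Warning "No audit ACE on $domainDn applies to descendant msDS-GroupManagedServiceAccount objects."
    return
}

# "Control access" in the ldp.exe / ADUC dialogs is ExtendedRight in .NET
$controlAccess = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules | ForEach-Object {
    [pscustomobject]@{
        Identity      = $_.IdentityReference.Value
        AuditFlags    = $_.AuditFlags          # Success / Failure
        Inheritance   = $_.InheritanceType     # e.g. Descendents
        IsInherited   = $_.IsInherited
        Rights        = $_.ActiveDirectoryRights
        ControlAccess = $_.ActiveDirectoryRights.HasFlag($controlAccess)
    }
} | Format-List
```

An ACE that shows `ControlAccess : False` matches the situation LutzMH describes; the fix is still made in the security descriptor editor, and Test-MdiReadiness.ps1 remains the check for the complete set of expected rights.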