Forum Discussion
Directory Services Advanced Auditing is not enabled
Martin_Schvartzmanis this bug also potentially related to the message, Directory Services Object Auditing is not configured as required? We are seeing both of these in our environment despite having configured the policy per the documentation. Thanks!
Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
At C:\Temp\Test-MdiReadiness.ps1:417 char:55
+ $isAdvancedAuditingOk = $null -eq (Compare-Object @compareParams)
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand
@TaurusTec Hi, how are you doing?
The solution described by @Arngrimur Magnusson solved the issue for your case? (Enabling the full controll on step 9.e from the official documentation https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-domain-object-auditing ?)
- TaurusTec The solution was to follow this guide here
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-domain-object-auditing
And in step 9.e. set permission to "Full control" starman2hevencould you elaborate on the solution please?
terryhugill can you share solution?
- Could you shed any light on the fix? I am going to re-check my customer's config, but I am confident it's correctly configured
- The issue was fixed with MS support help.
- Martin_Schvartzman
Microsoft
The auditing configuration we require shouldn't be causing that.
Please make sure you followed the documentation to enable only the required auditing settings and didn't select all categories for success and failure for the Advanced Auditing nor all the object types and all permissions (List contents, Read all properties and Read permissions should be unchecked) in Object Auditing.
- Martin_Schvartzman
I updated the script. Please let me know if the issue persists.
Hello Martin_Schvartzman!
Since activating these rules we're seeing 20GB/Logfiles per DC-server, why? It's an insane amount of data.
- Martin_Schvartzman
I apologize, the fix (non-English operating systems, and schemas earlier than 87) in v2.201 is for the Directory Services Object Auditing health alert, and not for the Directory Services Advanced Auditing health alert as you initially reported.
Could you please open a support ticket and share more details on the problem you are facing?
- Martin_Schvartzman
starman2heven MichaelDow MeatHeadPro
We found a couple of bugs in the detection logic for this health alert.
One (as mentioned above) for non-English operating systems, and another for domain schemas earlier than 87.
These are fixed as part of v2.201 that should be rolled out starting next week.
