Forum Discussion

MeatHeadPro's avatar
MeatHeadPro
Copper Contributor
Jan 20, 2023

Directory Services Advanced Auditing is not enabled

I have received this alert recently and have tried everything to enable auditing per the recommendation found here https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-coll...
starman2heven's avatar
starman2heven
Brass Contributor
Mar 13, 2023
Martin_Schvartzman I have a support case open regarding issue like this, OS and Active Directory in German. MS support have been bouncing my around departments for 6 days, I'm still waiting for someone who knows anything about MDI. I have tried to run your script test-MDIReadiness, but it fails with an error:

Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
At C:\Temp\Test-MdiReadiness.ps1:417 char:55
+ $isAdvancedAuditingOk = $null -eq (Compare-Object @compareParams)
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand
Martin_Schvartzman's avatar
Martin_Schvartzman
Icon for Microsoft rankMicrosoft
Mar 22, 2023

starman2heven MichaelDow MeatHeadPro 

We found a couple of bugs in the detection logic for this health alert.

One (as mentioned above) for non-English operating systems, and another for domain schemas earlier than 87.

These are fixed as part of v2.201 that should be rolled out starting next week.

  • arthurffdomingues's avatar
    arthurffdomingues
    Copper Contributor
    Jul 25, 2024

     

    @TaurusTec Hi, how are you doing?

     

    The solution described by @Arngrimur Magnusson solved the issue for your case? (Enabling the full controll on step 9.e from the official documentation https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-domain-object-auditing ?)

     

  • starman2heven's avatar
    starman2heven
    Brass Contributor
    Dec 06, 2023
    TaurusTec The solution was to follow this guide here
    https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-domain-object-auditing

    And in step 9.e. set permission to "Full control"
  • TaurusTec's avatar
    TaurusTec
    Brass Contributor
    Sep 08, 2023

    starman2hevencould you elaborate on the solution please?

  • terryhugill's avatar
    terryhugill
    Brass Contributor
    Jun 21, 2023
    Could you shed any light on the fix? I am going to re-check my customer's config, but I am confident it's correctly configured
  • starman2heven's avatar
    starman2heven
    Brass Contributor
    Apr 17, 2023
    The issue was fixed with MS support help.
  • Martin_Schvartzman's avatar
    Martin_Schvartzman
    Icon for Microsoft rankMicrosoft
    Apr 12, 2023

    MattiasB3 

    The auditing configuration we require shouldn't be causing that.

    Please make sure you followed the documentation to enable only the required auditing settings and didn't select all categories for success and failure for the Advanced Auditing nor all the object types and all permissions (List contents, Read all properties and Read permissions should be unchecked) in Object Auditing.

     

  • MattiasB3's avatar
    MattiasB3
    Copper Contributor
    Apr 11, 2023

    Hello Martin_Schvartzman!

    Since activating these rules we're seeing 20GB/Logfiles per DC-server, why? It's an insane amount of data.

     

  • Martin_Schvartzman's avatar
    Martin_Schvartzman
    Icon for Microsoft rankMicrosoft
    Mar 28, 2023

    MeatHeadPro 

    I apologize, the fix (non-English operating systems, and schemas earlier than 87) in v2.201 is for the Directory Services Object Auditing health alert, and not for the Directory Services Advanced Auditing health alert as you initially reported.

    Could you please open a support ticket and share more details on the problem you are facing?

     

    starman2heven MichaelDow FYI