Directory Services Advanced Auditing is not enabled


I have received this alert recently and have tried everything to enable auditing per the recommendation found here: Configure Windows Event collection - Microsoft Defender for Identity | Microsoft Learn

The events are getting into the security logs, but MS Defender for Identity continues to say there is a health issue.

Any ideas?


@MeatHeadPro 

It might be related to a bug we've seen in non-English operating systems.

Could this be the case in your environment as well?

I don't know. What is the bug?
I have fixed this in my 2012 R2 environment since last year.
I have followed the documentation and use the default domain controllers gpo policy. And once it has been applied to all my DCs, the health issue closed itself.

@MeatHeadPro 

The bug (not 100% sure yet) is that the health alert is firing on non-English operating systems (e.g. German) even when the auditing configuration is OK.

Are your servers configured with a non-EN locale?

@Martin_Schvartzman 

They are not, they are configured for US.

We're working on fixing this bug. I'll update this thread once I have more information.

@Martin_Schvartzman is this bug also potentially related to the message "Directory Services Object Auditing is not configured as required"? We are seeing both of these in our environment despite having configured the policy per the documentation. Thanks!

@Martin_Schvartzman I have a support case open regarding an issue like this, OS and Active Directory in German. MS support have been bouncing me around departments for 6 days, and I'm still waiting for someone who knows anything about MDI. I have tried to run your script test-MDIReadiness, but it fails with an error:

Compare-Object : Cannot bind argument to parameter 'DifferenceObject' because it is null.
At C:\Temp\Test-MdiReadiness.ps1:417 char:55
+ $isAdvancedAuditingOk = $null -eq (Compare-Object @compareParams)
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Compare-Object], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.CompareObjectCommand

@Arngrimur Magnusson @MichaelDow @MeatHeadPro 

We found a couple of bugs in the detection logic for this health alert.

One (as mentioned above) for non-English operating systems, and another for domain schemas earlier than 87.

These are fixed as part of v2.201 that should be rolled out starting next week.

@MeatHeadPro 

I apologize, the fix (non-English operating systems, and schemas earlier than 87) in v2.201 is for the Directory Services Object Auditing health alert, and not for the Directory Services Advanced Auditing health alert as you initially reported.

Could you please open a support ticket and share more details on the problem you are facing?


@Arngrimur Magnusson @MichaelDow FYI

Hello @Martin_Schvartzman!

Since activating these rules we're seeing 20GB of log files per DC server. Why? It's an insane amount of data.

@Arngrimur Magnusson 

I updated the script. Please let me know if the issue persists.

@MattiasB3 

The auditing configuration we require shouldn't be causing that.

Please make sure you followed the documentation to enable only the required auditing settings and didn't select all categories for success and failure for the Advanced Auditing nor all the object types and all permissions (List contents, Read all properties and Read permissions should be unchecked) in Object Auditing.
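An added example (not the thread's Test-MdiReadiness script and not Microsoft's code) of checking the effective advanced audit policy on a DC while avoiding the two pitfalls raised above: it keys on subcategory GUIDs rather than localized names, and it guards the empty result that made Compare-Object throw. The required-subcategory table is an assumption; fill it from the documentation linked in the thread.

```powershell
# ASSUMPTION: take the authoritative required list from the MDI documentation linked
# in the thread. Values use auditpol's numeric "Setting Value": 1 = Success,
# 2 = Failure, 3 = Success and Failure. Entries below are illustrative only.
$RequiredAudit = @{
    '{0CCE923F-69AE-11D9-BED3-505054503030}' = 3   # Credential Validation
    '{0CCE9237-69AE-11D9-BED3-505054503030}' = 1   # Security Group Management
    '{0CCE923C-69AE-11D9-BED3-505054503030}' = 1   # Directory Service Changes
}

function Get-EffectiveAuditPolicy {
    # auditpol /backup writes a CSV with a numeric "Setting Value" column, unlike the
    # localized text of "auditpol /get", so it parses the same on a German or English OS.
    $tmp = Join-Path $env:TEMP ("auditpol-{0}.csv" -f [guid]::NewGuid())
    try {
        & auditpol.exe /backup /file:$tmp | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $tmp)) {
            throw "auditpol /backup failed (exit code $LASTEXITCODE); run elevated."
        }
        $rows = Import-Csv -Path $tmp
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    $policy = @{}
    foreach ($row in $rows) {
        $policy[$row.'Subcategory GUID'.ToUpper()] = [int]$row.'Setting Value'
    }
    return $policy
}

function Test-RequiredAuditPolicy {
    param([hashtable]$Required = $RequiredAudit)
    $policy = Get-EffectiveAuditPolicy
    # Guard the case that broke the script in the thread: an empty query result is
    # reported as a failure instead of being handed to Compare-Object as $null.
    if (-not $policy -or $policy.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false; Missing = @('<no audit policy returned>') }
    }
    $missing = foreach ($guid in $Required.Keys) {
        $actual = if ($policy.ContainsKey($guid)) { $policy[$guid] } else { 0 }
        # Bitmask test: "Success and Failure" (3) satisfies a requirement of "Success" (1),
        # so over-audited subcategories pass while missing ones are listed.
        if (($actual -band $Required[$guid]) -ne $Required[$guid]) {
            '{0} (have {1}, need {2})' -f $guid, $actual, $Required[$guid]
        }
    }
    [pscustomobject]@{ Ok = -not $missing; Missing = @($missing) }
}
Test-RequiredAuditPolicy
```

Run it elevated on each DC; a non-empty Missing list points at the subcategories to fix in the Default Domain Controllers GPO, and the GUID column in the same backup CSV shows which subcategories are set to 3 that the documentation only asks for Success on, which is where the log volume reported above tends to come from.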


The issue was fixed with MS support help.

Could you shed any light on the fix? I am going to re-check my customer's config, but I am confident it's correctly configured.

@terryhugill can you share solution?

@Arngrimur Magnusson could you elaborate on the solution please?

@TaurusTec The solution was to follow this guide here
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure...

And in step 9.e. set permission to "Full control"