Forum Discussion
Directory Services Object Auditing is not configured as required - Misconfigured item
Hi,
I get the error "Directory Services Object Auditing is not configured as required on contoso.com. Misconfigured items:". I was following the article linked in the message to configure AD auditing.
Question A) Should the message not include what is misconfigured, or at least a hint?
Question B) I do not see anything reported in the Microsoft.Tri.Sensor.log file, nor does an error log file exist. Any recommendation on how to troubleshoot? (Windows 2012 R2, AD on 2012 R2 FFL and DFL, schema version 69) Thank you.
7 Replies
- DLaudel-TechComm (Copper Contributor)
I'm encountering this in my AD as well. I was able to turn off the new portal redirect and get back to the atp.azure.com site. The error was displayed there:
Directory Services Object Auditing is not configured as required on domain.local. Misconfigured items:
Descendant msDS-GroupManagedServiceAccount Objects (Schema-Id-Guid: 7b8b558a-93a5-4af7-adca-c017e67f1057)
I followed all the steps outlined in the setup for Directory Services Object Auditing. Even went back and started fresh. Still the same error.
Eventually I found Test-MdiReadiness.ps1 (https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) and ran that. Looking at the detailed mdi-domain.json file it creates and searching for the Schema Id Guid above (7b8b558a-93a5-4af7-adca-c017e67f1057), I can see that the expected Access Mask Details are
"CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", and the entry for this Guid only shows "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, WriteDacl, WriteOwner". From that, I guess that this "ExtendedRight" audit entry is not enabled for the msDS-GroupManagedServiceAccount objects. However, looking at the audit entry using the setup method in the Defender for Identity docs, I don't see any entry for "All extended rights" like the one shown on the User, Computer, and Group objects.
I'm at a loss as to where to go from here. The health issue alerts every week and I can't find any way to stop it.
- thalpius (Brass Contributor)
I've created a GUI-based MDI checker which I think is clearer:
https://github.com/thalpius/Microsoft-Defender-for-Identity-Configuration-Checker
Please let me know if you need any more help.
- LutzMH (Copper Contributor)
In my case the "Control access" was not set after I added the object audit settings via ADUC.
1. Open ldp.exe, connect and bind to your domain, right-click on the domain > Advanced > Security Descriptor, check SACL and hit OK.
2. Look for the SACL ACE you are interested in and double-click it.
3. Check the permissions and set what is missing.
thalpius, great tool! Thank you.
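The two posts above check the same thing by hand: whether the domain root SACL carries a Success audit entry for each descendant object class with the full access mask that Test-MdiReadiness expects, and whether "ExtendedRight" (shown as "All extended rights" in ADUC and "Control access" in ldp.exe) is part of it. The following PowerShell is an added example written for this thread; it is not code from any of the posters, from Test-MdiReadiness or from the thalpius checker. It assumes the RSAT ActiveDirectory module, a session that holds "Manage auditing and security log" (needed to read a SACL), and takes the expected access mask from the mdi-domain.json value quoted above. Object classes are resolved to their schemaIDGUID from the schema partition at runtime rather than hard-coded.

```powershell
# Added example (not from this thread's authors, Test-MdiReadiness or the thalpius checker).
# Reads the domain root SACL and reports, per descendant object class that Defender for
# Identity asks to audit, which ActiveDirectoryRights flags are missing from the Success
# audit entries. Assumes the RSAT ActiveDirectory module and SeSecurityPrivilege
# ("Manage auditing and security log"), which Get-Acl -Audit requires.
Import-Module ActiveDirectory

# Expected access mask, taken from the mdi-domain.json value quoted in the thread.
# "ExtendedRight" is what ADUC labels "All extended rights" and ldp.exe labels "Control access".
$ExpectedRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner'

# Object classes by lDAPDisplayName; their schemaIDGUIDs are looked up rather than hard-coded.
$ClassNames = 'user', 'group', 'computer', 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'

function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found in $schemaNC" }
    # schemaIDGUID is stored as a 16-byte octet string
    [guid]::new([byte[]]$class.schemaIDGUID)
}

function Test-MdiObjectAuditing {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    # -Audit is required; without it Get-Acl returns only the DACL
    $acl   = Get-Acl -Path "AD:\$DomainDN" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $success = [int]([System.Security.AccessControl.AuditFlags]::Success)

    foreach ($name in $ClassNames) {
        $guid = Get-SchemaClassGuid -LdapDisplayName $name
        # Only Success entries scoped to descendant objects of this class count; that is how the
        # "Descendant <class> Objects" entries created per the MDI docs appear in the SACL
        $matching = @($rules | Where-Object {
            $_.InheritedObjectType -eq $guid -and
            $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents -and
            (([int]$_.AuditFlags) -band $success) -ne 0
        })

        # Union the rights of every matching ACE, then subtract from the expected mask
        $have = 0
        foreach ($rule in $matching) { $have = $have -bor [int]$rule.ActiveDirectoryRights }
        $missing = [int]$ExpectedRights -band (-bnot $have)
        $missingText = if ($missing -eq 0) { 'none' } else { ([System.DirectoryServices.ActiveDirectoryRights]$missing).ToString() }

        [pscustomobject]@{
            ObjectClass   = $name
            SchemaIdGuid  = $guid
            AuditEntries  = $matching.Count
            # S-1-1-0 is Everyone, the principal the MDI docs use for these entries
            Identities    = (@($matching | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', ')
            MissingRights = $missingText
        }
    }
}

# Any row whose MissingRights is not "none" corresponds to a "Misconfigured items" entry
Test-MdiObjectAuditing | Format-Table -AutoSize
```

Run it on a domain-joined machine as an account that can read the SACL. A row such as msDS-GroupManagedServiceAccount with MissingRights of ExtendedRight reproduces the mdi-domain.json finding from the thread without needing the old portal; the fix is still the one described, adding the missing right to that ACE in ldp.exe or ADUC.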
- bwilliam215 (Copper Contributor)
Lutz Mueller-Hipper, I too am having the same problem, where health alerts are coming in with "Directory Services Object Auditing is not enabled as required". Sadly, the old ATP site is no longer working. I configured object auditing for every domain, configuring Descendant User, Descendant Group, Descendant Computer, Descendant ManagedServiceAccount, and Descendant GroupManagedServiceAccount objects.
It is unfortunate they took the dedicated ATP site. The new security.microsoft.com is missing so much stuff as compared to the ATP site. Hopefully, someone stumbles on this thread and has the answer I need. I will keep hunting for the solution.
Thanks
- Kacper_Burdzy (Copper Contributor)
Hi, have you tried logging into https://<your_workspace_name>.atp.azure.com?
As I can see, the older portal provides some extended information compared to https://security.microsoft.com/. There is also information on which part of Directory Services Object Auditing is misconfigured. I had the same problem and also could not see any hint at security.microsoft.com.
- LutzMH (Copper Contributor)
Thank you for the advice. It allowed me to find where the problem came from. For the user objects, the control access property in the SACL was not set. Thank you!