Troubleshooting
To verify if the desired audit policies and security log settings are configured:
- Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.
- Open the GPMC, right-click on Group Policy Results, and select Group Policy Results Wizard. Select the computer, and then the user (current user).
- Verify if the desired settings are configured.
To verify if the desired object-level auditing settings are configured:
Run through steps 1.1, 1.2, and 1.3 of this guide.
To verify if the desired events are getting logged:
- Log in to any computer with domain admin credentials.
- Open Run, then type eventvwr.msc. Right-click on Event Viewer.
- Connect to the target computer, then verify if the below event IDs are getting logged under the Removable storage device category.
- Event ID 4663: logs successful attempts to write to or read from a removable storage device.
- Event ID 6416: logs removable device plugins.
View/edit audit actions for Removable Storage Audit
- Log in to ADAudit Plus' web console → Configuration tab → Configuration → Advanced Configurations.
- In the Category drop-down, select Removable Storage Audit and select the audit action you want to view/edit.
View/edit report profiles
- Log in to ADAudit Plus' web console → Configuration tab → Report Profiles → View/Modify Report Profiles.
- Choose your domain in the Domain drop-down.
- In the Category drop-down, select Removable Storage Audit, then select the report profile you want to view/edit.
