Troubleshooting

To verify if the desired audit policies and security log settings are configured:

  • Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it. 
  • Open the GPMC, right-click on Group Policy Results, and select Group Policy Results Wizard. Select the computer, and then the user (current user).
  • Verify if the desired settings are configured.

To verify if the desired object-level auditing settings are configured:

Run through steps 1.1, 1.2, and 1.3 of this guide.

To verify if the desired events are getting logged:

  • Log in to any computer with domain admin credentials. 
  • Open Run, then type eventvwr.msc. Right-click on Event Viewer. 
  • Connect to the target computer, then verify if the below event IDs are getting logged under the Removable storage device category. 
    1. Event ID 4663: logs successful attempts to write to or read from a removable storage device. 
    2. Event ID 6416: logs removable device plugins.

View/edit audit actions for Removable Storage Audit

  • Log in to ADAudit Plus' web console → Configuration tab → Configuration → Advanced Configurations.
  • In the Category drop-down, select Removable Storage Audit and select the audit action you want to view/edit.

View/edit report profiles

  • Log in to ADAudit Plus' web console → Configuration tab → Report Profiles → View/Modify Report Profiles.
  • Choose your domain in the Domain drop-down. 
  • In the Category drop-down, select Removable Storage Audit, then select the report profile you want to view/edit.

我们的客户