Notice: Due to size constraints and loading performance considerations, scripts referenced in blog posts are not attached directly. To request access, please complete the following form: Script Request Form Note: A Google account is required to access the form.
Disclaimer: I do not accept responsibility for any issues arising from scripts being run without adequate understanding. It is the user's responsibility to review and assess any code before execution. More information

Resolving “Directory Services Advanced Auditing is not enabled”

When deploying Microsoft Defender for Identity sensors on domain controllers, you may encounter the health issue "Directory Services Advanced Auditing is not enabled as required." It means the domain controllers are not configured to generate the specific Windows Security event log entries that Defender for Identity relies on for its detections. The sensor itself is fine; the health issue is pointing you at a configuration problem on the domain controllers.

What Defender for Identity Actually Requires

Based on Microsoft's official documentation, Defender for Identity requires specific Advanced Audit Policy configurations to capture critical security events. The sensor validates these configurations once daily and reports health issues when requirements aren't met.

Required Advanced Audit Policy Settings

The following audit policies must be configured exactly as shown:

Account Management:

  • Audit Computer Account Management: Success, Failure
  • Audit Distribution Group Management: Success, Failure
  • Audit Security Group Management: Success, Failure
  • Audit User Account Management: Success, Failure

DS Access:

  • Audit Detailed Directory Service Replication: Failure
  • Audit Directory Service Replication: Failure
  • Audit Directory Service Access: Success, Failure
  • Audit Directory Service Changes: Success, Failure

Object Access:

  • Audit File System: Success, Failure

Account Logon:

  • Audit Credential Validation: Success, Failure

System:

  • Audit Security System Extension: Success, Failure

These policies should be configured through Group Policy under: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies

When configured correctly, the Audit Policies node should look like this:


Other Network Security Settings

You also need to configure the following NTLM auditing settings, found under Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options. They make the domain controllers write NTLM authentication details to the Microsoft-Windows-NTLM/Operational log (Event ID 8004), which Defender for Identity also consumes:

  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic, set to Enable auditing for all accounts
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain, set to Enable all
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, set to Audit all

This should look like this when set correctly:
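The three Security Options above are stored as registry values under the LSA and Netlogon keys, so they can be checked without opening gpedit. The script below is an added example and is not code from the original post; it reads the values a domain controller should have after the GPO has applied, and then looks for a recent 8004 event as a sanity check that NTLM auditing is actually producing data. The registry paths and numeric values are the standard mappings for these policies; compare with your own gpresult output if they differ in your environment.

```powershell
# Added example (not from the original post): verify the "Restrict NTLM" audit settings
# on this domain controller via the registry values the policies write, then confirm
# that NTLM audit events (8004) are being generated.
# Run in an elevated Windows PowerShell session on the domain controller.

$checks = @(
    @{ Policy   = 'Audit Incoming NTLM Traffic = Enable auditing for all accounts'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'AuditReceivingNTLMTraffic'
       Expected = 2 },
    @{ Policy   = 'Outgoing NTLM traffic to remote servers = Audit all'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictSendingNTLMTraffic'
       Expected = 1 },
    @{ Policy   = 'Audit NTLM authentication in this domain = Enable all'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'AuditNTLMInDomain'
       Expected = 7 }
)

$results = foreach ($c in $checks) {
    # A missing value means the policy was never applied (the GPO is not linked, or
    # gpupdate has not run yet), which is just as much a finding as a wrong value.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Policy    = $c.Policy
        Value     = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

# Even with the policy set, a DC that sees no NTLM traffic writes no 8004 events,
# so treat "no events" as informational rather than as a failure.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004
    StartTime = (Get-Date).AddHours(-24)
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($recent) {
    Write-Host ('NTLM auditing is producing events; most recent 8004 at {0}.' -f $recent.TimeCreated)
} else {
    Write-Host 'No 8004 events in the last 24 hours (no NTLM traffic, or auditing not yet applied).'
}

if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more Restrict NTLM audit settings differ from what Defender for Identity expects.'
}
```

If a value is reported as "(not set)" on a freshly configured DC, run gpupdate /force and check again before assuming the policy is wrong; the registry only reflects the setting once the GPO has actually been processed.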


Validation Commands

You can verify these settings are applied using:

auditpol /get /subcategory:"Credential Validation"
auditpol /get /subcategory:"Computer Account Management"
auditpol /get /subcategory:"Distribution Group Management"
auditpol /get /subcategory:"Security Group Management"
auditpol /get /subcategory:"User Account Management"
auditpol /get /subcategory:"Detailed Directory Service Replication"
auditpol /get /subcategory:"Directory Service Replication"
auditpol /get /subcategory:"Directory Service Access"
auditpol /get /subcategory:"Directory Service Changes"
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Security System Extension"

Each should return the Success/Failure setting listed above. Note that auditpol reports the effective policy on the local machine, so run it on each domain controller (after gpupdate /force) rather than on the machine you edited the GPO from.
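Running the auditpol commands one at a time and eyeballing the output does not scale to a fleet of domain controllers, and a single missed subcategory is enough to keep the health issue open. The following script is an added example, not code from the original post: it encodes the required settings from the list above, asks auditpol for each subcategory in CSV form (/r), and reports exactly which subcategories deviate. The subcategory names are the English ones; on a non-English Windows install, auditpol expects the localized names (or you can pass the subcategory GUIDs instead).

```powershell
# Added example (not from the original post): compare this domain controller's effective
# Advanced Audit Policy with the subcategory settings Defender for Identity requires.
# Run in an elevated Windows PowerShell session on the domain controller.

# Required settings, as listed in the post. "Exactly as shown" is enforced below,
# so a subcategory set to "Success and Failure" where only "Failure" is required is
# reported as a deviation rather than silently accepted.
$required = [ordered]@{
    'Credential Validation'                  = 'Success and Failure'
    'Computer Account Management'            = 'Success and Failure'
    'Distribution Group Management'          = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'User Account Management'                = 'Success and Failure'
    'Detailed Directory Service Replication' = 'Failure'
    'Directory Service Replication'          = 'Failure'
    'Directory Service Access'               = 'Success and Failure'
    'Directory Service Changes'              = 'Success and Failure'
    'File System'                            = 'Success and Failure'
    'Security System Extension'              = 'Success and Failure'
}

function Get-EffectiveAuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # With /r auditpol prints CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # "Inclusion Setting" is one of: No Auditing, Success, Failure, Success and Failure.
    $rows = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    if (-not $rows) {
        throw "auditpol returned nothing for '$Subcategory' (not elevated, or the name is localized?)"
    }
    return $rows[0].'Inclusion Setting'
}

$results = foreach ($name in $required.Keys) {
    $actual = Get-EffectiveAuditSetting -Subcategory $name
    [pscustomobject]@{
        Subcategory = $name
        Required    = $required[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $required[$name])
    }
}

$results | Format-Table -AutoSize

$deviations = @($results | Where-Object { -not $_.Compliant })
if ($deviations.Count -gt 0) {
    Write-Warning ('{0} subcategory setting(s) on {1} do not match the Defender for Identity requirement.' -f
        $deviations.Count, $env:COMPUTERNAME)
    exit 1
}
Write-Host ('All required Advanced Audit Policy subcategories are set as required on {0}.' -f $env:COMPUTERNAME)
```

Because the script exits non-zero on any deviation, it can be pushed to every domain controller with Invoke-Command and the exit codes collected, which gives a quick answer to "which DC is still raising the health issue" without logging on to each one.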

The Missing Piece: Active Directory Object Auditing

The most common cause of this health issue isn't the Advanced Audit Policy settings themselves - it's the lack of object-level auditing configuration on Active Directory objects.

Even with perfect audit policies, you won't see events like:

  • Event ID 5137 (Directory service object created)
  • Event ID 5138 (Directory service object undeleted)
  • Event ID 5139 (Directory service object moved)

These events belong to the Audit Directory Service Changes subcategory, but enabling the subcategory is not enough on its own: Windows only writes them for objects whose System Access Control List (SACL) contains an auditing entry matching the operation. With no SACL on the directory objects, the subcategory is enabled and nothing is logged.

Configuring Active Directory Object Auditing

To generate the missing events, you need to configure auditing on the domain root:

  1. Open Active Directory Users and Computers
  2. Enable Advanced Features (View → Advanced Features)
  3. Right-click on the domain root (e.g., contoso.com)
  4. Properties → Security → Advanced → Auditing
  5. Add auditing entries for privileged groups

Recommended Security Groups for Auditing

Configure auditing for these specific privileged groups:

  • Enterprise Admins
  • Domain Admins
  • Account Operators

Configure each of these groups as the principal of an auditing entry with Full Control, for both Success and Failure, applied to This object and all descendant objects. Keep in mind what the principal means in a SACL: it is the account whose access is audited, so these entries record what members of those groups do to any object in the domain. Because the SACL is part of the object's security descriptor, the change replicates to every domain controller, and it only needs to be made once.
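The same auditing entries can be set without clicking through the ADUC Advanced Security dialog, which also makes the change repeatable across test and production forests. The script below is an added example and is not code from the original post; it resolves the three groups from the post, adds one auditing entry per group to the domain root with the settings described above (Full Control, Success and Failure, this object and all descendants), and then reads the SACL back so you can see what was written. It assumes the ActiveDirectory module is available and that it is run in an elevated Windows PowerShell 5.1 session on a domain controller, since writing a SACL requires SeSecurityPrivilege and the AD: drive is provided by that module.

```powershell
# Added example (not from the original post): add the post's recommended auditing entries
# to the domain root with PowerShell instead of the ADUC GUI.
# Assumes: ActiveDirectory module, elevated Windows PowerShell 5.1 on a domain controller.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# -Audit is what makes Get-Acl read the SACL as well as the DACL; without it,
# Set-Acl would write an empty SACL back.
$acl = Get-Acl -Path "AD:\$domainDN" -Audit

# Enterprise Admins only exists in the forest root domain, so resolve it there.
$forestRoot = (Get-ADForest).RootDomain
$groups = @(
    Get-ADGroup -Identity 'Enterprise Admins' -Server $forestRoot
    Get-ADGroup -Identity 'Domain Admins'
    Get-ADGroup -Identity 'Account Operators'
)

$rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll          # Full Control
$flags       = [System.Security.AccessControl.AuditFlags]::Success -bor
               [System.Security.AccessControl.AuditFlags]::Failure                    # Success, Failure
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All     # this object and all descendants

foreach ($group in $groups) {
    # Skip groups that already have an equivalent explicit entry, so re-running is safe.
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $group.SID -and
            $_.ActiveDirectoryRights -eq $rights -and
            $_.AuditFlags -eq $flags -and
            $_.InheritanceType -eq $inheritance
        }
    if ($existing) {
        Write-Host ('Auditing entry for {0} already present, skipping.' -f $group.Name)
        continue
    }

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $group.SID, $rights, $flags, $inheritance)
    $acl.AddAuditRule($rule)
    Write-Host ('Adding auditing entry for {0}.' -f $group.Name)
}

Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Read the SACL back from the directory and show the explicit entries on the domain root.
(Get-Acl -Path "AD:\$domainDN" -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } },
                  ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize
```

After the SACL is in place, a quick functional test is to create and then delete a throwaway OU as a member of one of those groups and check the Security log on the DC you were connected to with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137,5141} -MaxEvents 5`. One caveat worth knowing before rolling this out: a Full Control entry with Success auditing also audits read access, so the same DCs will now log a 4662 for every read these accounts perform under the domain root. If that volume becomes a problem, Microsoft's own object-auditing guidance for Defender for Identity clears List contents, Read all properties and Read permissions from the entry, which keeps the change events the sensor needs while dropping most of the read noise.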

Confirm in Defender for Identity

To confirm the fix, navigate to https://security.microsoft.com/securitysettings/identities and choose General > Sensors. Every sensor should be reported as Healthy, as below:


Conclusion

The "Directory Services Advanced Auditing is not enabled" health issue raised by the Defender for Identity sensor occurs when either the Advanced Audit Policies aren't configured correctly, or, more commonly, when Active Directory object auditing isn't enabled on the domain root.

Both components are required:

  1. Advanced Audit Policies enable the audit subcategories. Some guides omit the Account Logon category (Audit Credential Validation); the list earlier in this post includes it.
  2. Active Directory object SACLs generate the actual events.

Once properly configured, wait up to 10 minutes for the Defender for Identity sensor to detect the changes and clear the health issue.

PS: If you are really impatient, restart the Azure Advanced Threat Protection Sensor Updater service (AATPSensorUpdater). That restarts both sensor services and prompts an immediate re-check of sensor health.
