Troubleshooting

To verify if the desired audit policies and security log settings are configured:

• Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.
• Open the GPMC, right-click on Group Policy Results, and select Group Policy Results Wizard. Select the computer, and then the user (current user).
• Verify if the desired settings are configured.

To verify if the desired object-level auditing settings are configured:

Check if object-level auditing is configured for the relevant Domain Controllers, Windows Servers and Workstations.

To verify if the desired events are getting logged:

• Log in to any computer with domain admin credentials.
• Open Run, then type eventvwr.msc. Right-click on Event Viewer.
• Connect to the target computer, then verify if the below event IDs are getting logged under the Removable storage device category.
  • Event ID 4663: logs successful attempts to write to or read from a removable storage device.
  • Event ID 6416: logs removable device plugins.

View/edit audit actions for Removable Storage Audit

• Log in to ADAudit Plus' web console → Configuration tab → Configuration → Advanced Configurations.
• In the Category drop-down, select Removable Storage Audit and select the audit action you want to view/edit.

View/edit report profiles

• Log in to ADAudit Plus' web console → Configuration tab → Report Profiles → View/Modify Report Profiles.
• Choose your domain in the Domain drop-down.
• In the Category drop-down, select Removable Storage Audit, then select the report profile you want to view/edit.