So everything appears to work, my Event Log Reader creds work, Solarwinds UDT loves my AD controllers, but I get no User Login info. What is happening? So I did the UDT Compatibility Checker for Users, (that's all I'm getting from my DC's, no WMI which should be fine). I query my DC and I get a nice long list in the Live Log for Event 4768. However, I get no 4769. There's not enough info other than a 4769 is required and I don't know why? How do I get 4769 to turn on in AD? Did I miss something in group policy maybe? I just can't figure it out and I feel so close to getting this working. Please help
OK. I have dug in further and the event 4769 is generated by active directory ONLY in the Advanced Security Audit Account login options and you choose to Audit Kerberos Service Tickets. This is not on by default!!! Audit Kerberos Service Ticket Operations
There's no information from SW other than "4769 should be generated to correspond with 4768 within 20 seconds" blah blah blah. But no, no it should not because AD does not have this option on by default. I fail to see the purpose of 4769 when 4768 generates a login success and location/IP. We have AD Audit from ManageEngine and it pulls just fine on 4768. It is really frustrating having to dig into something that isn't properly documented too. Please fix your Adminstrator's guide to actually detail the requirements, rather than "it should get 4769" when it isn't a default turned on feature of AD. For me to turn this on my domain controllers now is going to be a major headache not to mention a massive increase in events.
Latest Admin guide does not include details about Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations policies.
Will you please followup with doc rep?
Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.