3 Replies Latest reply on Feb 2, 2016 7:17 AM by Deltona

    UDT: User Logins, Event 4768 YES, Event 4769 NO

    dusk2dusk

      So everything appears to work, my Event Log Reader creds work, Solarwinds UDT loves my AD controllers, but I get no User Login info.  What is happening?  So I did the UDT Compatibility Checker for Users, (that's all I'm getting from my DC's, no WMI which should be fine).  I query my DC and I get a nice long list in the Live Log for Event 4768.  However, I get no 4769.  There's not enough info other than a 4769 is required and I don't know why?  How do I get 4769 to turn on in AD?  Did I miss something in group policy maybe?  I just can't figure it out and I feel so close to getting this working.  Please help

        • Re: UDT: User Logins, Event 4768 YES, Event 4769 NO
          dusk2dusk

          OK.  I have dug in further and the event 4769 is generated by active directory ONLY in the Advanced Security Audit Account login options and you choose to Audit Kerberos Service Tickets.   This is not on by default!!!  Audit Kerberos Service Ticket Operations

           

          There's no information from SW other than "4769 should be generated to correspond with 4768 within 20 seconds" blah blah blah.  But no, no it should not because AD does not have this option on by default.  I fail to see the purpose of 4769 when 4768 generates a login success and location/IP.  We have AD Audit from ManageEngine and it pulls just fine on 4768.  It is really frustrating having to dig into something that isn't properly documented too.  Please fix your Adminstrator's guide to actually detail the requirements, rather than "it should get 4769" when it isn't a default turned on feature of AD.  For me to turn this on my domain controllers now is going to be a major headache not to mention a massive increase in events.