Active Directory (AD) Query does not recognize Users
  • AD Query does not recognize Users, although it is configured successfully.
  • "No AD Query" error message is displayed in SmartView Tracker.
  1. AD Query correlates users to IP addresses by reading Security Event Logs from the domain controllers. By default, the necessary events are logged. If the audit configuration was changed and the necessary events are not logged, AD Query will not be able to correlate users to IP addresses. To verify this, look for the necessary events in the Security Event Log on the domain controllers.

    The necessary events are:

    • Windows 2003 servers: 672, 673, 674
    • Windows 2008 servers: 4624, 4768, 4769, 4770
    • Windows 2012 servers: 4624*, 4768*, 4769*, 4770*

    *4624: An account was successfully logged on.
    *4768: A Kerberos authentication ticket (TGT) was requested.
    *4769: A Kerberos service ticket was requested.
    *4770: A Kerberos service ticket was renewed.

    Note: see "Success Audit" logs for the above events. The AD server may be configured to only log failures.

  2. There have been Windows Management Instrumentation (WMI) related changes on the Domain Controller that require the WMI service to be restarted.
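
The check from step 1 can be scripted on a domain controller. The following PowerShell is an added example, not part of the original solution or a Check Point tool; it covers the Windows 2008/2012 event IDs, and the 24-hour lookback window and English-language audit subcategory names are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
# Event IDs are the Windows 2008/2012 ones listed in step 1.
$requiredIds   = 4624, 4768, 4769, 4770
$lookbackHours = 24                  # assumption: adjust to your environment
$auditSuccess  = 9007199254740992    # "Audit Success" keyword (0x20000000000000)

$since  = (Get-Date).AddHours(-$lookbackHours)
$report = foreach ($id in $requiredIds) {
    $filter = @{
        LogName   = 'Security'
        Id        = $id
        StartTime = $since
        Keywords  = $auditSuccess    # only Success Audit records, per the note in step 1
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        EventId           = $id
        SuccessAuditCount = $events.Count     # capped at 1000 by -MaxEvents
        Newest            = if ($events.Count) { $events[0].TimeCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { $_.SuccessAuditCount -eq 0 })
if ($missing.Count -gt 0) {
    Write-Warning ("No Success Audit events for ID(s): " + ($missing.EventId -join ', '))
    # Show the effective audit policy for the subcategories that produce these events.
    # Subcategory names are the English-language ones (assumption).
    foreach ($sub in 'Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
        auditpol /get /subcategory:"$sub"
    }
}
```

A zero count is only meaningful if users actually logged on to the domain during the lookback window. If `auditpol` shows "Failure" or "No Auditing" for a subcategory, the domain controller is not writing the Success Audit events that AD Query reads.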
