ADChangeTracker reports the ‘Change made by’ value for every change made to an AD object in Active Directory. The value is retrieved from the event log of the domain controller on which the change was made. This feature applies to Windows Server 2008 or later operating systems only.

The ‘Change made by’ field in the report may sometimes not be populated immediately after a change is observed in AD (it will be empty/blank in the report window). This may be due to a delay or failure in the ADCT Service application receiving the Event subscription notification. Click the Refresh button in the report window to refresh the ‘Change made by’ field.

If the ‘Change made by’ value remains unavailable, check the following points so that it can be retrieved successfully:

- Select the ‘Use Security event log in DC to retrieve additional Change data (Who & When)’ checkbox in the Add domain or Edit domain dialog.
- Enable the Audit directory service access policy and set it to Success in the Default Domain Controllers Policy, as shown below.
- Select the Write all properties, Delete, Delete subtree and Create all child objects properties for the OU or domain in which you wish to track changes, as shown below.
- Ensure that there is no Event flooding, which may sometimes prevent the ADCT Service application from receiving the subscribed events. For example, ensure that Read all properties is not selected in the object’s Auditing. Selecting this setting creates a flurry of events in the DC and causes Event flooding.
- Disable firewall protection for reading event logs: ensure that Windows Firewall on the target Domain Controller does not block remote clients from reading event logs.
- Ensure that the ‘ADCT Listener Service’ is running on the computer where the AD Change Tracker application is installed (this can be verified in How to view the subscription status of domain controllers?).
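
The audit policy, auditing entries, event volume and firewall points above can be checked from PowerShell on the domain controller. The script below is an added example, not part of ADChangeTracker; it only reads settings. The function name, its parameters and the sample DN are hypothetical, and it assumes Windows Server 2012 or later with the ActiveDirectory module and an English-language system.

```powershell
# Added example: read-only checks for the prerequisites listed above. Run on the
# domain controller, elevated. Assumes Windows Server 2012 or later (NetSecurity
# cmdlets) and the ActiveDirectory module; function and parameter names are hypothetical.
Import-Module ActiveDirectory

function Test-AdctPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $TargetDn,   # DN of the tracked OU or domain
        [int] $FloodWindowMinutes = 10               # look-back window for the event count
    )
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # 1. Audit policy: the Directory Service Access line should report Success.
    $policy = auditpol /get /category:"DS Access" | Select-String 'Directory Service Access'

    # 2. Auditing entries on the target: success-audit rules that apply to all
    #    properties / all child objects (empty ObjectType), and the rights they cover.
    $sacl = (Get-Acl -Path "AD:\$TargetDn" -Audit).Audit | Where-Object {
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
        ($_.ObjectType -eq [guid]::Empty) }
    $audited = 0
    foreach ($rule in $sacl) { $audited = $audited -bor [int]$rule.ActiveDirectoryRights }
    $required = $rights::WriteProperty, $rights::Delete, $rights::DeleteTree, $rights::CreateChild
    $missing  = $required | Where-Object { -not ($audited -band [int]$_) }

    # 3. Flooding: object-access auditing is logged as Security event 4662.
    $recent4662 = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'; Id = 4662
        StartTime = (Get-Date).AddMinutes(-$FloodWindowMinutes)
    } -ErrorAction SilentlyContinue).Count

    # 4. Firewall: inbound rules that let remote clients read the event logs.
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        AuditPolicyLine      = ($policy | ForEach-Object { $_.Line.Trim() }) -join '; '
        MissingAuditedRights = $missing -join ', '          # empty when all four are audited
        ReadPropertyAudited  = [bool]($audited -band [int]$rights::ReadProperty)  # True risks flooding
        Recent4662Count      = $recent4662
        EventLogRulesEnabled = @($fw | Where-Object { $_.Enabled -eq 'True' }).Count
        EventLogRulesTotal   = @($fw).Count
    }
}

# Constructed placeholder DN; replace with the OU or domain being tracked.
Test-AdctPrerequisite -TargetDn 'OU=Staff,DC=example,DC=com'
# On the AD Change Tracker computer (assumes this is the service's display name):
#   Get-Service -DisplayName 'ADCT Listener Service'
```

A non-empty MissingAuditedRights or ReadPropertyAudited = True points to the auditing entries on the OU or domain; EventLogRulesEnabled = 0 points to the firewall item.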