How to get the ‘Change made by’ value successfully?

ADChangeTracker reports the ‘Change made by’ value for every change to an AD object in Active Directory. The value is retrieved from the event log of the domain controller on which the change is made. This feature is applicable for Windows Server 2008 or later operating systems only.

The ‘Change made by’ field in the report is sometimes not populated immediately after a change is observed in AD (it appears empty/blank in the report window). This may be due to a delay or failure in the ADCT Service application receiving the Event subscription notification. Click the Refresh button in the report window to refresh the ‘Change made by’ field.

If the ‘Change made by’ value remains unavailable, check the following points so that it can be retrieved successfully:

  1. Select the ‘Use Security event log in DC to retrieve additional Change data (Who & When)’ checkbox in the Add domain or Edit domain dialog.

  2. Enable the ‘Audit directory service access’ policy and set it to Success in the Default Domain Controllers Policy as shown below.


  3. Select the ‘Write all properties’, ‘Delete’, ‘Delete subtree’ and ‘Create all child objects’ properties for the OU or domain in which you wish to track changes as shown below.


  4. Ensure that there is no Event flooding, which may sometimes prevent the ADCT Service application from receiving the subscribed events. For example, ensure that ‘Read all properties’ is not selected in the object’s Auditing settings. Selecting this setting creates a flurry of events on the DC and causes Event flooding.

  5. Disable firewall protection to read event logs: Ensure that Windows Firewall on the target Domain Controller does not prevent remote clients from reading its event logs.

  6. Ensure that the ‘ADCT Listener Service’ is running on the computer where the AD Change Tracker application is installed (can be verified in How to view the subscription status of domain controllers?).
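
Steps 2 to 5 can be checked read-only on the domain controller with the script below. It is an added example, not part of ADChangeTracker; it assumes an English OS, an elevated session, the ActiveDirectory and NetSecurity modules (Windows Server 2012 or later), and a constructed placeholder DN in $TargetDn. The firewall check lists the built-in Remote Event Log Management rule group, which is the inbound exception used for remote event log reads.

```powershell
# Added example (not ADChangeTracker code): read-only check of steps 2-5,
# run in an elevated session on the domain controller being tracked.
# Assumes English OS strings, the ActiveDirectory module (RSAT), and the
# NetSecurity module (Windows Server 2012 or later).
Import-Module ActiveDirectory

$TargetDn = 'OU=Staff,DC=example,DC=com'   # constructed placeholder DN

# Step 2: effective audit settings for the DS Access category.
$dsAccess = @(auditpol /get /category:"DS Access" |
    Where-Object { $_ -match 'Directory Service' } |
    ForEach-Object { $_.Trim() })
$dsAccess
if (-not ($dsAccess -match 'Success')) {
    Write-Warning 'Step 2: no DS Access subcategory is audited for Success.'
}

# Steps 3 and 4: Success audit entries (SACL) on the tracked OU or domain.
# An empty ObjectType GUID means "all properties" / "all child objects".
$sacl = @((Get-Acl -Path "AD:\$TargetDn" -Audit).Audit | Where-Object {
    ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
    $_.ObjectType -eq [guid]::Empty
})

function Test-AuditedRight([string]$Right) {
    $flag = [int][System.DirectoryServices.ActiveDirectoryRights]$Right
    [bool]($sacl | Where-Object { [int]$_.ActiveDirectoryRights -band $flag })
}

# UI names map to: Write all properties = WriteProperty, Delete = Delete,
# Delete subtree = DeleteTree, Create all child objects = CreateChild.
foreach ($right in 'WriteProperty', 'Delete', 'DeleteTree', 'CreateChild') {
    if (-not (Test-AuditedRight $right)) {
        Write-Warning "Step 3: $right is not audited for Success on $TargetDn."
    }
}
if (Test-AuditedRight 'ReadProperty') {
    Write-Warning 'Step 4: Read all properties is audited; expect event flooding.'
}

# Step 5: inbound rules that let remote clients read this DC's event logs.
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Profile, Action
```

No warnings plus enabled Allow rules in the last table means steps 2 to 5 are in place on that domain controller; step 6 is verified on the computer running the application.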