📄️ AAL test
Shows PowerShell test steps to validate Administrator Audit Logging connectivity from the Netwrix host to Exchange and how to troubleshoot the "Administrator Audit Logging is not configured" error.
📄️ Account lockout events for domain administrator ac
Explains why Netwrix Auditor may report "User Account Locked Out" for a domain administrator account that cannot actually be locked out, and why such events are included in reports and alerts.
📄️ Account lockouts are displayed with delay
Explains why account lockouts may appear with a delay in NetWrix Account Lockout Examiner and how to resolve the issue by monitoring all domain controllers and changing event processing settings.
📄️ Additional Audit Details: How it Works
Explains the additional audit details that Netwrix Auditor can collect—originating workstation and group membership—and lists the reports that include these details, plus configuration considerations for Security event log and Audit logon events.
📄️ Administrator Audit Logging (AAL) configuration de
Explains why and how to enable Administrator Audit Logging (AAL) on Exchange servers for Netwrix Auditor, including the required commands and details about excluded cmdlets.
📄️ An unknown file type or a file with a custom exten
Shows how to map a custom or incorrect file extension to a known content type so text extraction succeeds.
📄️ Archive Service is Busy Processing Activity Record
Explains why Netwrix Auditor displays "Archive Service is busy processing activity records" and provides troubleshooting steps for SQL Server and Long-Term Archive causes.
📄️ Audit Status shows "Logon auditing is disabled"
Explains why some Domain Controllers show "Logon Auditing is disabled" in Audit Status and how to resolve it by configuring audit or advanced audit policies or by disabling the audit status check.
📄️ Audit Trails Are Incorrect in Netwrix Auditor
This article explains how to resolve the "Audit trails are incorrect" error in Netwrix Auditor file server monitoring by correcting object-level auditing and inheritance settings on the file server.
📄️ Configure IIS Monitoring
This article provides step-by-step instructions on configuring Internet Information Services (IIS) events monitoring using Netwrix Auditor.
📄️ Auditing Distributed File Systems with Replication
Instructions to configure auditing for Distributed File Systems with replication (DFSR) in Netwrix Auditor, including prerequisites, SACL replication considerations, staging area sizing, and related resources.
📄️ Auditing of Configuration Container and Schema
Explains how to enable object-level auditing for the Configuration and Schema containers so the "Who Changed" field is reported correctly in Netwrix Auditor. Includes a link to detailed steps for Active Directory object-level auditing.
📄️ Auditor Glossary: Abbreviations and Acronyms
Glossary of abbreviations and acronyms used in Netwrix Auditor to help you understand folder/file structure and communicate with Technical Support.
📄️ Best Practices for Securing Netwrix Auditor
Best practices for securing Netwrix Auditor, covering host access, role management, service monitoring, Microsoft security tools, auditing of related systems, and offline backups of the Long-Term Archive.
📄️ Can I specify a group other than the Everyone group in the audit settings?
Explains whether you can specify a group other than the Everyone group in the audit settings and the implications for monitoring and event volume.
📄️ Change Data Collecting Account Password in Netwrix
Learn how to update the password for the data-collection account used by multiple monitoring plans in Netwrix Auditor.
📄️ Check TCP and UDP Ports Required
Shows how to use Microsoft PortQry and Windows tools to verify TCP, UDP, and dynamic ports required by Netwrix Auditor and troubleshoot port-related connection issues.
📄️ Clock Skew Is Too Great
Failed Kerberos logons reported as 'Clock skew is too great' occur when a workstation's clock differs from the domain controller by five or more minutes. This article explains how to verify and resynchronize time on the workstation and domain controller.
📄️ Data Classification services do not start
Troubleshoot Netwrix Data Classification services that fail to start due to credential or timeout issues and learn how to verify credentials and increase the Windows service startup timeout.
📄️ Data gathering task has not been scheduled
Collections show as Not Scheduled because Windows cannot create the required scheduled task. This article lists checks and steps to identify and resolve issues that block scheduled task creation on the Netwrix Auditor server.
📄️ Data Matcher Timeout
If Netwrix Data Classification reports show "No Data Found" with a DataMatchingWorker SQL timeout error, increase the SQLCommandTimeout in `DDCCoreSettings.xml` and restart the Netwrix Auditor DDC Provider service to allow the matching process to complete.
📄️ Difference between data stored in SQL versus the A
Explains where Netwrix Auditor stores collected data (SQL databases vs. the Audit Archive), retention recommendations, and how to import archived data back into SQL using Investigations.
📄️ Duplicate Configuration and Schema Changes for All
Explains why configuration and schema changes in an Active Directory forest generate change reports for all monitored domains and why the WHO field may show System in some reports. Describes Active Directory replication behavior and how Netwrix Auditor collects change and security events.
📄️ EMC Unity Auditing
Instructions to configure EMC Unity NAS Server and Netwrix Auditor to collect audit data using EMC native auditing technologies.
📄️ Events 4624 and 4634 Generated by Service Accounts
Explains why Netwrix Auditor service accounts generate Windows Security events 4624 and 4634 on domain controllers and why many logon/logoff events appear.
📄️ Fine Grained Policy and account expiration
Explains whether Netwrix Password Reset can limit reports to users with Fine Grained Policy settings and provides a workaround using two Managed Objects.
📄️ Given Key Was Not Present in the Dictionary — ADFS
After a Windows OS upgrade on an ADFS server, you may see "Failed to retrieve the state of windows feature. Reason: The given key was not present in the dictionary." This article explains how to diagnose the issue and restore the ServerComponentCache or Group Policy settings to resolve the error.
📄️ Group Policy Fake Changes
Explains why Group Policy changes may appear incorrectly in Netwrix Auditor and how to configure a single domain controller for Group Policy collection to avoid false changes.
📄️ Group Policy shows SID instead of settings
If your Group Policy Change report shows SIDs instead of readable settings, the collector may have used a domain controller that did not resolve SIDs. This article explains the cause and the logs to provide to Netwrix Technical Support to resolve the issue.
📄️ High CPU load and memory usage
Provides steps to reduce CPU and memory usage caused by the Account Lockout Examiner service by modifying registry keys and restarting the service.
📄️ High CPU usage on remote desktop servers
After installing Account Lockout Examiner (ALE), remote desktop servers can experience high CPU usage caused by the wmiprsve.exe process. This article explains why this happens and provides two registry-based workarounds to reduce CPU usage.
📄️ High memory usage even after the 'readlog' registr
Describes how to reduce high memory usage in Account Lockout Examiner after applying the readlog registry key by tuning registry settings and restarting the service.
📄️ How are collections handled after a network outage
Explains how Netwrix Auditor handles Active Directory data collections during a Netwrix server network outage or when Domain Controllers are offline, including behavior when Security Logs are overwritten.
📄️ How can I decrease number of events generated for Directory Service Access auditing?
You enabled Directory Service Access auditing and configured object-level auditing categories, but the Security event log fills quickly. This article explains how to reduce the number of events generated for Directory Service Access auditing by disabling unnecessary categories on the domain container.
📄️ How do I monitor hidden file shares?
Explains how to monitor hidden file shares (those ending with $) when using the Netwrix Auditor data source for Windows File Servers, including adding individual hidden shares and auditing all hidden shares via the Scope tab.
📄️ How do you specify a local administrator account t
Explains how to specify a local administrator account to obtain disk space information from computers that are not part of a domain. Describes installing Disk Space Monitor on a stand-alone PC and configuring it to monitor the local computer.
📄️ How Does Merging Logon Activity Events Work?
Explains how Netwrix Auditor merges similar Logon Activity events to reduce noise and how events are selected and prioritized during merging.
📄️ How does Netwrix Auditor for VMware work
Explains how Netwrix Auditor for VMware collects auditing events and inventory data, how often it runs, and how it uses the VMware EventHistoryCollector API to retrieve events from ESXi servers and vCenter.
📄️ How Netwrix Ensures Safety of Stored Credentials
Explains how Netwrix Auditor stores and protects data collection account credentials using Windows DPAPI (CryptoAPI), describing encryption, storage, decryption stages, and FAQs.
📄️ How the Network Traffic Compression Service Works
Explains how the Network Traffic Compression Service works on Domain Controllers and how to enable or override it using the agent.ini file to optimize data transfer to Netwrix Auditor.
📄️ How to Add Additional Space to Long-Term Archive
Learn how to add disk space to the Long-Term Archive used by Netwrix Auditor and how to decrease archive retention to free up space while preserving historical data when possible.
📄️ How to Audit a Non-Trusted Domain
Shows how to configure DNS and network settings so you can audit a remote domain that has no trust relationship with your primary domain using Netwrix Auditor.
📄️ How to Audit Another Domain with Netwrix Auditor
Explains how to audit domains different from the Netwrix Auditor host domain, including trusted and non-trusted domain scenarios and account requirements.
📄️ How to audit servers located in another subnet beh
Explains how to resolve RPC and Service Control Manager errors when auditing servers on different subnets by opening required firewall ports or configuring RPC dynamic port ranges.
📄️ How to Audit User Password Changes
Shows how to enable auditing of user password changes by editing the omitproplist.txt file to remove or comment out the *.PasswordChanged entry. Includes a note about reapplying the change after product upgrades and a tip for avoiding Access is Denied when saving.
📄️ How to automatically apply Office Classification L
Use taxonomy mappings or workflow actions to automatically apply Office Classification Labels to documents in SharePoint at the time of classification.
📄️ How to capture service traffic
Shows how to capture and debug HTTP traffic from Netwrix Data Classification services using Fiddler by configuring the machine.config to route service traffic through the Fiddler proxy.
📄️ How to change the Netwrix Data Classification Query Server URL
Shows how to change the Netwrix Data Classification Query Server URL from HTTP to HTTPS by updating the `conceptConfig.exe` configuration in the application and web service locations.
📄️ How to Check the Netwrix Auditor Health Status
Use the Health Status dashboard to monitor Netwrix Auditor components including activity records, monitoring plans, the Health Log, database statistics, Long Term Archive (LTA), and the Working Folder.
📄️ How to clear the sessions list in Netwrix Auditor?
Shows how to clear the sessions list in Netwrix Auditor by deleting the Sessions folder from the Audit Archive location.
📄️ How to count the number of your network devices in
Explains how to count the network devices that require licensing in your Netwrix Auditor configuration when using Syslog forwarding.
📄️ How to create a load balanced CEWS environment
Describes how to configure a basic load balanced environment for the Netwrix Data Classification CEWS so each server hosts both the Administration Interface (QS) and the Web Service Endpoint. Includes step-by-step actions and an example SharePoint configuration script.
📄️ How to create the full dump of a process
Describes how to create a full memory dump of a process using Process Explorer so you can provide it to Netwrix technical support.
📄️ How to delete old entries from the account list
Shows how to remove old account entries from the account list in Netwrix Auditor by using the UI or by editing the `alinfo.xml` file manually.
📄️ How to disable the Self-Audit feature in Netwrix A
Instructions to disable the Self-Audit feature in Netwrix Auditor so the program stops logging configuration changes such as creation or removal of monitoring plans.
📄️ How to Enable OCR for Non-English Images
Shows how to deploy Tesseract OCR language packs and configure OCR Path Mapping so Netwrix Data Classification processes non‑English images correctly.
📄️ How to Exclude Users and Objects from Monitoring S
Use the Netwrix Auditor UI to exclude specific users and objects from a monitoring scope. This article shows steps to configure the Users and Objects tabs in a monitoring plan and explains object exclusion rule syntax.
📄️ How to figure out where a user account was locked
Learn how to investigate where and why a user account was locked out using Netwrix Auditor, including reports to run, searches to perform, and how to enable auditing to trace failed logon sources.
📄️ How to Find Out My Netwrix Auditor Version
Instructions to determine the version and build of your Netwrix Auditor installation.
📄️ How to Find Video Recording Files
Shows where Netwrix Auditor stores User Activity video recording files and how to locate and copy the .avi files on disk.
📄️ How to Generate an Access Token for a DropBox Sour
Steps to generate an access token in Dropbox to use when adding a Dropbox source in Netwrix Data Classification.
📄️ How to Get Full Netwrix Auditor Version
Explains how to obtain a full Netwrix Auditor version and apply a license to convert a trial installation to a fully licensed instance.
📄️ How to Identify Whether Auditor Server Can Receive
Shows how to verify whether the Netwrix Auditor server can reach the Meraki API and how to troubleshoot an Event ID 6023 error caused by port or firewall issues.
📄️ How to import a list of server to be monitored in Disk Space Monitor?
Shows how to import a list of servers into Disk Space Monitor using the Configurator. The import file must be a plain text (`*.txt`) file with one server name per line.
📄️ How to improve document processing performance
This article explains how to tweak Netwrix Data Classification processing settings to maximize server resource usage and improve document processing throughput. It describes collector, indexer, classifier tuning, polling adjustments, and SQL host considerations.
📄️ How to manually enable advanced SQL tracing
Instructions to manually enable advanced SQL tracing by deploying the sqlcr stored procedures to the audited SQL Server using SQL Server Management Studio (SSMS).
📄️ How to Manually Remove Compression Services from A
Shows how to manually remove compression services from previously audited servers after you change the auditing scope for Windows Server Auditing or User Activity Auditing in Netwrix Auditor.
📄️ How to manually remove the Help-Desk Portal
Shows how to manually remove the Help-Desk Portal installed by NetWrix Account Lockout Examiner when uninstall via Programs and Features fails.
📄️ How to modify Index Processing Mode
Shows how to change the Index Processing Mode by running the cleaner and re-collecting the index from the administration web console. Follow the Initial Product Configuration wizard to select No Index, Keyword, or Compound Term processing modes.
📄️ How to modify the Activity Summary delivery schedu
Shows how to modify the Activity Summary delivery schedule in Netwrix Auditor, and explains considerations when increasing delivery frequency for plans with State in Time enabled.
📄️ How to Monitor Print Service Activity
Shows how to enable Windows Print Service event logging, create an inclusive filter in Netwrix Auditor Event Log Manager, and configure an RDL report to view print usage statistics.
📄️ How to Move Long-Term Archive to a New Location
Step-by-step instructions to move the Netwrix Auditor long-term archive (LTA) to a new location for versions 8.5 and newer, including service and task handling and ActivityRecords migration guidance.
📄️ How to Move Netwrix Auditor to the Cloud?
Step-by-step instructions to move an on-premises Netwrix Auditor installation to a VM hosted by a cloud service provider, including preparation, migration, licensing, and network considerations.
📄️ How to Omit Changes to Supported Encryption Type
Shows how to exclude changes to the Active Directory attribute "Supported Encryption Type" from reporting by Netwrix Auditor by adding the attribute to the omit properties list.
📄️ How to opt-out of the Netwrix Customer Experience
Shows how to opt out of the Netwrix Customer Experience Improvement Program in Netwrix Auditor.
📄️ How to Prevent Long-Term Archive Overflow
Learn how to prevent disk overflow on the drive that stores the Long-Term Archive by adjusting retention, moving the archive, or excluding data from monitoring scope.
📄️ How to Read Netwrix Auditor Logs
Learn where Netwrix Auditor stores its logs, how to read them, and how to prepare logs for Technical Support to troubleshoot collectors and services.
📄️ How to restrict access to the Help-Desk portal and
Explains how to restrict access by managing the Administrator and Help-Desk Operator roles and how to add or remove members from these roles in the Administrative Console and Help-Desk portal.
📄️ How to Send Netwrix Auditor Logs
Explains which Netwrix Auditor logs Technical Support may request and how to collect and upload them to a support ticket.
📄️ How to specify Dell EMC Unity server as a monitore
Shows how to specify a Dell EMC Unity server as a monitored item in Netwrix Auditor and what to consider when you use an IP address instead of the FQDN.
📄️ How to track Network interface changes on a server
Explains how to track network interface changes on a Windows server using Netwrix Auditor and lists the specific types of changes that are tracked. Includes links to installation and configuration guides.
📄️ How to Use Omit Lists
Lists omit lists used to filter data in Netwrix Auditor and provides the file locations and reference links for each supported data source.
📄️ How to View Custom Sensitive File Categories in Ne
Shows how to use custom sensitive file categories in the Sensitive Data Discovery module so Netwrix Auditor can generate reports using taxonomies from Netwrix Data Classification.
📄️ Daily User Changes in AD Groups
This article provides step-by-step instructions on how to obtain a daily list of users added or removed from any Active Directory group using Netwrix Auditor.
📄️ Hyperlinks in custom branding
Shows how to make the Support field in the custom branding feature an active hyperlink by using an HTML anchor tag in the Administrative Portal Branding settings.
📄️ Images Are not Shown
When the Web Portal displays red boxes instead of images, enable the IIS Static content feature. This article shows how to enable Static content on Windows 7 and Windows 2008 to restore image display.
📄️ Incorrecty Display Names in the "What Changed" col
Netwrix Auditor can log system-created SharePoint objects with their system names (for example, after enabling the Publishing feature), which can cause incorrect display names to appear in the "What" column of reports and Change Summaries.
📄️ Auditor Knowledge Base
Auditor knowledge base articles and troubleshooting guides
📄️ Investigations in Netwrix Auditor Take Too Long
Explains how to use CSVExportTool to export large datasets from the Long-Term Archive in Netwrix Auditor, enabling you to retrieve historical data more efficiently than the Investigations export.
📄️ Lockouts are not tracked
If some account lockout events are not tracked even though auditing and NetWrix Account Lockout Examiner settings are correct and the connection to the domain controller (DC) shows as OK, follow the steps to verify the Windows security log and adjust registry keys to enable proper tracking.
📄️ Log overwrites warnings
Explains causes and resolutions for "log overwrites" warnings reported by Netwrix Event Log Manager and provides procedures to increase event log size, configure GPO retention, enable archiving, and configure processing of archived logs.
📄️ Logon Failures in Multi-domain Environments
Explains why Netwrix Auditor service account logon attempts fail in multi-domain environments and provides steps to suppress or resolve these failures.
📄️ Logon Prompt Extension deployment problems
Instructions to enable GPO software installation logging to troubleshoot Logon Prompt Extension deployment failures and how to collect and submit the diagnostic log.
📄️ Logon Request Contained an Invalid Logon Type Valu
This article explains the cause of the "A logon request contained an invalid logon type value" error in Netwrix Auditor and shows how to resolve it by specifying the collecting account in the correct domain\\username format.
📄️ Logon Request Contained Invalid Logon Type Value i
Explains the causes and step-by-step resolution for the Health Log error "A logon request contained an invalid logon type value" in Netwrix Auditor, including how to verify data collecting account credentials and permissions.
📄️ Long Data Collection — Improving the Performance
Steps to improve Netwrix Auditor performance when data collection takes too long, including guidance on monitoring plans, hardware, network compression, database retention, antivirus exclusions, scope settings, and omit lists.
📄️ Malformed control request
Explains why Account Lockout Examiner returns "Malformed control request" when you send a remote control email and lists the required email structure to unlock accounts.
📄️ Managed Objects Disappear After Disk Space on Syst
If the system drive fills up, managed objects can disappear. Restore the NetwrixChangeReporterConfig.xml file from backup and open a support ticket with the pre-restore copy so Netwrix can investigate.
📄️ Mass Removal of Files Located on DFS Server
Explains why the Mass Data Removal from File Servers alert appears when files are removed and immediately replaced on a DFS server, and how upgrading resolves the issue.
📄️ Migrating Auditor to New Server
Step-by-step procedure to migrate a Netwrix Auditor instance to a new server, including exporting/importing configuration, moving the Long-Term Archive, and handling SQL databases.
📄️ Mimikatz Pass-the-Hash Activity on Netwrix Auditor
Explains why Mimikatz Pass-the-Hash activity may be detected on a Netwrix Auditor server and how to address these alerts, including impersonation and Secondary Logon Service requirements.
📄️ Navigating and Understanding a Netwrix Auditor Mon
Learn the layout and common configuration options of a Netwrix Auditor Monitoring Plan, including global settings, data source and item options, and best practices for optimal monitoring.
📄️ NDC Dashboard Failure
Troubleshoot when the NDC Dashboard fails to load due to IIS faults caused by the System Center Operations Manager (SCOM) 2016 agent. This article shows the relevant error messages and the recommended remediation steps.
📄️ NDC Page Status Codes
Lists all page status codes used by Netwrix Data Classification (NDC), including expected processing statuses (0–400) and error statuses (-1 to -999). Use this reference to interpret document states during the classification process.
📄️ Configuration Server Service Fails - Too Many Methods
Describes how to resolve 'Error 0x80040209: An interface has too many methods to fire events from' when the Netwrix Auditor Configuration Server Service fails to start and shows 'Access is denied'.
📄️ Netwrix Auditor Consumes Disk Space — Recommendati
Explains why Netwrix Auditor can consume a lot of disk space and provides detailed recommendations to reduce disk usage, move archives and working folders, and inspect page file and local DB usage.
📄️ Netwrix Auditor Health Log Contains EventID 2002
This article explains how to resolve EventID 2002 in the Netwrix Auditor health log caused by an invalid custom Data Collecting Account format. It shows how to provide a correctly formatted account name in the monitoring plan settings.
📄️ Netwrix Auditor Health Log Contains EventID 3230
Netwrix Auditor System Health Log may contain EventID 3230 for a SharePoint Online monitoring plan when a personal site collection is locked with a 'No access' status; this article explains the cause and provides a workaround to exclude such site collections from auditing.
📄️ Netwrix Auditor Licensing FAQs
Answers common questions about Netwrix Auditor licensing models, license counters, and how to count licensed objects for different data sources.
📄️ Netwrix Auditor Stops Working After Upgrading Host
Netwrix Auditor may stop working after upgrading the Windows version on the host server, disabling monitoring plans and showing the license status as Unavailable. This article explains the cause and provides steps to reapply or reinstall licenses for both paid/trial and Free Community Edition installations.
📄️ Netwrix Auditor System Health Log Contains EventID
Explains how to resolve Event ID 3127 and 3129 errors in the Netwrix Auditor System Health Log that cause a monitoring plan to stay in the Working status and prevent historical snapshots from importing.
📄️ No Data Collected in Linux Generic Syslog Monitori
Troubleshoot why no data is collected in a Linux Generic Syslog monitoring plan in Netwrix Auditor by checking port usage and verifying the target IP address in the add-on settings.xml.
📄️ No Monitoring Plans Found in Netwrix Auditor
Troubleshoot the "NO MONITORING PLANS FOUND" message in Netwrix Auditor reports, including causes and step-by-step resolutions to restore report availability.
📄️ Object type" and "What Changed" columns are empty
Explains why the "Object type" and "What Changed" columns can be empty in reports when the Remote Registry service on the target server is disabled or unreachable, and how to check service accessibility from the Netwrix host.
📄️ Odd characters in CSV File
Explains why a CSV file attachment in a summary report shows odd characters and how to import it correctly in Microsoft Excel.
📄️ Omit Folder Open events
Shows how to exclude the Folder Opened event type from Non-owner Mailbox Access reports generated by Netwrix Auditor.
📄️ Out of memory exception
You receive an Out of Memory Exception error in SQL Auditing for Netwrix Auditor. Increase the Netwrix server memory and contact Netwrix technical support to check for a newer build or version.
📄️ Preserving Custom Taxonomies
Describes how to export (backup) and import custom taxonomies in Netwrix Data Classification so you can protect them from SQL database loss and move them between instances.
📄️ Process Document Images results in no extracted te
Troubleshoot cases where images or documents produce no extracted text or invalid OCR text in Netwrix Data Classification and Netwrix Auditor by verifying OCR settings and image quality.
📄️ Reading log status
If a domain controller shows "Reading log" with a yellow exclamation in the NetWrix Account Lockout Examiner Console, the program cannot read lockout events from that controller. This article explains how to reset the readLog registry value to resolve the issue.
📄️ Response Action Example: Moving User Account to th
Shows how to configure a Netwrix Auditor alert response action to move a suspected Active Directory user account to a quarantine OU using a PowerShell script. The article includes prerequisites, the script, alert configuration, simulation steps, and verification.
📄️ Administrator Restricted Access
This article addresses the error message "Result: Administrator restricted access to users of your domain" encountered during the enrollment or password reset process on the Self-Service portal.
📄️ RIF document is not compatible with this code vers
Explains the "SQL Server Reporting Services is not up to date" pop-up and how to resolve it by installing CU2 or a later update for SQL Server 2012 SP1.
📄️ RBA Report Viewer Role Issue
This article addresses the issue of the RBA Report Viewer role not functioning with Vault and provides detailed instructions for resolution.
📄️ Search Takes Too Long to Complete
If search queries in Netwrix Auditor are slow to complete, narrow the search scope with filters and verify SQL Server resources and network bandwidth. This article lists recommended steps to optimize search queries.
📄️ Security Log Overwrites Occurred on This DC
Explains the cause and resolution for the "Security log overwrites occurred on this DC" message reported in daily Activity Summary emails or Netwrix Auditor Health Log.
📄️ Security log settings do not apply via GPO
When a Group Policy sets the maximum security event log size but the computer does not honor it, legacy registry settings may override the GPO. This article explains how to find the registry key and restore the policy behavior.
📄️ Set Up Direct Send for Netwrix Auditor and Netwrix
How to configure direct send via Microsoft 365 or Office 365 for Netwrix Auditor and Netwrix Data Classification, including prerequisites, SMTP settings, and SPF recommendations.
📄️ Slow examination
Explains causes and troubleshooting steps when Account Lockout Examiner examinations run for several hours without returning results.
📄️ Supplied Object Has Not Been Initialized for Inves
Explains causes and solutions for the "The Supplied object has not been initialized" error when running investigations in Netwrix Auditor. Provides steps to assign db_owner, verify investigation credentials, or rebuild the Netwrix_ImportDB database.
📄️ System Changed Client Operating System
Explains why Active Directory reports changes to Operating System attributes as made by System and how client restarts affect reporting.
📄️ System Changed Directory Objects for Foreign Secur
Explains why changes to Active Directory Foreign Security Principals appear as made by the System account and confirms this behavior is expected.
📄️ System Changed Object Path after Account Name Chan
Explains why Netwrix Auditor shows System in the WHO field for an Object Path change after an account name change and how the Canonical-Name attribute is involved.
📄️ System Changed Service Principle Name Attribute
Explains why changes to the Service Principle Name attribute may be reported as made by System or a user account, and how to exclude this attribute from auditing in Netwrix Auditor.
📄️ The conceptQS Application Pool crashes on startup
The conceptQS Application Pool may crash on startup due to a conflict with the Microsoft Monitoring Agent. Uninstalling the Microsoft Monitoring Agent and restarting the server typically resolves the issue.
📄️ The 'Domain Param' parameter is missing a value
Explains how to resolve the warning that the Domain Param parameter is missing a value during Active Directory snapshot report generation by enabling snapshot reporting or importing snapshots into Netwrix Auditor.
📄️ The name of the process that caused an account loc
Explains why the name of the process that caused an account lockout may not appear in examination results and how to verify it by checking the Windows Security log.
📄️ The order in which domains appear in the managed d
Explains that the managed domains list on the Self-Service Portal is sorted alphabetically and is case-sensitive, and how to place a domain at the top of the list.
📄️ UAVR Core Service not Responding
Describes troubleshooting steps when the User Activity Video Recording (UAVR) Core Service shows "Not Responding" after installation, including firewall, ports, required services, remote connection tests, and agent reinstallation.
📄️ Unable to audit target server by IP address
You are unable to audit a target server by IP address or by using `localhost`, and the Activity Records report shows an incorrect server name. This article explains causes and provides steps to fix DNS cache and hosts-file issues so you can audit by FQDN.
📄️ Unable to Connect to Remote Server
When you run reports in a web browser, you may see the "Unable to connect to the remote server." error. This article lists possible causes and resolutions, including SSRS service issues, failed SQL Server upgrades, and expired SSRS evaluation licenses.
📄️ Unable to Update the Compression Service
A monitoring plan shows the Take Action status and Netwrix Auditor logs EventID 2009 indicating the Compression Service could not be updated on the target server. This article explains causes and step-by-step resolutions, including manually installing the Compression Service MSI.
📄️ Unable to Upload Session to Long-Term Archive − Ac
Explains how to resolve the "Access to the path ... is denied" error when Netwrix Auditor cannot upload state-in-time sessions to the Long-Term Archive by correcting service account permissions.
📄️ User and Workstation Do Not Match
Explains why the Who (User) and Workstation fields may not match in file server reports and how Logon ID mapping with event ID 4624 and subsequent events cause this behavior.
📄️ User Behavior Analytics Configuration
User Behavior Analytics (UBA) is a closed-enrollment feature for Netwrix Auditor that uses the cloud-based Netwrix Behavior Anomaly Insight module to detect behavior anomalies and help investigate suspicious activity.
📄️ Warning: "(53) The network path was not found"
Shows how to resolve the "(53) The network path was not found" warning from Netwrix Auditor by granting the local System account proper permissions or ensuring the scheduled task account has required rights.
📄️ What cmdlets are used for AAL changes collection?
Lists the Exchange cmdlets Netwrix Auditor uses to collect Administrator Audit Logging (AAL) events and explains the required "Audit Logs" role assignment and PowerShell commands to check, assign, and remove the role.
📄️ What does automatic audit configuration do on the
Explains what the automatic audit configuration feature does on monitored servers and points you to the installation guide for a list of audit configuration changes that are performed manually or automatically through the Audit Configuration wizard.
📄️ What is "tombstoneLifetime" attribute and what is
Explains the Active Directory tombstoneLifetime attribute, how it affects object restore, and how to change it using ADSI Edit. Also explains how to align Netwrix Auditor Long-Term Archive retention with the tombstone lifetime.
📄️ Where does Netwrix Auditor collect security logs?
Explains where Netwrix Auditor collects security logs and what the Lightweight Agents do, including how to enable them and how to configure the agent.ini file with an example.
📄️ Which Applications Should be Whitelisted for the Auditor to Function Properly?
If you use third-party application whitelisting on the Netwrix Auditor server or the SQL Server host, some Auditor components can be blocked and cause errors such as SSRS temp files being locked. This article explains what to check and how to allow Netwrix Auditor components to run.
📄️ Why A Registry Key is Missing in Both: GPMC and Lo
Registry audit settings are required for some data sources such as Logon Activity Auditing. This article explains how to manually create missing registry audit keys using the Group Policy Management Console so the settings apply to affected computers.
📄️ Why Deployment Service Not Start or Terminated
Explains why the Netwrix Auditor Application Deployment Service may not appear in services.msc, may stop, or be terminated, and why this behavior is expected.
📄️ Why Netwrix Auditor Reads AD FS DKM Key and Is It Normal?
Explains why Windows Defender flags the "Suspected AD FS DKM key read" alert caused by Netwrix Auditor activity and shows how to exclude the AD FS DKM key from auditing scope.
📄️ Workstation Name Is not Shown
Explains why the Workstation field is empty in Account Lockout Examiner reports and how this relates to the Caller Machine Name field in Windows security event logs.