PAM: Failed with Operation requires that destination domain auditing to be enabled


Issue: When trying to create a group with New-PAMGroup, the cmdlet failed with "The operation requires that destination domain auditing be enabled":

"System.Exception: Failed PAM group 'TFCAdmins' SID migration; Exception: System.ComponentModel.Win32Exception(0x80004005): The operation requires that destination domain auditing be enabled at Microsoft.IdentityManagement.WinTools.SidCloner.CloneSid(String sourceIdentity, String sourceDomain, String sourceDC, String sourceUserName, SecureString sourcePassword, String targetIdentity, String targetDomain)"


---------------------------------------------

Looking at the domain in question (the PRIV DC), the GPO settings looked fine.


Since the GPO showed the setting as configured, I dug a bit further and went under the hood to see what was actually applied by running this command:

auditpol /get /category:*

And lo and behold, it was not set correctly.


OK, now it was time to uncover why, given that the GPO setting was configured and gpresult showed no errors applying the Default Domain Controllers Policy.


So I worked through removing and re-adding the setting, rebooting each time:

Item performed: Removed the policy from the GPO / Reboot: same issue

Item performed: Added the setting directly to Local Policy / Reboot: same issue

Item performed: Ran "auditpol /set /category:"Account Management" /success:enable /failure:enable" / Reboot: same issue

Every time, it showed up under Local Policy on the DC as "No Auditing". <screaming inside>


Research turned up this article; clearly we did not have this set correctly, and that can cause this behavior: https://support.microsoft.com/en-us/kb/921468

OK, so now it was getting even weirder and I was scratching my head even more, so I asked myself what else it could be, and bingo: "an old policy lingering in SYSVOL that keeps re-applying". Kudos to David Fisher for the brainstorm on this.

So I dashed over to C:\Windows\SYSVOL\domain\Policies and searched for *.csv.


Then I opened it in Notepad, and wow: it contained the same settings I was getting after each reboot.


Steps taken:

  • Moved the CSV to the desktop (i.e. deleted it from SYSVOL). Before removing this, please consult with your Active Directory expert to make sure you're not going to see any adverse effect.
  • Set the Domain Controllers policy back to the required settings
  • gpupdate /force
  • Reboot
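As an added example (not code from the original post), the following PowerShell check finds every audit.csv that a GPO ships under SYSVOL, lists the subcategories it forces, and compares that with the effective auditpol state for the Account Management category the SID migration depends on. It assumes it is run elevated on a domain controller; Get-GPO (GroupPolicy RSAT module) is used only to name the GPO and falls back to the GUID if the module is missing.

```powershell
# Added example: locate advanced-audit-policy files (audit.csv) shipped by GPOs in
# SYSVOL and compare them with the effective audit policy on this DC.
# Assumes an elevated session on a domain controller; the SYSVOL path and the
# "Account Management" category name are taken from the post.

$policiesRoot = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'

# Map a GPO GUID folder to its display name; fall back to the GUID if the
# GroupPolicy module is not installed.
function Get-GpoDisplayName([string]$guidFolder) {
    try { (Get-GPO -Guid ($guidFolder.Trim('{}')) -ErrorAction Stop).DisplayName }
    catch { $guidFolder }
}

# 1. Every audit.csv under SYSVOL is an advanced audit policy that overrides the
#    legacy category settings (the behaviour described in KB 921468 and the post).
$auditFiles = Get-ChildItem -Path $policiesRoot -Filter 'audit.csv' -Recurse -ErrorAction SilentlyContinue

foreach ($file in $auditFiles) {
    # The GPO GUID is the folder directly under Policies.
    $gpoGuid = $file.FullName.Substring($policiesRoot.Length).TrimStart('\').Split('\')[0]
    $gpoName = Get-GpoDisplayName $gpoGuid
    Write-Host "`nGPO '$gpoName' ($gpoGuid) ships advanced audit policy: $($file.FullName)"

    # audit.csv columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting, Setting Value
    Import-Csv -Path $file.FullName |
        Select-Object Subcategory, 'Inclusion Setting', 'Setting Value' |
        Format-Table -AutoSize
}

if (-not $auditFiles) { Write-Host "No audit.csv found under $policiesRoot" }

# 2. Effective policy on this DC for the category the PAM SID migration needs.
#    /r makes auditpol emit CSV, which is parsed into objects for comparison.
$effective = (auditpol /get /category:'Account Management' /r) |
    Where-Object { $_ } | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Flag any Account Management subcategory that is still "No Auditing".
$notAudited = $effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($notAudited) {
    Write-Warning ("Still not audited: " + ($notAudited.Subcategory -join ', '))
}
```

A GPO listed in step 1 that you did not expect to carry advanced audit settings is the same kind of lingering policy the post describes; review it with your AD owner before removing anything from SYSVOL.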

Checked the settings after the reboot: as they should be.


Tested New-PAMGroup again after the fix.
