Required audit group is missing see usrsrcupdating
Default User Rights: The person who created the file or the directory is a member of this special identity group.Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the Administrators, Server Operators, Account Operators, Backup Operators, or Print Operators groups. Default User Rights: Allow log on locally: A user account for the system administrator.This account is the first account created during operating system installation. It is a member of the Administrators group and cannot be removed from that group. Grants complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.1) Log in to the Server as Domain Admin 2) Load Group policy management editor using Server Manager This security policy setting can be used to generate security audit events with detailed tracking information about the data that is replicated between domain controllers.This audit subcategory can be useful to diagnose replication issues.
Backup Operators also can log on to the computer and shut it down.
This give you 53 options to tune up the auditing requirement and you can collect more in granular level information about your infrastructure events.
It is have 10 categories and in this demo I am going to talk about the “DS Access” category which is focused on Active Directory Access and Object Modifications.
Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins.
The group is the default owner of any object that is created by a member of the group.
The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.