Why is the "Performed By" column in ADMonitor reports empty?

While ADMonitor itself does not rely on Windows auditing to detect actual changes made in Active Directory, it does require access to the event log of a domain controller (either remotely or locally) in order to determine who made the change. ADMonitor utilizes both the Security and the Directory Services event log.

Perform the following steps to ensure the Performed By contains information:

1. Open the ADMonitor Adminstrator (e.g. from the EventSentry Management Console's Home ribbon), click "Set WHO Search Mode" and then check the "Analyze Directory Services" event log option. This will enable additional auditing in the "Directory Services" event log and generate additional events from the NTDS Diagnostics event source.
2. In Group Policy, ensure that account management activity is audited, see system32.eventsentry.com for more information.