PAM: Failed with Operation requires that destination domain auditing to be enabled


Issue: When trying to create a new PAM group with New-PAMGroup, it failed with "The operation requires that destination domain auditing be enabled":

“System.Exception: Failed PAM group 'TFCAdmins' SID migration; Exception: System.ComponentModel.Win32Exception(0x80004005): The operation requires that destination domain auditing be enabled at Microsoft.IdentityManagement.WinTools.SidCloner.CloneSid(String sourceIdentity, String sourceDomain, String sourceDC, String sourceUserName, SecureString sourcePassword, String targetIdentity, String targetDomain)”



When looking at the domain in question, the GPO looks fine:



So then I dug in a bit further. Knowing this was set, I went under the hood to see what is actually set by running this command:

auditpol /get /category:*

And lo and behold, well, not set right:


OK, now it's time to uncover the why, when the GPO setting is set and there are no errors in the gpresult for applying the default domain controller policy.


So I went down through removing and re-adding with restart:

Item Performed : Remove the policy from the GPO / Reboot : Same Issue

Item Performed : Added directly to localpolicy / Reboot : Same Issue

Item Performed : Run “auditpol /set /category:"Account Management" /success:enable /failure:enable” / Reboot : Same Issue

Every time it showed up under local policy on the DC as not auditing : <screaming inside>


Research looking at this article clearly we did not have this set : – can cause this behavior

OK, so now it's getting even weirder and I'm scratching my head even more, so I asked myself what else, and bingo!! “An old policy lingering in SYSVOL that is re-applying” – Kudos to David Fisher for the brainstorm on this

So I dashed over to C:\Windows\SYSVOL\domain\Policies

Searched for *.csv


Then I opened it in Notepad and, wow, look: the same as the settings I am getting on reboot
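The same check as a read-only script (an added example, not part of the original post): it lists every CSV under the Policies folder and shows, for each Account Management subcategory, what the file sets next to what auditpol reports as effective. It assumes an elevated session on the DC, English auditpol column names, and the usual audit.csv column layout; subcategories are matched on their GUID.

```powershell
# Added example: read-only inventory of audit policy CSVs in SYSVOL.
# Assumptions: elevated session on a DC, English auditpol output.
$policies = 'C:\Windows\SYSVOL\domain\Policies'   # folder searched in the post
$category = 'Account Management'                  # category set in the post

# Effective policy on this DC in CSV form (/r), keyed by subcategory GUID.
$effective = @{}
auditpol /get /category:"$category" /r |
    Where-Object { $_ -match '\S' } |             # drop blank lines
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }

# Walk every CSV below Policies, the same search as *.csv above.
$rows = foreach ($file in Get-ChildItem -Path $policies -Recurse -Filter *.csv -File) {
    # The GPO GUID is the braced folder name in the path, if present.
    $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(no GUID in path)' }

    foreach ($line in Import-Csv -Path $file.FullName) {
        $id = $line.'Subcategory GUID'
        # Skip rows from unrelated CSVs and subcategories outside the category.
        if (-not $id -or -not $effective.ContainsKey($id)) { continue }

        [pscustomobject]@{
            Gpo         = $gpo
            Subcategory = $line.Subcategory
            InFile      = $line.'Inclusion Setting'
            Effective   = $effective[$id]
            Modified    = $file.LastWriteTime
            Path        = $file.FullName
        }
    }
}

# A file whose InFile value matches the unwanted Effective value is the
# candidate for the lingering policy described above.
$rows | Sort-Object Subcategory, Gpo | Format-Table -AutoSize -Wrap
```

The Modified column helps spot a file left behind by an old policy, since its timestamp will predate the current GPO edits.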


Steps Taken :

  • Moved the CSV to the desktop (i.e. deleted it from SYSVOL) – Before removing this, please consult with your Active Directory expert to make sure you're not going to see any adverse effects
  • SET Domain Controller policy back to required settings
  • gpupdate /force
  • Reboot

Check settings after reboot: as they should be


Test New-PAM Group:


David Steadman has written 40 articles
