ARS Initiator Username missing (4224935)

The ChangeAuditor Dynamic Data Control ARS integration scripts have some limitations when processing the SetPassword/ChangePassword operations which causes the initiator data to not be captured. The ChangeAuditor ARS integration scripts rely on the information captured in the DDC LDAP request to populate the initiator data. This works without issue for most Active Directory change however Reset Password operations for Active Directory User objects support DDC LDAP only if LDAP-over-SSL is selected by Microsoft LDAP ADSI provider as a password reset protocol.

If LDAP-over-SSL is not available on the target domain controller, or if the SSL certificate is not trusted by ActiveRoles Server computer, LDAP ADSI falls back to other password reset protocols, such as Kerberos password change protocol (RFC 3244) and RPC protocol over named pipes (lsasrv). These protocols do not support ChangeAuditor Dynamic Data Control; therefore, the password reset event in Change Auditor may not record the ARS initiator for the event.

Ensure LDAP-over-SSL is enabled in your environment. Please check to ensure that the Active Directory SSL certificate is installed on all of the ActiveRoles Servers and that port 636 is not blocked by a firewall between the ARS servers and the Domain Controllers.

For users whose Initiator name is not captured, compare the DC that logged the event for the change that user made to the DC that logged an event for a user where the Initiator name was captured.