Known Issues

This section provides a list of all currently known issues that customers may experience with Netwrix Auditor 9.96. For each issue, there is a brief description and a workaround or a comment if available.


ID Issue Description Comment
160222 After upgrading to Netwrix Auditor 9.95 you may need to wait for 24 hrs (until data collection daily cycle is completed) for the User Accounts - Attributes report to display all data as designed.

The report may be empty until parentCanonicalName property is collected and stored to the audit database.

The following information based on related properties may be not reported properly:

  • Account locked (accountLockedOut)
  • Password expired (pwdExpiringTime)
  • User cannot change password (cannotChangePassword)

The following information will not be reported:

  • Parent OU/container (parentCanonicalName)
  • Manager (managerDisplayName)
  • Manager email address (managerEmail)
  • Street address (streetPoBox)
  • Last modified (whenChanged)
158106 Netwrix Auditor Event Log Manager: the setup fails to copy remote distributed modules. Error details: The process cannot access the file because it is being used by another process.  
88793 If a Monitoring Plan includes multiple AD domains containing groups with the same name, then Search using Who—In Group filter without specified domain name will return the results for one domain only.

To search within certain domain using this filter, specify filter value in the domain\group format.

ID Issue Description Comment
132274 Nutanix does not send SMB notification in case the file was changed using some text editors, like Notepad, WordPad, etc. Some other editors work fine (e.g. MS Word). As a result, NDC does not detect file changes, and re-index for changed file does not start automatically. So, it will be re-indexed during the next scheduled re-index task (1 week by default).

Netwrix Auditor for Active Directory

ID Issue Description Comment

Since the AD Configuration partition is common for all domains in a forest, any change to this partition will be reported by the product for each of the audited domains.

The name of the user who made the change will only be displayed for the domain where the change was made. Product reports for other audited domains will show the "System" value in the "Who" column.

Ignore entries with the "System" value in the "Who" column for other domains.

11090 If changes to group membership are made through Exchange Control Panel, the product will report on addition and deletion of all group members in addition to these changes.  
13619 If a change is made to the audited domain through Microsoft Exchange installed in another domain, the originating workstation for such changes will be reported as "Unknown".  
14291 If changes to Active Directory objects are made through Exchange Management Console or Exchange Control Panel, the "Workstation" field in reports showing the computer from which a change was made may contain several workstations.  
31008 31046 Netwrix Auditor reports the scheduled task or service start as an interactive logon.  
63500 The Administrative Group Members report does not show administrative group members beyond the monitored domain (e.g., child domain users).  

Netwrix Auditor for Exchange

ID Issue Description Comment


When monitoring Exchange Online, Add/Remove mailbox actions will not be reported if mailboxes are created by the cloud services as a result of the user's license assignment. (The assignment of the license is reported by Netwrix Auditor for Azure AD.)

For Add/Remove mailbox actions to be reported, they must be created / removed via the PowerShell, using the New-mailbox or Remove-mailbox cmdlet.


If a user is added through Active Directory Users and Computers, and then a mailbox is created for this user through the Exchange Management Console within a short period of time (less than 10 minutes), the product will show duplicate entries for the mailbox creation event in the "Who" column. One change will show the Exchange name of the account under which a user was created, and the other—the name of the user who created a mailbox.

Ignore the duplicate entry with the Exchange account in the "Who" field.

11110 For Microsoft Exchange, changes to text strings that have line breaks will contain the before and after values only for the text fragment before the line break. The fact of the change itself will be reported for the whole text string. Check the resulting value through Active Directory Users and Computers or other tools.
10897 The product does not report on changes made on an Exchange with the Edge Transport role.  
10590 For Microsoft Exchange, changes to the inetOrgPerson object type will be reported in the Exchange audit reports with the "user" value in the "Object Type" column.  

If a previously disconnected mailbox is reconnected to a user, the Exchange reports will display the mailbox GUID instead of a canonical user name in the "What" column.

If, as a result of this operation, the email address of this user is modified, this change will be reported in the Active Directory reports with the Exchange name in the "Who" column.

To get a canonical user name in an Exchange report, look for the "User" attribute in the "Details" field of the reconnected mailbox change entry.

To get the "Who" value for the email address change entry, open Exchange report for the same time period and look for the entry reflecting the mailbox reconnection event. The user who reconnected the mailbox is the same user who initiated the email address change event. You can match the email notification entry with the mailbox reconnection entry by comparing the Object Path field in the Active Directory report with the User attribute in the "Details" field of the Exchange report.

Netwrix Auditor for File Servers (Windows File Server, EMC, NetApp, Nutanix Files)

ID Issue Description Comment


For Nutanix file server: effective permissions (as a combination of NTFS and Shared permissions) are not calculated properly for the local Administrators group members.



For Windows file server: if a mount point is a shared folder, then the objects in its root will be initially collected by Netwrix Auditor and appear as processed by System account.

During the next data collections, all actions for these objects will be monitored in a normal way.


Netwrix Auditor for Windows File Server does not audit the mount points targeted at the subfolder of a file share.

To process such mount points, in the monitored item settings provide network path to the target subfolder.




For NetApp 8.3.1 (or earlier) and EMC Isilon systems Netwrix Auditor may skip empty files creation and newly created folders in reports and activity summaries.




If you switch native log format (EVTX and XML) on a NetApp 8.3.1 (or earlier) file server, you will receive errors on data collections until the first change event is captured and log is created. These errors can be ignored.

If you performed a switch when the data collection was in progress you will receive an error stating that the log cannot be read. After a switch, Netwrix Auditor will not be able to get data from the previously used log.





When monitoring NetApp8.3.1 (or earlier), viewing an object's security properties may be reported as a change to these properties.  

When monitoring NetApp 8.3.1 (or earlier), if an audit configuration error occurred within previous 11 hours, further data collection statuses may be Working and Ready even if this error persists.

Netwrix Auditor automatically checks audit settings every 11 hours irrespective of scheduled or on-demand data collections, and writes a single notification into the Netwrix Auditor System Health log. Scroll down the log to see the error/warning.

To keep data collection status up-to-date, it is recommended to run data collections less frequently (e.g., twice a day—every 12 hours).

To resolve configuration error:

  • Enable automatic audit configuration.
  • Fix the error manually if this error is related to insufficient object permissions.
  • Add a problem object to omitcollect.txt to exclude it from monitoring.

Netwrix Auditor for Oracle Database

ID Issue Description Comment

When adding Oracle Database instance or Wallet item to monitoring plan, Netwrix Auditor shows the following error: "Failed to install one or more required components."

Restart the Netwrix Auditor for Oracle Database Audit Service.

Netwrix Auditor for SharePoint

ID Issue Description Comment
1549 SharePoint Central Administration URL specified on monitoring plan creation cannot exceed 80 characters. If your SharePoint Central Administration URL exceeds 80 characters, create a short name and specify it in the Alternate Access Mappings, and create a Site Binding in IIS for SharePoint Central Administration v4.
12683 When a lot of SharePoint changes are made within a short period of time (15-20 changes per second), some events may be lost and not reflected in audit reports and Activity Summaries because of the default IIS recycle settings (the IIS Worker Process that accumulates data on changes is restarted before all data is written to the Audit Database). Modify the default IIS recycle settings to keep data when the process is restarted. For details on how to configure recycling, refer to the following Microsoft article: Recycling Settings for an Application Pool.
12883 The timestamp for SharePoint farm configuration changes in audit reports and Activity Summary emails is the time when Netwrix Auditor generates the daily Activity Summary, not the actual event time.  

The following changes are reported by the product with the "Unknown" value in the "Who" column:

  • Automatic creation of SharePoint groups on site creation if it uses unique permissions instead of inheriting them
  • All changes made under the "Anonymous" user if the security policy permits such changes

The following changes are reported with the "SHAREPOINT\system" value in the "Who" column:

  • Changes made under an account that belongs to Farm Admins
  • Changes made under an account that is a Managed account for the Web Application Pool
  • Changes made under an account that is specified in the User Policy of the modified Web Application with the "Operates as a system" option enabled
  • Changes resulting from SharePoint Workflows

The "Workstation" field is not reported for content changes if they were made in one of the following ways:

  • Through powershell cmdlets
  • Through the Site settings Content and Structure menu
  • Through Microsoft servers and Office applications integrated with SharePoint
  • Through SharePoint workflows
  • Through the Upload Multiple Files menu option
  • Through the Open With Explorer menu option
  • Through a shared folder
  • Deletion of items through the context menu
33670 Netwrix Auditor does not report on changes to lists, list items, and web sites that had occurred before these objects were removed.  

Netwrix Auditor for SQL Server

ID Issue Description Comment


Removal of a SQL Job together with unused schedules is reported with the "System" value in the "Who" column.


With the Audit data changes option enabled, when you try to perform the UPDATE/INSERT/DELETE operations in an audited database, an error is returned stating that the statements cannot be executed because the database owner SID cannot be resolved or SIDs do not match.

NOTE: Database backup and restore may lead to unresolved or not matching SIDs.

For detailed information about the issue and for a solution, refer to the following Netwrix Knowledge base article:

An error is returned stating that you have problems accessing an audited database.


Netwrix Auditor shows the same workstation name in reports and search results for all changes made to an object within the data collection period (24 hours for default data collection schedule or between two manual launches) even if changes were made by different users and from different workstations.  
155774 The 'Object Permissions in SQL Server' and 'Account Permissions in SQL Server' reports will not show the ALTER (SERVER_ROLE) capability for the privileged users in SQL Server 2008 R2 due to that SQL Server version implementation.  
139588 The 'Object Permissions in SQL Server' and 'Account Permissions in SQL Server' reports will not show the RESTORE capability for the database owner.  
139554 Permissions for INFORMATION_SCHEMA granted via master db will not be reported in the 'Account Permissions in SQL Server' report.  
155179 State-in-time data for some system tables may not be collected properly.  
145577 Windows principals and windows_membership data will not be included in the state-in-time snapshot when collecting data on the group having members who belong to the outgoing trust domain.  

Netwrix Auditor for VMware

ID Issue Description Comment

Netwrix Auditor for VMware will not collect data on Failed Logon event in case of incorrect logon attempt through VMware vCenter Single Sign-On.

168911 When creating a state-in-time snapshot, Netwrix Auditor for VMware will not collect data on AD users if these users' permissions were granted via membership in their Primary Group.  

Netwrix Auditor for Windows Server

ID Issue Description Comment

When calculating "Servers with unauthorized antivirus software" risk metric value, Windows 2016/2019 machines where pre-installed Windows Defender is running are considered a risk factor.

They will be also considered a risk factor when the "Antivirus Baseline" filter in the "Windows Server Inventory" report is applied.

If you install a third-party antivirus product, you should uninstall Windows Defender as recommended by Microsoft.

Otherwise, there will be two antiviruses running: Windows Defender and third-party solution. In this case, Netwrix Auditor will treat Windows Defender as a main anitvirus, and related calculations will be performed accordingly.

102460 When calculating "Servers with unauthorized antivirus software" risk metric value, Windows 7 machines where pre-installed Windows Defender is running are considered a risk factor. Microsoft Action Center does not classify Windows Defender on Windows 7 machines as antivirus software (see this article for more information). Use fully-featured antivirus software, e.g. Kaspersky Internet Security, ESET File security, Microsoft Security Essentials, etc.


Some registry changes may be reported as who=system or who=computer account.

12745 Software upgrade is reported by the product as two consecutive changes: software removal and software installation. The entry for software removal will have the "System" value in the "Who" column. Look for the user name in the entry for software installation to determine who performed the upgrade.
User Activity
12763 Links to video recordings will not open from reports saved in the doc/xls format, or reports received by subscription and attached to emails in one of these formats. Save reports in the PDF format and select this format when configuring a subscription to a report.
12807 On Windows 8.1/Windows Server 2012, the information on the launch of Windows Store (Metro-style) applications is not written to the detailed activity log (reports metadata), as applications in a tile-based interface do not have application descriptions or window titles. Therefore, data search or positioning inside video files will be unavailable for such applications. A video recording session will not start before the user accesses their desktop for the first time.  
12451 Video capture of an RDP session will be terminated if this session is taken over by another user.