This happens because the actual shell binary used by the Active Directory accounts is not listed in the /etc/shells file. A shell that is not listed there is not tracked by the seos kernel module, so its events are not posted to the audit log.
In fact, this is not limited to Active Directory users: ANY user configured with a shell binary that is not listed in /etc/shells will not get cmdlog started. For instance, assuming the users are using /bin/ksh, if /etc/shells contains a symbolic link instead of the actual file (e.g. /bin/ksh -> /bin/alternative/ksh), users who log in with ksh as their shell will experience this issue.
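One way to find affected accounts is to resolve each account's configured shell to its real binary and check that the resolved path appears literally in /etc/shells. The following is an added example, not vendor code: the function name unlisted_shells is hypothetical, it assumes a readlink that supports -f (GNU coreutils), and it takes a passwd-format file so that lines saved from getent passwd for directory accounts can be checked as well.

```shell
#!/bin/sh
# Added example (not vendor code): report accounts whose real shell binary
# is not listed in the shells file, per the condition described above.
# Usage:  unlisted_shells [passwd_file] [shells_file]
# Output: user<TAB>configured_shell<TAB>resolved_binary, one line per account
unlisted_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    while IFS=: read -r user pw uid gid gecos home shell; do
        # An empty shell field means the system default; nothing to resolve.
        [ -n "$shell" ] || continue
        # Follow symbolic links to the binary that is actually executed.
        # Assumption: readlink supports -f; fall back to the configured path.
        real=$(readlink -f -- "$shell" 2>/dev/null) || real=$shell
        # Whole-line, fixed-string match against the shells file entries,
        # so a listed symlink does not count as listing its target.
        if ! grep -Fxq -- "$real" "$shells_file"; then
            printf '%s\t%s\t%s\n' "$user" "$shell" "$real"
        fi
    done < "$passwd_file"
}

# Example invocation against the live files:
#   unlisted_shells /etc/passwd /etc/shells
```

Accounts with a non-interactive shell also appear in the output when that binary is not listed; review the list rather than adding every reported path to /etc/shells.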