How to Enable Active Directory Auditing

Edit the Group Policy that applies to your domain controllers

Server 2003

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy

-> Enable Audit directory service access

Server 2008 or Above

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->DS Access

Target OU or Whole Domain

Right-click the container where you want to enable auditing and open its properties. Under Extensions you will see the Security tab. From there select Advanced and then choose the Auditing tab. If you want to be comprehensive, I would select the Everyone security principal, set Type to Success, and set Applies to: This object and all descendant objects. For the permissions, again if you want to be comprehensive, set the following:

  • Write all properties
  • Delete
  • Delete subtree
  • Modify permissions
  • Modify owner
  • All validated writes
  • All extended rights
  • Create all child objects
  • Delete all child objects

Open Event Viewer and filter the Security log for the following event IDs (Windows Server 2003 IDs / Windows Server 2008 and later IDs):
– 631, 635, 648, 653, 658, 663 / 4727, 4731, 4754, 4759, 4744, 4749 – Group created
– 632, 636, 650, 655, 660, 665 / 4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
– 633, 637, 651, 656, 661, 666 / 4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
– 634, 638, 652, 662, 667, 657 / 4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
– 639, 641, 649, 654, 659, 664 / 4735, 4737, 4745, 4750, 4755, 4760 – Group changed
– 566 / 4662 – An operation was performed on an object (OU changes) (Type: Directory Service Access)
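As an added example (not part of the original post), the following PowerShell assumes it runs on a Windows Server 2008 or later domain controller where the steps above were applied: it first confirms with auditpol that the DS Access subcategories are enabled, then pulls the 2008+ event IDs from the list above out of the local Security log and labels each event with its category.

```powershell
# Added example, not from the original post. Assumes Server 2008+ DC with the
# Advanced Audit Policy settings above applied.

# 1) Verify the DS Access subcategories really are auditing (Success expected).
auditpol.exe /get /category:"DS Access"

# 2) Map the 2008+ event IDs listed above to the page's categories.
$eventMap = @{
    'Group created'               = 4727, 4731, 4754, 4759, 4744, 4749
    'Member added to a group'     = 4728, 4732, 4756, 4761, 4746, 4751
    'Member removed from a group' = 4729, 4733, 4757, 4762, 4747, 4752
    'Group deleted'               = 4730, 4734, 4758, 4748, 4753, 4763
    'Group changed'               = 4735, 4737, 4745, 4750, 4755, 4760
    'Operation on an object'      = 4662
}
# Reverse lookup: event ID -> category label
$labelById = @{}
foreach ($label in $eventMap.Keys) {
    foreach ($id in $eventMap[$label]) { $labelById[$id] = $label }
}

# 3) Pull matching events from the last 24 hours of the local Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$labelById.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # no error when nothing matched

# 4) Flatten each event's EventData into one row: who did what to which object.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Category = $labelById[$_.Id]
        Subject  = $data['SubjectUserName']          # account that made the change
        # 4662 names the directory object; group events name the group
        Target   = if ($_.Id -eq 4662) { $data['ObjectName'] } else { $data['TargetUserName'] }
        Member   = $data['MemberName']               # only set on add/remove events
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Expect 4662 to be by far the noisiest ID once "All validated writes" and "Write all properties" are audited for Everyone, so filter on Subject or Target before exporting it to a SIEM.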
