Configure Events Reports


This section provides a step-by-step procedure for configuring Events Reports. The process consists of three primary steps:

Enable audit policy.
Configure event ID(s) in application for security event log data collection.
Set up auditing in the object's SACL. This step is applicable for Object Change Reports and Permissions Change Reports only.

Enable audit policy.
  1. Click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

  3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  4. In the details pane, right-click the policy pertaining to the report, as shown in the following table, and then click Properties.

      Report Name   Policy
      User Logon/Logoff Reports   Audit logon events
      Password Change Reports   Audit account management
      Terminal Services Activity Reports   Audit logon events
      Object Change Reports   Audit directory service access
      Permissions Change Reports   Audit directory service access

  5. Select the Define these policy settings check box.

  6. Under Audit these attempts, select the Success check box, and then click OK.

Configure event ID(s) in application for security event log data collection.

For security event log data collection, configure event ID(s) corresponding to each report in Real Time Events -> Alerts as stated in the following table:

     Report Name  Event ID(s)
     User Logon/Logoff Reports  4624, 4634
     Password Change Reports  4724
     Terminal Services Activity Reports  4778, 4779
     Object Change Reports  5136, 5137, 5139, 5141
     Permissions Change Reports  5136
For more information, see "How to add an event ID for configuring an E-mail alert?"

Set up auditing in the object's SACL:

To set up SACL auditing for directory objects, perform the following steps.

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. Right-click the organizational unit or any object for which you want to enable auditing, and then click Properties.

  3. Click the Security tab, click Advanced, and then click the Auditing tab.

  4. Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

  5. In Apply onto, click This object and all descendant objects.

  6. For Object Change Reports: Under Access, select the Successful check box for Write all properties. If you also want to report events for the creation and deletion of objects, select the Successful check box for Delete, Delete subtree and Create all child objects as well.

  7. For Permissions Change Reports: Under Access, select the Successful check box for Modify Permissions.

  8. Click OK until you exit the property sheet of the organizational unit or other object.
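
After completing the three steps, the following PowerShell check confirms that the event IDs from the table are reaching the Security log and that the object's SACL holds the Success audit entries. This is an added example, not part of the product; the distinguished name, the 24-hour look-back window and the use of the ActiveDirectory module (for the AD: drive) are assumptions.

```powershell
# Added verification example (not part of the product). Run in an elevated
# session on a domain controller with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# Report -> event ID map, copied from the table on this page.
$reports = [ordered]@{
    'User Logon/Logoff Reports'          = 4624, 4634
    'Password Change Reports'            = 4724
    'Terminal Services Activity Reports' = 4778, 4779
    'Object Change Reports'              = 5136, 5137, 5139, 5141
    'Permissions Change Reports'         = 5136
}

# 1. Has each event ID been logged recently? The newest match is enough.
$since = (Get-Date).AddHours(-24)        # assumed look-back window
$seen = foreach ($name in $reports.Keys) {
    foreach ($id in $reports[$name]) {
        $filter = @{ LogName = 'Security'; Id = $id; StartTime = $since }
        # No match raises a non-terminating error; @() turns that into an empty array.
        $hit = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Report  = $name
            EventId = $id
            Logged  = [bool]$hit.Count
            Latest  = if ($hit.Count) { $hit[0].TimeCreated }
        }
    }
}
$seen | Format-Table -AutoSize

# 2. Does the object's SACL carry the Success audit entries from steps 6 and 7?
#    Write all properties = WriteProperty, Modify Permissions = WriteDacl,
#    Delete / Delete subtree / Create all child objects = Delete / DeleteTree / CreateChild.
$dn     = 'OU=Example,DC=example,DC=com'  # placeholder DN, replace with your object
$wanted = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete, DeleteTree, CreateChild'
(Get-Acl -Path "AD:\$dn" -Audit).Audit |
    Where-Object { ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
                   ($_.ActiveDirectoryRights -band $wanted) } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize
```

A row with Logged set to False means either the matching activity has not occurred in the window or the audit policy or SACL for that report is not yet in effect on this domain controller.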