Configure Active Directory auditing


This section provides step-by-step procedures for enabling auditing of changes to objects in AD DS. This process consists of two primary steps:

  • Step 1: Enable audit policy.
  • Step 2: Set up auditing in object SACLs by using the Active Directory Users and Computers console.

Step 1: Enable audit policy.

1.     Click Start, point to Administrative Tools, and then click Group Policy Management.

2.     In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

3.     Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

4.     In the details pane, right-click Audit directory service access, and then click Properties.

5.     Select the Define these policy settings check box.

6.     Under Audit these attempts, select the Success check box, and then click OK.

Step 2: Set up auditing in object SACLs.

The following procedure presents an example of just one of many different types of SACLs that you can set in AD. You can configure additional SACLs based on the operations that you want to audit.

To set up auditing in object SACLs

1.     Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2.     Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

3.     Click the Security tab, click Advanced, and then click the Auditing tab.

4.     Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

5.     In Apply onto, click This object and all descendant objects.

6.     Under Access, select the Successful check box for Write all properties. If you want to audit creation and deletion of objects, also select the Successful check box for Delete, Delete subtree, and Create all child objects.

7.     Click OK until you exit the property sheet for the OU or other object.
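
The same SACL entry can be applied and verified from PowerShell. This is an added example, not part of the original procedure; it assumes the ActiveDirectory module (RSAT) is installed, the account may modify the object's SACL, and the OU distinguished name shown is a constructed placeholder.

```powershell
# Added example: scripted equivalent of Step 2 (not from the original page).
# Assumes the ActiveDirectory module and the right to manage the object's SACL.
Import-Module ActiveDirectory

# Constructed placeholder DN: replace with the OU (or other object) to audit.
$TargetDn = 'OU=Example,DC=example,DC=com'
$Path     = "AD:\$TargetDn"

# Authenticated Users, referenced by its well-known SID (S-1-5-11) so the
# script does not depend on the localized account name.
$Principal = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# "Write all properties" plus the optional create/delete rights from step 6.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, Delete, DeleteTree'

# "Successful" check box, applied to "This object and all descendant objects".
$Rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $Principal,
    $Rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# -Audit is required: without it Get-Acl does not return the SACL at all.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Read the SACL back and confirm an explicit (non-inherited) entry now covers
# every requested right for the principal on success.
$Explicit = (Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])

$Match = $Explicit | Where-Object {
    $_.IdentityReference.Value -eq $Principal.Value -and
    ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
    (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
}

if (-not $Match) {
    throw "Audit rule for Authenticated Users not found on $TargetDn"
}
$Match | Format-List IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

The SACL entry alone produces no events; the audit policy from Step 1 must also be in effect on the domain controllers.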