Active Directory Audit Policies

Active Directory audit policies must be configured to ensure events are logged when activity occurs. The steps below walk through the audit policy settings that need to be enabled.

Active Directory Audit Policy Configuration

Step 1: Open the Group Policy Management Console (GPMC)

Step 2: Right click “Default Domain Controllers Policy” and select edit.

Note

If you don’t want to edit the Default Domain Controllers Policy, you can instead crete a new GPO with the same audit settings. Link the new GPO to the Domain Controllers OU.

Step 3: Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy

Step 4: Configure the audit policies based on the table below

Advanced Audit Policy Settings for AD Audit Pro

Note

These are the policies that need enabled for the AD Audit Pro application. You can enable additional policies per your companies requirements.

Policy Path	Policy Settings Name	Audit Event Settings
Account Management	Audit Computer Account Management	Success
Account Management	Audit Security Group Management	Success
Account Management	Audit User Account Management	Success and Failure
DS Access	Audit Directory Service Changes	Success
Logon/Logoff	Audit Account Lockout	Failure
Logon/Logoff	Audit Logon	Success and Failure
Policy Change	Audit Audit Policy Change	Success

Configure Active Directory Object Level Auditing

There are specific events that do not generate an audit log entry until object level auditing is enabled.

AD Audit Pro require object level auditing

• Moved users
• Moved groups
• Moved computers
• Deleted GPOs
• GPO Link Changes
• Created OUs
• Deleted OUs

AD Audit Pro Object Level Audit Settings

Advanced Features must be enabled in ADUC to complete the steps. Click on “View” and then “Advanced Features”.

Step 1. Open ADUC, right click on your domain and select properties.

Step 2. Click on “Security”

Step 3. Click on “Advanced”

Step 4. Click on “Auditing”

Step 5. Click on “Add”

Step 6. Click on “Select a Principal”

Step 7. Type Everyone, click “Check Names” and click “OK”.

Note

This does not effect the Security of Active Directory and does not grant Everyone access. What this does is ensures an audit log event is created when a user that has permissions modifies specific objects in Active Directory.

Step 8. Ensure Type = Success and Appplies to = This object and all descent objects

Step 9. Set the following Permissions:

1. Write All Properties
2. Delete
3. Modify Permissions
4. All Extended Rights
5. Create user objects
6. Delete user objects
7. Create Group objects
8. Delete Group objects
9. Create computer objects
10. Delete computer objects
11. Create Organizational Unit objects
12. Delete Organizational Unit objects
13. Create groupPolicyContainer Objects
14. Delete groupPolicyContainer Objects

Example screenshot