Configuring audit policies - Manual configuration

Audit policies must be configured to ensure that events are logged whenever any activity occurs.

1. Configuring advanced audit policies

Advanced audit policies help administrators exercise granular control over which activities get recorded in the logs, helping cut down on event noise. It is recommended that advanced audit policies are configured on domain controllers running on Windows Server 2008 and above.

  • Log in to any computer that has the Group Policy Management Console (GPMC), with Domain Admin credentials → Open GPMC → Right-click on Default Domain Controllers Policy → Edit.
  • In the Group Policy Management Editor, go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policy, and double-click on the relevant policy setting.
  • Navigate to the right pane → Right-click on the relevant Subcategory, and then click Properties → Select Success, Failure, or both, as directed in the table below.

Category             Subcategory                              Audit Events
Account Logon        Audit Kerberos Authentication Service    Success and Failure
Account Management   Audit Computer Account Management        Success
Account Management   Audit Distribution Group Management      Success
Account Management   Audit Security Group Management          Success
Account Management   Audit User Account Management            Success and Failure
Detailed Tracking    Audit Process Creation                   Success
Detailed Tracking    Audit Process Termination                Success
DS Access            Audit Directory Service Changes          Success
DS Access            Audit Directory Service Access           Success
Logon/Logoff         Audit Logon                              Success and Failure
Logon/Logoff         Audit Network Policy Server              Success and Failure
Logon/Logoff         Audit Other Logon/Logoff Events          Success
Logon/Logoff         Audit Logoff                             Success
Object Access        Audit Other Object Access Events         Success
Policy Change        Audit Authentication Policy Change       Success
Policy Change        Audit Authorization Policy Change        Success
System               Audit Security State Change              Success

Image: Account Logon category → Audit Kerberos Authentication Service subcategory → Both Success and Failure configured.

2. Enforcing advanced audit policies

When using advanced audit policies, ensure that they are enforced over legacy audit policies, so that the subcategory settings override the category-level settings.

  • Log in to any computer that has the Group Policy Management Console (GPMC), with Domain Admin credentials → Open GPMC → Right-click on Default Domain Controllers Policy → Edit.
  • In the Group Policy Management Editor, go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.
  • Navigate to the right pane → Right-click on Audit: Force audit policy subcategory settings → Properties → Enable.
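
To confirm that steps 1 and 2 took effect on a domain controller, the following PowerShell check compares the effective policy reported by auditpol.exe with the table in step 1 and reads the registry value behind the Force audit policy subcategory settings option. It is an added example, not part of the original ADAudit Plus guide; it assumes an elevated session on an English-language domain controller, and the variable names are illustrative.

```powershell
# Added example (not ManageEngine code). Run elevated on a domain controller.
# Assumption: English auditpol.exe names, i.e. the GPMC names minus the "Audit " prefix.
$expected = [ordered]@{
    'Kerberos Authentication Service' = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Distribution Group Management'   = 'Success'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Process Termination'             = 'Success'
    'Directory Service Changes'       = 'Success'
    'Directory Service Access'        = 'Success'
    'Logon'                           = 'Success and Failure'
    'Network Policy Server'           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success'
    'Logoff'                          = 'Success'
    'Other Object Access Events'      = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Security State Change'           = 'Success'
}

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are dropped first.
$effective = @{}
auditpol.exe /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

# Exact match against the table; any difference shows as non-compliant.
$report = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $expected[$name]
        Actual      = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not found' }
        Compliant   = ($effective[$name] -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# Step 2: "Audit: Force audit policy subcategory settings" is stored as this LSA value.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$forced = ($null -ne $lsa) -and ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
"Subcategory settings forced over legacy policy: $forced"
```

If the Group Policy Object was edited moments ago, run gpupdate /force on the domain controller before checking.
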
3. Configuring legacy audit policies

The option to configure advanced audit policies is not available in Windows Server 2003 and below. Therefore, for these systems, you need to configure the legacy audit policies.

  • Log in to any computer that has the Group Policy Management Console (GPMC), with Domain Admin credentials → Open GPMC → Right-click on Default Domain Controllers Policy → Edit.
  • In the Group Policy Management Editor, go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Double-click on Audit Policy.
  • Navigate to the right pane → Right-click on the relevant policy, and then click Properties → Select Success, Failure, or both, as directed in the table below.

Category                    Audit Events
Account Logon               Success and Failure
Audit Logon / Logoff        Success and Failure
Account Management          Success
Directory Service Access    Success
Process Tracking            Success
Object Access               Success
System Events               Success

Image: Audit account logon events category → Both Success and Failure configured.
