Big savings, Better ROI! Exclusive discounts on ManageEngine Products!* Boost your business *T&C apply
    Click here to shrink
    Click here to expand Click here to expand

    Configure audit polices - Manual Process

    Configure list of Windows workstations to be audited

    1. Open Active Directory Users and Computers.
    2. Right-click on the domain and select New > Group.
    3. In the New object - Group window that opens, type in “ADAuditPlusWS” as the Group name, check Group scope: Domain Local and Group type: Security. Click OK.
    4. Right-click the newly created group, then select Properties > Members > Add. Add all the Windows workstations that you want to audit as a member of this group. Click OK.
    5. Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.

      6. Note: The GPMC will not be installed on workstations and/or enabled on member servers by default, so we recommend configuring audit policies on Windows domain controllers. Otherwise follow the steps in this page to install GPMC on your desired member server or workstation.

    6. Go to Start > Windows Administrative Tools > Group Policy Management.
    7. In the GPMC, right-click the domain in which you want to configure the Group Policy. Select Create a GPO and Link it here. In the New GPO window that opens, type in “ADAuditPlusWSPolicy” and click OK.
    8. Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, select Authenticated Users. Click Remove. In the Group Policy Management window that opens, select OK.
    9. Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, click Add and choose the security group ADAuditPlusWS created previously. Click OK.

      10. Configure audit polices - Manual Process

    Configure advanced audit policies

    Configure the audit policies manually using the steps below:

    1. Using domain admin credentials, log in to any computer that has the GPMC on it.
    2. Go to Start > Windows Administrative Tools > Group Policy Management.
    3. Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
    4. In the Group Policy Management Editor, follow the steps below:

      5. Note: Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. It is recommended that you configure advanced audit policies instead of legacy audit policies to prevent storing needless event data logs, as the legacy policies contain more unwanted events.

    5. Choose Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
    6. Click, enable, and save the audit policies as shown below:
      7. Advanced audit policy Audit events
      Category Subcategory  
      Account Management Audit Computer Account Management Success
      Audit Distribution Group Management Success
      Audit Security Group Management Success
      Audit User Account Management Success and failure
      Detailed Tracking Audit PNP Activity Success and failure
      Logon/Logoff Audit Logoff Success
      Audit Logon Success and failure
      Audit Network Policy Server Success and failure
      Audit Other Logon/Logoff Events Success and failure
      Object Access Audit File Share Success and failure
      Audit File System Success and failure
      Audit Handle Manipulation Success
      Audit Other Object Access Events Success
      Audit Removable Storage Success and failure
      Policy Change Audit Authentication Policy Change Success
      Audit Authorization Policy Change Success
      System Audit Security State Change Success

      Configure audit polices - Manual Process

    Force advanced audit policies

    Force the advanced audit policies manually using the steps below:

    1. Right-click the <domain name>_ADAuditPlusWSPolicy from GPMC.
    2. In the Group Policy Management Editor, follow the steps below:
    3. Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    4. Enable the policy and click OK.

      5. Configure audit polices - Manual Process

    Configure legacy audit policies

    Configure the legacy audit policies manually using the steps below:

    1. Go to Start > Windows Administrative Tools > Group Policy Management.
    2. Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
    3. In the Group Policy Management Editor, follow the steps below:

      4. Note:Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. It is recommended that you configure advanced audit policies instead of legacy audit policies to prevent storing needless event data logs, as the legacy policies contain more unwanted events.

    4. Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
    5. Click, enable, and save the audit policies as shown below:
      6. Local audit policy Audit Events
      Category  
      Audit account management Success and failure
      Audit logon events Success
      Audit object access Success and failure
      Audit policy change Success
      Audit system events Success

      Configure audit polices - Manual Process

      Don't see what you're looking for?

      •  

        Visit our community

        Post your questions in the forum.

         
      •  

        Request additional resources

        Send us your requirements.

         
      •  

        Need implementation assistance?

        Try onboarding

         

    On this page

    Get download link