Configuring Advanced Audit Policy Manually for Domain Controllers


ADAudit Plus collects the events logged in the Security log of Domain Controllers, Member Servers and File Servers and provides reports. Which events are written to the Security log of these objects depends on the Audit Policy / Advanced Audit Policy (available in Windows Server 2008 R2 & above) configured for each of them.

Configuring the Advanced Audit Policy ensures that only the security events required for auditing are logged, so the Security log (and the disk holding it) does not fill up quickly with unwanted events. The subcategory settings below are the minimum ADAudit Plus needs; auditing more than this is allowed, but it increases log volume.

Configuring Advanced Audit Policy for Domain Controllers that run in Windows Server (2008 R2 & above) Environment:

The Advanced Audit Policy in the 'Default Domain Controllers Policy' must be configured so that the Domain Controllers log only the security events ADAudit Plus requires.

Which Advanced Audit Policy settings need to be configured in the Default Domain Controllers Policy?

  • To audit Logon Events: Select Account Logon → Configure 'Kerberos Authentication Service' (Success & Failure).

  • To audit User, Group, Computer: Select Account Management → Configure 'Computer Account Management' (Success), 'Distribution Group Management' (Success), 'Security Group Management' (Success), 'User Account Management' (Success & Failure).

  • To audit Process Tracking: Select Detailed Tracking → Configure 'Process Creation' (Success), 'Process Termination' (Success).

  • To audit GPO, OU, Configuration, Schema, Contacts, Containers, Site: Select DS Access → Configure 'Directory Service Changes' (Success), 'Directory Service Access' (Success).

  • To audit Logon / Logoff: Select Logon / Logoff → Configure 'Logon' (Success & Failure), 'Logoff' (Success), 'Network Policy Server' (Success & Failure), 'Other Logon / Logoff Events' (Success).

  • To audit Scheduled Tasks: Select Object Access → Configure 'Other Object Access Events' (Success).

  • To audit Local Policy Changes: Select Policy Change → Configure 'Authentication Policy Change' (Success), 'Authorization Policy Change' (Success).

  • To audit System Events: Select System → Configure 'Security State Change' (Success).

Step by Step Procedure to edit Default Domain Controllers Policy:

  1. Log on to Windows with an account that has permission to edit the Default Domain Controllers Policy (a member of Domain Admins, for example).

  2. Ensure that the Group Policy Management feature (the Group Policy Management Console snap-in) is installed.

  3. Open the GPMC (Group Policy Management Console, gpmc.msc) on a Domain Controller or on a management workstation joined to the domain.

  4. Navigate to the 'Default Domain Controllers Policy':

Group Policy Management -> Forest -> Domains -> <your domain> -> Domain Controllers -> Default Domain Controllers Policy

  5. Right-click the Default Domain Controllers Policy and click 'Edit'.

  6. In the Group Policy Management Editor, navigate to the 'Audit Policies' node:

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies.

  7. In the left pane select a category (Account Logon, Account Management, and so on); in the right pane double-click the subcategory you want to configure, tick 'Configure the following audit events' and select Success and / or Failure as listed above.

Advanced (subcategory) audit settings only take effect reliably if the legacy category settings do not override them. Verify that 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' (under Security Settings -> Local Policies -> Security Options) is Enabled for the Domain Controllers. The new settings are applied at the next Group Policy refresh; run 'gpupdate /force' on a Domain Controller and check the effective policy with 'auditpol /get /category:*'.
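The following PowerShell script is an added example for verifying the procedure above; it is not part of the original page or of ADAudit Plus. Run it in an elevated session on a Domain Controller after the policy has been refreshed. It reads the effective audit policy with auditpol, compares it against the subcategory list from this page, and also checks that the subcategory-override setting is enabled (stored in the registry as SCENoApplyLegacyAuditPolicy = 1). The required-settings table is transcribed from this page; the variable names and the exact reporting format are assumptions of the script.

```powershell
# Added example: verify the effective audit policy on a Domain Controller
# against the ADAudit Plus requirements listed on this page. Read-only; it
# changes nothing. Requires an elevated PowerShell session on the DC.

# Required subcategory -> expected 'Inclusion Setting' exactly as auditpol
# reports it ('Success', 'Failure', 'Success and Failure', 'No Auditing').
# Transcribed from the list above.
$Required = @{
    'Kerberos Authentication Service' = 'Success and Failure'   # Account Logon
    'Computer Account Management'     = 'Success'               # Account Management
    'Distribution Group Management'   = 'Success'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'               # Detailed Tracking
    'Process Termination'             = 'Success'
    'Directory Service Changes'       = 'Success'               # DS Access
    'Directory Service Access'        = 'Success'
    'Logon'                           = 'Success and Failure'   # Logon/Logoff
    'Logoff'                          = 'Success'
    'Network Policy Server'           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success'
    'Other Object Access Events'      = 'Success'               # Object Access
    'Authentication Policy Change'    = 'Success'               # Policy Change
    'Authorization Policy Change'     = 'Success'
    'Security State Change'           = 'Success'               # System
}

# 'auditpol /get ... /r' emits CSV with the columns
# Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting. Blank lines are dropped so that
# ConvertFrom-Csv sees the header row first.
$effective = auditpol /get /category:* /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv

# Index the current settings by subcategory name.
$current = @{}
foreach ($row in $effective) {
    $current[$row.Subcategory] = $row.'Inclusion Setting'
}

$problems = @()
foreach ($name in $Required.Keys) {
    $want = $Required[$name]
    $have = $current[$name]
    if ($null -eq $have) {
        $problems += "$name : subcategory not reported by auditpol (check the name for this OS version)"
        continue
    }
    # 'Success and Failure' satisfies a requirement of plain 'Success';
    # anything else must match exactly.
    $ok = ($have -eq $want) -or ($want -eq 'Success' -and $have -eq 'Success and Failure')
    if (-not $ok) {
        $problems += "$name : effective '$have', required '$want'"
    }
}

# The subcategory settings only override the legacy category settings when
# 'Audit: Force audit policy subcategory settings (Windows Vista or later) to
# override audit policy category settings' is Enabled. Windows stores that
# option as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    $problems += 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings can still override the subcategories'
}

if ($problems.Count -eq 0) {
    Write-Output "OK: effective audit policy on $env:COMPUTERNAME matches the ADAudit Plus requirements."
} else {
    Write-Output "Audit policy mismatches on $env:COMPUTERNAME:"
    $problems | ForEach-Object { Write-Output "  MISMATCH: $_" }
}
```

If a subcategory is reported as 'No Auditing' right after editing the GPO, the policy has usually not been refreshed yet; run 'gpupdate /force' on the Domain Controller and re-run the script. A subcategory that stays wrong after a refresh is typically being overridden by another GPO linked to the Domain Controllers OU or by legacy category settings, which the SCENoApplyLegacyAuditPolicy check above points at.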

Copyright © 2014, ZOHO Corp. All Rights Reserved.
ManageEngine