Configuring Audit Policies for Active Directory auditing:


  1. Open the Group Policy Management Console (GPMC).
  2. Edit “Default Domain Controllers Policy”.
  3. Configure the required policies at the location that matches the Domain Controller's OS:
    1. Advanced Audit Policies (2k8 and above): Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|System Audit Policies.
    2. Audit Policies (2k3 and below): Computer Configuration|Windows Settings|Security Settings|Local Policies|Audit Policy.
  4. Advanced Audit Policies required for Active Directory auditing (recommended for 2k8 and above Domain Controllers):
    1. Audit Logon Events: Select Account Logon -> Audit 'Kerberos Authentication Service' (Success & Failure).
    2. Audit User, Group, Computer: Select Account Management -> Audit 'Computer Account Management' (Success), Audit 'Distribution Group Management' (Success), Audit 'Security Group Management' (Success), Audit 'User Account Management' (Success & Failure).
    3. Audit Tracking Processes: Select Detailed Tracking -> Audit Process Creation (Success), Audit Process Termination (Success).
    4. Audit GPO, OU, Configuration, Schema, Contacts, Containers, Sites, DNS: Select DS Access -> Audit Directory Services Changes (Success), Audit Directory Service Access (Success).
    5. Audit Logon / Logoff: Select Logon / Logoff -> Audit Logon (Success & Failure), Audit Logoff (Success), Audit Network Policy Server (Success & Failure), Audit Other Logon / Logoff Events (Success).
    6. Audit Scheduled Tasks: Select Object Access -> Audit Other Object Access Events (Success).
    7. Audit Local Policy Changes: Select Policy Change -> Audit Authentication Policy Change (Success), Audit Authorization Policy Change (Success).
    8. Audit System Events: Select System -> Audit Security State Change (Success).
    [Screenshot: Advanced Audit Policies]
  5. Audit Policies required for Active Directory auditing (recommended for 2k3 and below Domain Controllers):
    1. Audit Account Logon: Configure Account Logon Events (Success & Failure).
    2. Audit Logon / Logoff: Configure Logon Events (Success & Failure).
    3. Audit User, Group, Computer: Configure Account Management (Success & Failure).
    4. Audit GPO, OU, Configuration, Schema, Contacts, Containers, Site: Configure Directory Service Access (Success).
    5. Audit Tracking Processes: Configure Process Tracking (Success).
    6. Audit Scheduled Tasks: Configure Object Access (Success).
    7. Audit Local Policy Changes: Configure Policy Change (Success).
    8. Audit System Events: Configure System Events (Success).
    [Screenshot: Legacy Audit Policy]
  6. Force Advanced Audit Policy
    1. Enable "Force audit policy subcategory settings". This setting can be found under Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. With it enabled, the advanced subcategory settings from step 4 take effect even where a legacy category setting from step 5 would otherwise override them.
    [Screenshot: Force Advanced Audit Policy]
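As an added check (example script, not part of this page or the product), run the following on a Domain Controller after the GPO has applied: it compares the effective audit policy reported by auditpol against the advanced subcategories in step 4 and confirms that the step 6 setting is in force. The registry value SCENoApplyLegacyAuditPolicy under the Lsa key is assumed to be the value backing that Security Option.

```powershell
# Added example: verify a DC's effective audit policy against steps 4 and 6.
# Read-only; run from an elevated PowerShell prompt on the Domain Controller.
# Keys are auditpol's subcategory names, values are the settings from step 4.
$Required = @{
    'Kerberos Authentication Service' = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Distribution Group Management'   = 'Success'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Process Termination'             = 'Success'
    'Directory Service Changes'       = 'Success'
    'Directory Service Access'        = 'Success'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Network Policy Server'           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success'
    'Other Object Access Events'      = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Security State Change'           = 'Success'
}

# auditpol /r prints CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$Drift = foreach ($row in $Effective) {
    $name = $row.Subcategory.Trim()
    if ($Required.ContainsKey($name)) {
        $want = $Required[$name]
        $have = $row.'Inclusion Setting'
        # Auditing both outcomes satisfies a Success-only requirement.
        $ok = ($have -eq $want) -or ($have -eq 'Success and Failure' -and $want -eq 'Success')
        if (-not $ok) {
            [pscustomobject]@{ Subcategory = $name; Required = $want; Effective = $have }
        }
    }
}

# Step 6: assumed backing value for "Force audit policy subcategory settings".
$Lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$Forced = ($Lsa.SCENoApplyLegacyAuditPolicy -eq 1)

if ($Drift) { $Drift | Format-Table -AutoSize } else { 'All step 4 subcategories are configured as required.' }
"Force audit policy subcategory settings: $(if ($Forced) { 'enabled' } else { 'NOT enabled (see step 6)' })"
```

Any subcategory listed in the drift table is one whose events the auditing product will not receive until the policy is corrected and the GPO reapplied (gpupdate /force).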
 

    Copyright © 2018, ZOHO Corp. All Rights Reserved.