SACL's to enable Group Policy Objects Auditing

 

Policy that determines the security events to be reported to the network administrator.

 

To allow ADAudit Plus to report on Security events - the Audit Policy must be defined accordingly in your Auditing Policy settings of the ADUC (“Active Directory Users and Computers” console) on your Domain Controller machine.

 

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.   

  1. Open "Active Directory Users and Computers".  

    1. (Click ”Start” --> Click “Control Panel” --> double-click ”Administrative Tools and then -->> double-click “Active Directory Users and Computers “)

  2. In the console tree, right-click the "domain"

  3. Click “Properties”, and then click the “Security” tab.

  4. Click “Advanced” to open the Window to enter “Advanced Security Settings for the Domain”

  5. Click on the "Auditing Tab" and Click "Add" to add new security principal you want to apply the security policy (In our case it is "Everyone")  and click on OK

  6. This opens the window to select “Permission Entries for the Domain”

To get the audit trail from Active Directory on the creation (or) deletion of Group Policy objects, you must enable the "Permission entries for the Domain"

  1. Select Apply onto : This object and all child objects

  2. Select the Success check box for the below Audit Entries

    1. Create groupPolicyContainer Objects

    2. Delete groupPolicyContainer Objects

To get the audit trail from Active Directory on Write All Properties, Delete, and Modify Permissions for  groupPolicyContainer objects, enable the below "Permission entries for the Domain"

  1. Select Apply onto : "groupPolicyContainer objects"

  2. Select the Success check box for the below Audit Entries

    1. Write All Properties

    2. Delete

    3. Modify Permissions

 

Table provides details on SACLs for GPO Auditing:

 

 

Object to set SACL on

Principal

Type

Accesses

Scope

SACLs to Create, Delete Group Policy Objects

Domain

Everyone

Success

  1. Create groupPolicyContainer Objects

  2. Delete groupPolicyContainer Objects

 

This object and all child objects

SACLs to Write All Properties, Delete, and Modify Permissions for  groupPolicyContainer objects

Domain

Everyone

Success

  1. Write All Properties

  2. Delete

  3. Modify Permissions

 

groupPolicyContainer objects

 

 

 

 

 

 

Copyright © 2020, ZOHO Corp. All Rights Reserved.
ManageEngine
Get download link