Policy that determines the security events to be reported to the network administrator.
To allow ADAudit Plus to report on security events, the audit policy must be defined accordingly in the auditing settings of ADUC (the "Active Directory Users and Computers" console) on your domain controller.
To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
Open "Active Directory Users and Computers".
(Click "Start", click "Control Panel", double-click "Administrative Tools", and then double-click "Active Directory Users and Computers".)
In the console tree, right-click the domain.
Click "Properties", and then click the "Security" tab.
Click "Advanced" to open the "Advanced Security Settings for the Domain" window.
Click the "Auditing" tab, click "Add" to add the security principal the audit entry should apply to (in our case, "Everyone"), and click "OK".
This opens the "Permission Entries for the Domain" window.
To get the audit trail from Active Directory on the creation or deletion of Group Policy objects, enable the following permission entries for the domain:
Under "Apply onto", select "This object and all child objects".
Select the "Success" check box for the following audit entries:
Create groupPolicyContainer Objects
Delete groupPolicyContainer Objects
To get the audit trail from Active Directory on Write All Properties, Delete, and Modify Permissions for groupPolicyContainer objects, enable the following permission entries for the domain:
Under "Apply onto", select "groupPolicyContainer objects".
Select the "Success" check box for the following audit entries:
Write All Properties
Delete
Modify Permissions
The following table provides details on the SACLs for GPO auditing:

| | Object to set SACL on | Principal | Type | Accesses | Scope |
|---|---|---|---|---|---|
| SACLs to Create, Delete Group Policy Objects | Domain | Everyone | Success | Create groupPolicyContainer Objects; Delete groupPolicyContainer Objects | This object and all child objects |
| SACLs to Write All Properties, Delete, and Modify Permissions for groupPolicyContainer objects | Domain | Everyone | Success | Write All Properties; Delete; Modify Permissions | groupPolicyContainer objects |
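
The two auditing entries in the table can also be applied and checked from PowerShell. This is an added example, not part of the ADAudit Plus documentation; it assumes the ActiveDirectory module (RSAT) is installed and that it is run in an elevated session by an account with the rights described above.

```powershell
# Added example: apply the two GPO auditing SACL entries to the domain object.
# Assumes the ActiveDirectory module (RSAT) and an elevated Domain Admin session.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$path = "AD:\$((Get-ADDomain).DistinguishedName)"

# Read the groupPolicyContainer class GUID from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # Everyone
$success  = [System.Security.AccessControl.AuditFlags]::Success

# Entry 1: Create/Delete groupPolicyContainer objects,
# applied onto "This object and all child objects".
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$inheritAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule1 = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $createDelete, $success, $gpcGuid, $inheritAll)

# Entry 2: Write All Properties, Delete, Modify Permissions,
# applied onto descendant "groupPolicyContainer objects" only.
$modify      = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl'
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rule2 = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $modify, $success, $descendants, $gpcGuid)

# -Audit is required to read the SACL; without it only the DACL is returned.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule1)
$acl.AddAuditRule($rule2)
Set-Acl -Path $path -AclObject $acl

# Verify: list the audit entries that reference groupPolicyContainer.
(Get-Acl -Path $path -Audit).Audit |
    Where-Object { $_.ObjectType -eq $gpcGuid -or $_.InheritedObjectType -eq $gpcGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The verification output should show two "Success" entries for "Everyone", one with inheritance type "All" and one with "Descendents".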