How to monitor activities of privileged users?

Keeping track of privilege users' activities may enable an organization to protect critical assets, meet compliance requirements and mitigate both external threats and insider threats.

Review privileged users activities Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

ADAudit Plus is real-time, web-based Windows Active Directory change reporting software that audits, tracks and reports on Windows (Active Directory, workstations logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the most-needed security, audit and compliance demands. Track authorized/unauthorized AD management changes, access of users, GPO, groups, computer and OU. Also, track every file and folder modifications, access and permissions changes with 200+ detailed event-specific reports and instant emails alerts. These reports can be exported into XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics.

You can configure these reports to be automatically generated and emailed to you at specified intervals. You can also export these reports to a format of your choice. Here is how you can track activities of privileged users using ADAudit Plus:

Login to ADAudit Plus → Go to the Reports tab → Under Account Management → Navigate to Administrative User Actions.

  • file access report
    • The details you can get in this report are:
      1. User Name of the privileged account that made the changes
      2. The time when the changes were made
      3. The computer or server in which the changes were made from
      4. The description of the changes made.
  • file access report
  • With this report, you can track the activities of your privileged users. This in turn will let you monitor any significant changes happening in your domain.

With native auditing, here is how you can track activities of privileged users:

  • Step 1: Identify the privileged user accounts.
    • If a member satisfies any of the below mentioned criteria, they can be identified as privileged users.
      1. Users/Groups who are members of any administrative groups.
      2. Users/Groups who have received administrative privileges through their Organizational Unit.
      3. Local user accounts and service accounts that may have received administrative privileges locally on domain controllers.
      4. Users who have received privileges to reset passwords and unlock the accounts of other users.
      5. Users having administrative privileges by which they can access Service Accounts.
      6. Users who have write access to Group Policy Objects related to domain controllers.
      7. Users who have access to any application that manages Active Directory. Users who are administrator of the Virtual System Environment.
  • You can list all privileged users by using Active Directory Users and Computers and Group Policy Management Console.

    To discover other privileged user accounts you may also have to run customized scripts. For instance, every member of any administrative group is a privileged user.

  • Step 2: Enabling the required audit policies
  • Launch Server Manager in your Windows Server instance.

  • Under Manage, select Group Policy Management and launch the Group Policy Management console.

  • Navigate to Forest → Domain → Your domain → Domain Controllers.

  • Create a new GPO and link it to the domain containing the user object, or edit any existing GPO that is linked to the domain to open the Group Policy Management Editor.

  • Navigate to omputer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy.

  • The Audit Policy lists all of its sub-policies in the right panel, as shown in Figure 1.

  • Select the policies you want to enable for both its successful and failure events. In the event of multiple failures, the organisation can initiate security protocol, if necessary.

  • Click Apply and OK to close Properties window.

  • Step 3: Configuring the advanced audit policy
  • Launch Server Manager in your Windows Server instance.

  • Under Manage, select Group Policy Management and launch the Group Policy Management console.

  • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration. Select Audit Policies.

  • Force audit policy subcategory settings to override audit policy category settings in Group Policy to make sure that basic auditing is disabled.

  • Decide on the policies you want to enable and select both Success and Failure options.

  • Step 4: View events using Windows Event Viewer
    • After enabling the auditing, you can use Event Viewer to see the logs and investigate events. Follow the below mentioned steps:
      1. Click on Start → Administrative Tools → Event Viewer
      2. Click Windows Logs and select Security. You will see all the events logged in security logs.
      3. Make a search using Find option to see events for a specific privileged account or create a custom view to show the events generated by a particular user only.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support


One of our solution experts will get in touch with you shortly.

    Please enter business email address
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.