Contents

  • Enabling logging via advanced audit policies and SACLs
  • 5 points to keep in mind while enabling logging
  • Configuring event log settings
  • Event IDs to keep track of
  • Limitations of native auditing

From authenticating logons and authorizing file access, to categorizing users into groups and controlling security settings, AD serves as the backbone of an organization's IT infrastructure. Auditing provides visibility into activities happening across an AD environment and is crucial for keeping it secure and compliant.

However, auditing has a steep learning curve. This checklist provides concise information on AD auditing to simplify the process for you. It will guide you through the auditing settings to enable logging, the event IDs to track, the limitations of native auditing, and more.

Enabling logging via advanced audit policies and SACLs

Advanced audit policies and object-level auditing settings, also called system access control lists (SACLs), should be configured to ensure that events are logged whenever any AD activity occurs.

Advanced audit policies should be configured for computers and can be accomplished using the Group Policy Management Console (GPMC). In a Group Policy Object (GPO), advanced audit policies can be found under: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy.

The categories of settings that need to be configured for AD auditing are:

  • Account Logon: Monitors attempts to authenticate account data on a domain controller or on a local Security Account Manager.
  • Account Management: Monitors changes to user and computer accounts and groups.
  • Detailed Tracking: Monitors the activities of individual applications and users on a computer and shows how that computer is being used.
  • DS Access: Provides a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services.
  • Logon/Logoff: Tracks attempts to log on to a computer interactively or over a network.
  • Object Access: Tracks attempts to access specific objects or types of objects on a network or computer.
  • Policy Change: Tracks changes to important security policies on a local system or network.
  • System: Tracks system-level changes to a computer that are not included in other categories and that have potential security implications.

SACLs should be configured for secured objects such as users, groups, OUs, and GPOs. SACLs can be configured using Active Directory Users and Computers by accessing the Advanced Security Settings of an object's properties.

5 points to keep in mind while enabling logging

  • Enable force audit policy subcategory settings

    This ensures advanced audit policy settings are applied over basic audit policy settings. To do this, navigate to Local Policies > Security Options, and enable "Audit: Force audit policy subcategory settings" to override audit policy category settings.

    Note: Microsoft recommends configuring advanced audit policy settings on systems running Windows Server 2008 R2 and above, or Windows 7 and above.

  • Specify success or failure events for each setting:

    For each advanced audit policy setting, you can choose to log successes, failures, both, or neither.

  • Link the GPO appropriately:

    To enable logging on all computers in a domain, link the GPO containing the advanced audit policy settings to the domain. To enable logging on specific computers, link the GPO to an OU that contains those computers.

  • Plan carefully before selecting audit settings:

    Choose the settings based on the activities, resources, and users you want to track, and consider the event volume each setting generates. Poor planning can either cause you to miss critical activities or flood you with too many events, making it harder to identify suspicious activity.

  • View a consolidated list of auditing settings:

    Run the Group Policy Results Wizard from GPMC to view the effective audit settings that will be applied.

    Note: Microsoft does not provide a tool to consolidate and display all SACLs across an environment.
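The following script is an added example, not part of the original checklist: it reads the "Force audit policy subcategory settings" state, lists the effective advanced audit subcategories, and walks an OU to print every SACL audit rule, which fills the consolidation gap noted above. It assumes it runs elevated on a domain controller with the ActiveDirectory module installed, and the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original page): consolidate the effective audit
# configuration of a DC and the SACLs on the AD objects under one OU.
# Assumes an elevated session on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. "Audit: Force audit policy subcategory settings" is stored under the LSA
#    key as SCENoApplyLegacyAuditPolicy; a value of 1 means it is enabled.
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forced = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
"Force subcategory settings enabled: $forced"

# 2. Effective advanced audit policy as applied on this host.
#    auditpol /r emits CSV, so it converts straight into objects.
$policy = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$policy |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 3. SACLs: there is no built-in consolidated view, so enumerate the users,
#    groups and OUs under a search base and print each audit rule found.
$searchBase = 'OU=Placeholder,DC=example,DC=com'   # placeholder, replace with your OU
$targets = Get-ADObject -SearchBase $searchBase -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit))'

foreach ($obj in $targets) {
    # -Audit makes Get-Acl return the SACL in addition to the DACL.
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)" -Audit
    foreach ($rule in $acl.Audit) {
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $rule.IdentityReference
            Rights    = $rule.ActiveDirectoryRights
            AuditType = $rule.AuditFlags      # Success, Failure, or both
            Inherited = $rule.IsInherited
        }
    }
}
```

An object that returns no rows in step 3 has no SACL entries of its own, so changes to it will not produce 4662 or 4670 events regardless of the advanced audit policy.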

Configuring event log settings

Event log settings should be configured to ensure that events are stored properly. If the event log size is too small, events might be overwritten, and audit data could be lost.

To prevent this:

  • Increase the maximum size of the event logs.
  • Set the retention method to Overwrite events as needed.

Note: It is recommended that event logs hold at least 12 hours of audit data of your environment.
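As an added example (not code from the page), the script below applies the two settings above to the Security log and then checks whether the log actually spans the recommended 12 hours. The 1 GB maximum is an assumption to adjust for your disks; the retention check only means something once the log is near its cap, so the warning is gated on that.

```powershell
# Added example (not from the original page): enlarge the Security log, set
# overwrite-as-needed, then verify the log currently covers 12 hours of data.
# Limit-EventLog is a Windows PowerShell 5.1 cmdlet; wevtutil is the alternative.
$MaxBytes = 1GB     # assumption: size it for your event volume and disk
$MinHours = 12      # the recommended minimum retention window

Limit-EventLog -LogName Security -MaximumSize $MaxBytes -OverflowAction OverwriteAsNeeded
# Equivalent with wevtutil (also works in PowerShell 7):
# wevtutil.exe sl Security /ms:$MaxBytes /rt:false

function Test-SecurityLogRetention {
    param([int]$Hours = $MinHours)
    # The oldest record still present shows how far back the log reaches.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $span   = (Get-Date) - $oldest.TimeCreated
    $log    = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        OldestEvent   = $oldest.TimeCreated
        HoursCovered  = [math]::Round($span.TotalHours, 1)
        FileSizeBytes = $log.FileSize
        MaxSizeBytes  = $log.MaximumSizeInBytes
        MeetsTarget   = ($span.TotalHours -ge $Hours)
    }
}

$result = Test-SecurityLogRetention
$result
# A short span on a log that is still mostly empty is harmless; a short span on
# a log that is wrapping means events are being overwritten too quickly.
if (-not $result.MeetsTarget -and $result.FileSizeBytes -ge ($result.MaxSizeBytes * 0.9)) {
    Write-Warning "Security log is near its cap and holds under $MinHours h of data: raise MaximumSize."
}
```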


Event IDs to keep track of

There are hundreds of events related to AD auditing. Some of the most important ones include:

Audit logon

  • 4624: An account was successfully logged on
  • 4625: An account failed to log on

Audit user account management

  • 4720: A user account was created
  • 4722: A user account was enabled
  • 4724: An attempt was made to reset an account's password
  • 4725: A user account was disabled
  • 4726: A user account was deleted
  • 4740: A user account was locked out
  • 4767: A user account was unlocked

Audit computer account management

  • 4743: A computer account was deleted

Audit security group management

  • 4727, 4731, and 4754: A security-enabled group was created
  • 4728, 4732, and 4756: A member was added to a security-enabled group
  • 4729, 4733, and 4757: A member was removed from a security-enabled group
  • 4730, 4734, and 4758: A security-enabled universal group was deleted
  • 4764: A group’s type was changed

Audit directory service access

  • 4662: An operation was performed on an object

Audit detailed directory service replication

  • 4928, 4929, and 4930: An Active Directory replica source naming context was changed

Other events

  • 1102: The audit log was cleared
  • 4660: An object was deleted
  • 4663: An attempt was made to access an object
  • 4670: Permissions on an object were changed

ADAudit Plus helps audit all of the above events. It transforms the data contained in these events into insightful reports and real-time alerts with just a few clicks.

Limitations of native auditing

Limitation 1: Log aggregation

Event logs do not get replicated, making it impractical for admins to manually review logs on each computer. To centralize auditing, logs must be aggregated. Windows Event Forwarding (WEF) can send specific events to a Windows Event Collector server. However, setting up WEF requires expertise, considering factors like system health, cross-domain forwarding, load balancing, and event subscriptions.

ADAudit Plus compiles data from all configured computers across the domain and provides a central repository of audit information with just a few clicks.

Limitation 2: Critical activity detection

Each Windows activity generates multiple events. For example, a simple logon creates events on both the workstation and the DC. With many users and activities, event volume quickly becomes overwhelming, making it hard to spot critical actions manually. Task Scheduler and PowerShell can trigger emails for specific event IDs, but Windows can't flag unusual patterns, like a logon from a disabled account.

ADAudit Plus' alerts let you define thresholds based on volume, time, and other criteria to detect critical activities such as logons from a disabled account. You can be notified instantly via email and SMS of such activities. UBA can be leveraged to establish activity patterns and spot subtle anomalies, such as an unusual volume of privileged user activity, that go under the radar of conventional detection systems. You can also execute scripts to automate response actions, like shutting down a device to mitigate the impact of a security incident.

Limitation 3: Audit report generation

Windows events often provide limited information. For example, AD attribute changes are split across events, requiring manual correlation. Regulations demand capturing such details in real time. While PowerShell can help correlate events and resolve GPO names, it requires deep expertise, extensive testing, and isn't ideal for real-time auditing, especially in large environments.

ADAudit Plus' built-in reports provide real-time information on the before and after values of AD changes. You can also automate the generation and delivery of built-in reports to pass compliance audits with ease.

Streamline auditing, demonstrate compliance, and detect threats across hybrid AD, cloud, and file environments in just a few clicks with ADAudit Plus.
