
The audit policies in your Active Directory give you a window into all the activity taking place on your network. Setting up an audit policy on Windows Server allows you to view various events in Event Viewer. Based on how you configure the audit policy, you can view 'success' and 'failure' events. Directory Service Access is an audit policy that allows you to view which AD objects were accessed, who accessed them, and when they were accessed. You can configure this policy either through the 'Local Policy' option or via the 'Advanced Audit Policy' option. We recommend the Advanced Policy option since it gives you more granular control over which events are logged in Event Viewer.

How to audit Directory Service Access?

  • In the Group Policy Management Console, right-click the desired group policy, and choose 'Edit' from the menu to open up the Group Policy Management Editor.
  • Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> DS Access. Audit it for 'Success' and 'Failure'.

A breakdown of DS Access policy in Advanced Audit Policy Configuration

  • Audit Directory Service Access: When this audit policy is configured, events related to AD object access are generated. For these events to be generated, the AD object in question should have a SACL specified. Also, the account requesting access should match the SACL requirements.
  • Audit Detailed Directory Service Replication: This audits the replication that takes place between domain controllers in the domain.
  • Active Directory Domain Services Object Changes: This policy audits the changes made to AD objects. The changes could be creation or deletion of an object, or modifications made to it.

DS Access related events to monitor:

  • 4662(S, F): An operation was performed on an object.
    This event describes an operation that was performed on an object. The event is generated only if the operation meets SACL requirements.
  • 4661(S, F): A handle to an object was requested.
    This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
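
To check the policy configured above and review the events it produces without paging through Event Viewer, the following added example (not ManageEngine's or Microsoft's own code) reads the effective DS Access settings with `auditpol` and summarises events 4661 and 4662 from the Security log. The 24-hour look-back window and the variable names are assumptions.

```powershell
# Added example. Run elevated on a domain controller.

# 1. Confirm the effective DS Access audit settings after the GPO has applied.
auditpol /get /category:"DS Access"

# 2. Pull DS Access events 4661 and 4662 from the Security log.
$since  = (Get-Date).AddHours(-24)      # assumption: 24-hour look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4661, 4662
    StartTime = $since
} -ErrorAction SilentlyContinue          # no matching events is not an error here

# Keyword bit that Windows sets on failure audits in the Security log.
$auditFailure = 0x10000000000000

# 3. Flatten the named EventData fields of each event into one row.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Result      = if ($e.Keywords -band $auditFailure) { 'Failure' } else { 'Success' }
        Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectType  = $data['ObjectType']
        ObjectName  = $data['ObjectName']
        AccessMask  = $data['AccessMask']
    }
}

# 4. Summarise which account accessed which kind of object, and how often.
$rows | Group-Object Result, Subject, ObjectType -NoElement |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 5. List failed attempts individually for follow-up.
$rows | Where-Object Result -eq 'Failure' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, Subject, ObjectName, AccessMask -AutoSize
```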

How ADAudit Plus can help you track events

Event Viewer is the default native AD tool to view all your events. Although Event Viewer is a great tool, it is hard to look through all the messages and events, and find a particular suspicious incident. We suggest opting for an effective solution like ADAudit Plus.

ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It is a one-stop platform that brings together an intuitive user interface, pre-configured reports, and advanced filter options that make it easy for you to track changes to your network, and detect threats immediately. You get a fully equipped dashboard that gives you a holistic view of the various systems in your network. This way you can correlate events across the network and spot suspicious behavior.

Below are a few AD object related reports found in the 'Reports' tab in ADAudit Plus console:

Image: A report on AD Object changes in ADAudit Plus console

Image: An ADAudit Plus report on recently moved OUs

Image: Domain object changes report in ADAudit Plus console

Image: Changes to Domain Object report in ADAudit Plus console

Image: GPO permission changes report in ADAudit Plus console

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet the demands of security and compliance requirements. You can track AD management changes, processes, folder modifications, permissions changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
