Active Directory How-To pages

Active Directory Auditing Tool

Who, where and when: an administrator needs this information to have complete knowledge of all activity in Active Directory and to identify any desired or undesired activity. ADAudit Plus provides this information in the form of reports. It audits, monitors and reports in real time on critical network resources such as Domain Controllers, covering AD objects (Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes) with 200+ detailed event-specific GUI reports and email alerts.


How to monitor activities performed on a computer?

When anything goes wrong on a computer, the first question is "who did it, and when". Microsoft understands this and provides a powerful event logging and auditing tool to answer this question. Use it wisely to track every action performed on a computer.

Configure your audit policy:

  1. Log on to your computer as an administrator.
  2. Run → gpedit.msc
  3. Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy.


  4. Open each of these policies and select the Success and Failure checkboxes to ensure every single action and event is audited.

Track every user's activity:

If there's any particularly sensitive file or folder that you want to protect, configure the security settings such that every user's action on that object is logged.
Open the object's properties → Security tab → click Advanced → Auditing and add Everyone to the list, then select both Delete checkboxes. This is to make sure nobody tampers with this object and erases all trace of it.


Keep an eye on the event logs:

If there ever comes a time where you have to trace back to the source of a problem, just turn to the event logs.

  1. Run → eventvwr.msc
  2. Open the Security event log.
  3. Right-click the event log and select the View → Filter command.
  4. Review the filtered event list, taking into account the following information fields inside each record:
    • Object Name. The name of the missing file or folder.
    • Image File Name. The name of the executable that was used to delete the object in question.
    • Accesses. The set of privileges that were accessed.


Now you can see every action performed on an object, who did it, and when they did it.
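
The same review can be scripted instead of clicking through Event Viewer. The following PowerShell is an added example, not part of the original page or of ADAudit Plus. It assumes Windows Vista / Server 2008 or later, where audited object access is logged as Security event ID 4663, an elevated prompt, and a constructed folder path `C:\Sensitive`.

```powershell
# Added example: list delete accesses recorded by the file/folder auditing
# configured above. Assumptions (not from the page): object access is logged
# as Security event 4663; the session is elevated so the Security log is readable.
$Path   = 'C:\Sensitive'   # constructed sample path of the audited folder
$Days   = 7                # hypothetical look-back window
$DELETE = 0x10000          # DELETE bit in the event's AccessMask field

$filter = @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's named <Data> elements into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # AccessMask is a hex string such as "0x10000"; a missing value becomes 0
        $mask   = [Convert]::ToInt32($data['AccessMask'], 16)
        $object = [string]$data['ObjectName']

        $underPath = $object.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)
        if (($mask -band $DELETE) -and $underPath) {
            [pscustomobject]@{
                When       = $_.TimeCreated
                Who        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectName = $object                # the file or folder that was touched
                Process    = $data['ProcessName']   # executable that performed the access
                AccessMask = $data['AccessMask']
            }
        }
    } |
    Sort-Object When |
    Format-Table -AutoSize -Wrap
```

An empty result means either no delete access was logged under that path in the window, or the object access policy and the folder's auditing entry are not both in place.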

With the above policies configured, every activity performed on a computer can be recorded and monitored.