Registry (Global Object Access Auditing)

Active Directory Auditing Tool

The Who, Where and When of every change is information an administrator needs in order to have complete knowledge of all activity on their Active Directory, and to tell desired from undesired activity. ADAudit Plus provides this information in the form of reports. In real time, it ensures that critical resources in the network such as the Domain Controllers are audited, monitored and reported on, with full details of changes to AD objects (Users, Groups, GPOs, Computers, OUs, DNS, AD Schema and Configuration), through 200+ detailed event-specific GUI reports and email alerts.


A brief look at security monitoring recommendations for many audit events

Registry (Global Object Access Auditing) allows IT administrators to configure a global system access control list (SACL) on the registry of a computer.

If you select the Configure security check box on this policy's property page, you can add a user or group to the global SACL. This lets you define a computer-wide SACL per object type for the registry; the defined SACL is then automatically applied to every registry object of that type, without editing individual keys.

This policy setting must be used along with the Registry security policy setting under Object Access.

Step 1: How to set up auditing of Global Object Access

  • Use domain credentials that have permission to edit Group Policy Objects to log in to the Windows Server.
  • Go to Server Manager > Tools > Group Policy Management. This opens the Group Policy Management Console (GPMC).
  • In the left pane of GPMC, expand the AD forest node > Domains folder > the AD domain. Right-click the Group Policy Objects folder and select New from the menu.
  • Enter the new GPO name in the New GPO dialog box. Leave the Source Starter GPO field set to 'None' and click OK.
  • The newly created GPO appears in the right pane of GPMC. Right-click this GPO and select Edit from the menu.
  • In the Group Policy Management Editor window's left pane, expand Computer Configuration > Policies > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  • Click Object Access in the list of audit settings.
  • In the right pane, double-click Audit File System.
  • In the Audit File System Properties dialog, check Configure the following audit events.
  • Check Success, Failure and click OK.
  • Select Global Object Access Auditing in the Group Policy Management Editor window.
  • Double-click File system in the right pane of the editor window.
  • In the File system Properties dialog, check Define this policy setting on the Policy tab and select Configure.
  • In the Advanced Security Settings for Global File SACL dialog, click Add.
  • In the Auditing Entry for Global File SACL dialog box, choose Select a principal.
  • In the Select User, Computer, Service Account, or Group dialog box, type Everyone in the box under 'Enter the object name to select' and click OK.
  • Ensure that Success is selected in the Type menu.
  • In the Auditing Entry for Global File SACL dialog box, click Clear all and then select only Delete under Permissions.
  • Click Add a condition at the bottom of the dialog. Make sure 'User' is selected in the first drop-down menu.
  • In the second drop-down menu, select Department.
  • In the third drop-down, choose Equals. In the fourth drop-down box, make sure Value is selected.
  • At the end of the new condition, select Human Resources (or desired department) from the drop-down menu.
  • Click OK in the Auditing Entry dialog, then in the Advanced Security Settings dialog, and finally in the File system Properties dialog.
  • Close the Group Policy Management Editor window.
  • In the GPMC, right-click the desired domain and choose Link an Existing GPO from the menu.
  • In the Select GPO dialog, select the GPO you just created and click OK.

To verify that the configuration works, delete a file while logged on as a user whose Department is Human Resources (or whichever department you chose in the condition):

  • Check for the event in Event Viewer > Windows Logs > Security.
  • Event 4663 should be generated, showing who performed the operation and when the file was deleted.
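The same three things a practitioner checks by hand (is the Object Access subcategory enabled, which global SACL is in effect, and which 4663 events it produced) can be checked from a script. The following PowerShell is an added example, not code from ADAudit Plus or from this page. The page's steps configure the File system global SACL; this script defaults to the Registry variant that the page title refers to (object type Key, audit subcategory Registry) and accepts File for the file-system case. It assumes an elevated session on the audited computer with read access to the Security log, and it uses only built-in tooling: auditpol, Get-WinEvent and the documented 4663 event fields (SubjectUserName, ObjectType, ObjectName, AccessList, AccessMask, ProcessName). The constant 0x10000 is the standard DELETE access right, which is what the SACL configured above audits.

```powershell
# Added example (not the page's or the product's code): verify Global Object Access
# Auditing and summarise the resulting 4663 events as who / what / when.
# Run in an elevated PowerShell session on the audited server.
param(
    [ValidateSet('Key', 'File')]
    [string]$ObjectType = 'Key',   # 'Key' = registry (page topic), 'File' = file system (page steps)
    [int]$MaxEvents = 200
)

# Object type -> Advanced Audit Policy subcategory that must be enabled for 4663 to be written.
$subcategory = if ($ObjectType -eq 'Key') { 'Registry' } else { 'File System' }

# 1. Effective audit policy. A global SACL produces no events if this subcategory is off.
Write-Host "== Effective audit policy for subcategory '$subcategory' =="
auditpol /get /subcategory:"$subcategory"

# 2. Global SACL currently in effect for this object type (what the GPO above pushed out).
Write-Host "== Global SACL for object type '$ObjectType' =="
auditpol /resourceSACL /type:$ObjectType /view

# 3. Recent 4663 events, reduced to who / what / when and limited to this object type.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$DELETE = 0x10000   # standard DELETE access right; the SACL configured above audits only this

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectType'] -ne $ObjectType) { continue }

    $mask = [int]$d['AccessMask']        # e.g. '0x10000' parses to 65536
    [pscustomobject]@{
        When       = $e.TimeCreated
        Who        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object     = $d['ObjectName']
        AccessMask = ('0x{0:X}' -f $mask)
        IsDelete   = [bool]($mask -band $DELETE)
        Process    = $d['ProcessName']
        Computer   = $e.MachineName
    }
}

if (-not $rows) {
    Write-Host "No 4663 events for object type '$ObjectType' in the last $MaxEvents events."
    Write-Host "Check the audit policy output above and that the GPO is linked and applied (gpupdate /force)."
} else {
    Write-Host "== Audited accesses (newest first) =="
    $rows | Sort-Object When -Descending | Format-Table -AutoSize

    # Delete operations are the ones the SACL in this page was written to catch.
    $deletes = $rows | Where-Object IsDelete
    Write-Host ("{0} of {1} audited accesses requested DELETE." -f @($deletes).Count, @($rows).Count)
}
```

Run it as `.\Check-GlobalObjectAudit.ps1` for the registry view, or `.\Check-GlobalObjectAudit.ps1 -ObjectType File` to confirm the file-system SACL configured in the steps above. If step 1 reports No Auditing for the subcategory, no global SACL will generate events, which is the most common reason the expected 4663 never appears.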

About ADAudit Plus

ADAudit Plus is a real-time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes
  • Azure AD logons, and changes to roles, groups, and applications
  • PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.