For AD, Windows Server, and Workstation auditing
Overview
ADAudit Plus starts auditing activities as soon as Domain Admin credentials are provided. If you do not want to provide Domain Admin credentials, follow the steps laid out in this guide to set up a service account that has only the least privileges required for auditing your environment.
Note: If you want to configure multiple domains in ADAudit Plus, we recommend creating separate service accounts for each individual domain.
New user, group, and GPO creation
Create a new user
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → User → Name the user as "ADAudit Plus".
Create a new group
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Right click on your domain → New → Group → Name the group as "ADAudit Plus Permission Group".
- Add all the audited computers as members of the "ADAudit Plus Permission Group": Right click on the "ADAudit Plus Permission Group" → Properties → Members → Add all the Domain Controllers, Windows servers and workstations that you wish to audit.
Create a new domain level GPO and link it to all the audited computers
Since configuring permissions on individual computers is an elaborate process, a domain level GPO is created and applied on all monitored computers.
- Log in to your Domain Controller with Domain Admin privileges.
- Create a new domain level GPO:
Open the Group Policy Management Console → Right click on your domain → Create a GPO in this domain and link it here → Name the GPO as "ADAudit Plus Permission GPO".
- Remove Apply group policy permission for Authenticated Users group:
Click on the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Click on Authenticated Users → Remove the Apply group policy permission.
- Add the "ADAudit Plus Permission Group" to the security filter settings of the "ADAudit Plus Permission GPO":
Open the Group Policy Management Console → Domain → Select the "ADAudit Plus Permission GPO" → Navigate to the right panel, click on the Delegation tab → Advanced → Add "ADAudit Plus Permission Group" → Check Apply group policy.
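The user, group and security-filtered GPO described above can also be created from an elevated PowerShell session on a Domain Controller. This is an added example, not part of the ADAudit Plus documentation; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the computer names in $auditedComputers and the sAMAccountName 'adauditplus' are placeholders to replace with your own.

```powershell
# Added example (not from the ADAudit Plus guide): creates the service account,
# the permission group and the security-filtered domain-level GPO with the names
# used in the guide. Run as a Domain Admin on a Domain Controller.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$userName  = 'ADAudit Plus'                    # names taken from the guide
$groupName = 'ADAudit Plus Permission Group'
$gpoName   = 'ADAudit Plus Permission GPO'
# Assumption: replace with the DCs, servers and workstations you audit.
$auditedComputers = @('DC01', 'FS01', 'WS01')

# 1. Service account. Created disabled; set its password out of band, then enable it.
if (-not (Get-ADUser -Filter "Name -eq '$userName'")) {
    New-ADUser -Name $userName -SamAccountName 'adauditplus' -Enabled $false
}

# 2. Security group holding every audited computer (the GPO's filter target).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
$members = $auditedComputers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $members

# 3. Domain-level GPO, linked at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $domain.DistinguishedName | Out-Null
}

# 4. Security filtering: Authenticated Users keep Read (so policy processing can
#    still enumerate the GPO) but lose Apply; only the permission group applies it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify the resulting delegation matches the guide (Read for Authenticated Users,
# Apply for the permission group).
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```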
Privileges/permissions required for event log collection
1. Grant the user the Manage auditing and security log right
The Manage auditing and security log right allows the user to define object level auditing.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
- Navigate to the right panel, right click on Manage auditing and security log → Properties → Add the "ADAudit Plus" user.
2. Make the user a member of the Event Log Readers group
Members of the Event Log Readers group are able to read the event logs of all the audited computers.
- For Domain Controllers:
Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Builtin Container → Navigate to the right panel, right click on Event Log Readers → Properties → Members → Add the "ADAudit Plus" user.
- For other computers (Windows servers and workstations):
a. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
b. In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right click on Local Users and Groups → New → Local Group → Select Event Log Readers group under group name → Add the "ADAudit Plus" user.
- Grant the user Read permission on the Security event log registry key of the audited computers: Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Right-click Registry → Add Key.
- In the Select Registry Key window, navigate to MACHINE → SYSTEM → CurrentControlSet → Services → EventLog → Security → Click OK → Grant Read permission to the "ADAudit Plus" user → Click Apply.
- In the Add Object window, select Configure this key then → Replace existing permissions on all subkeys with inheritable permissions → Click OK.
Note:
Data collection should now be working. However, in highly restricted environments the Event Log Readers group may not have access to specific event log channels, which prevents data collection.
In such cases, grant direct access to the required channel by following step 3 below.
3. Grant the Event Log Readers group direct access to a specific event log channel
Follow the steps below to grant the Event Log Readers group direct read access to the security log using the wevtutil command-line utility.
- Log in to the target server. Open the Command Prompt as administrator.
- Run the following command to retrieve the current channelAccess value of the security log:
wevtutil gl "security"
Note: The same process applies to other logs by replacing the log name accordingly.
- Copy the channelAccess value to the clipboard for further modification.
- Edit the channelAccess value you copied by adding the following entry at the end to grant read access to the Event Log Readers group:
(A;;0x1;;;S-1-5-32-573)
Here, A is an Allow ACE, 0x1 is the access mask that grants read access, and S-1-5-32-573 is the well-known SID of the Event Log Readers group.
- Then use the following command to apply the updated permissions:
wevtutil sl "security" /ca:<paste_updated_channel_access_value>
Taking our example, the command would be:
wevtutil sl "security" /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
- Verify the update by executing the following command and ensure that the output contains the Event Log Readers group's ACE (A;;0x1;;;S-1-5-32-573).
wevtutil gl "security"
- On the machine where ADAudit Plus is installed, open Event Viewer and verify that the security log is now accessible.
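The wevtutil steps above can be scripted so that the ACE is only appended when it is missing and the result is verified afterwards. This is an added example, not part of the ADAudit Plus documentation; it assumes it is run from an elevated PowerShell session on the target server, and $Channel is the only value you need to change for other logs.

```powershell
# Added example (not from the ADAudit Plus guide): idempotently grants the
# Event Log Readers group read access to an event log channel using the same
# wevtutil gl / sl commands as the manual steps. Run as administrator.
$Channel   = 'Security'                  # change to audit another log
$ReaderAce = '(A;;0x1;;;S-1-5-32-573)'   # Allow, read (0x1), Event Log Readers

function Get-ChannelAccess([string]$Name) {
    # 'wevtutil gl' prints one 'key: value' line per setting; take channelAccess.
    $line = (& wevtutil.exe gl $Name) |
        Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1
    if (-not $line) { throw "channelAccess not found for channel '$Name'" }
    # Split on the first ':' only, since the SDDL itself contains colons (O:BAG:SYD:).
    return ($line -split ':\s*', 2)[1].Trim()
}

$current = Get-ChannelAccess $Channel
Write-Host "Current : $current"

if ($current -like "*$ReaderAce*") {
    Write-Host 'Event Log Readers ACE already present; nothing to do.'
    return
}
if ($current -notmatch 'D:') { throw 'No DACL (D:) section in channelAccess; not modifying.' }

# Append the ACE to the DACL rather than replacing the SDDL, so the existing
# SYSTEM and Administrators entries are kept. If an SACL (S:) section follows
# the DACL, insert the ACE before it; otherwise append at the end.
$dIndex = $current.IndexOf('D:')
$sIndex = $current.IndexOf('S:', $dIndex)
$updated = if ($sIndex -ge 0) { $current.Insert($sIndex, $ReaderAce) } else { $current + $ReaderAce }

& wevtutil.exe sl $Channel "/ca:$updated"
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# Re-read and verify, as the guide's last step does.
$verified = Get-ChannelAccess $Channel
if ($verified -notlike "*$ReaderAce*") { throw 'Verification failed: ACE not applied.' }
Write-Host "Updated : $verified"
```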
Privileges/permissions required for automatic audit policy and object level auditing configuration
Privileges/permissions required for Domain Controller auditing configuration
Granting the service account the following privileges/permissions allows ADAudit Plus to automatically configure the required audit policy and object level auditing settings in your environment. ADAudit Plus does this by pushing the required settings via GPO to the group which contains all the monitored computers.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → click on Default Domain Controllers Policy → Navigate to the right panel, click on the Delegation tab → Add the ADAudit Plus User → Provide permission to Edit settings.
Privileges/permissions required for member server, workstation, and file server auditing configuration
Make the user a member of the Group Policy Creator Owners group
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Click on Users → Navigate to the right panel, right click on Group Policy Creator Owners group → Add the "ADAudit Plus" user as a member.
Grant the user, group management permissions
- Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Click on View and ensure that Advanced Features is enabled. This displays the advanced security settings for selected objects in Active Directory Users and Computers.
- Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permissions Entry for Users window, Select a principal: ADAudit Plus user → Type: Allow → Applies to: This object and all descendant objects → Select permissions: Create Group objects and Delete Group objects.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned permissions.
- From the Active Directory Users and Computers console → Right-click Users → Properties → Security → Advanced → Permissions → Add → In the Permission Entry for Users window → Select a principal: ADAudit Plus user → Type: Allow → Applies to: Descendant Group objects → Select property: Write Members.
Note: Use Clear all to remove all permissions and properties before selecting the mentioned property.