
Configure audit policies in your domain

Audit policies must be configured to ensure that events are logged whenever any activity occurs.

Manual configuration

1. Create a Global Security Group to add the file servers to be audited

Open ADUC, and create a new Global Security Group “ADAuditPlusFS.” → Add the file servers to be audited to this newly created group.

2. Create a new GPO to define the audit configurations
  • Open the Group Policy Management Console (GPMC) → Create a new GPO named “ADAuditPlusFSPolicy”, referenced throughout this document as <ADAuditPlusFSPolicy>.
  • To link <ADAuditPlusFSPolicy> at the domain level, open GPMC, right-click the domain, and select Link an Existing GPO → Select <ADAuditPlusFSPolicy>.
3. Apply audit settings only to the list of file servers that need to be audited
  • Click <ADAuditPlusFSPolicy>, navigate to the right panel, and then select the Delegation tab → Advanced → Authenticated Users. Remove the Apply Group Policy permission.
  • Add the ADAuditPlusFS group to the Security Filtering settings of the <ADAuditPlusFSPolicy> GPO.
4. Configure advanced audit policies

Advanced audit policies help administrators exercise granular control over which activities get recorded in the logs, helping cut down on event noise. We recommend configuring advanced audit policies on Windows Server 2008 and above.

  • To set this up, edit <ADAuditPlusFSPolicy> by right-clicking on the policy and selecting Edit.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and configure the following settings.

| Category | Sub category | Audit Events | Purpose |
|---|---|---|---|
| Object Access | Audit File System | Success, Failure | File share auditing |
| | Audit File Share | Success | |
| | Audit Handle Manipulation | Success, Failure | |

5. Force audit policy

When using advanced audit policies, ensure that they are forced over legacy audit policies.

  • Enable Force audit policy subcategory settings in <ADAuditPlusFSPolicy>.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings.
6. Configure legacy audit policies

Advanced audit policies are not available in Windows Server 2003 and earlier versions, so legacy audit policies need to be configured for these servers.

  • To set this up, edit <ADAuditPlusFSPolicy> by right-clicking on the policy and selecting Edit.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Audit Policy Configuration, and configure the following settings.

| Category | Audit Events | Purpose |
|---|---|---|
| Object Access | Success, Failure | File share auditing; File integrity monitoring |
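
Once the GPO has applied, the settings from steps 4 and 5 can be checked on a file server running Windows Server 2008 or later. The script below is an added example, not ManageEngine's code: it compares `auditpol` CSV output and the `SCENoApplyLegacyAuditPolicy` registry value against the values in the step 4 table. The function name, the host name FS01 and the sample rows are constructed for illustration, and English-language `auditpol` output is assumed.

```powershell
# Added example (not vendor code). Expected values come from the step 4 table.
$Expected = [ordered]@{
    'File System'         = 'Success and Failure'
    'File Share'          = 'Success'
    'Handle Manipulation' = 'Success and Failure'
}

function Test-FileServerAuditPolicy {   # hypothetical helper name
    param(
        [string[]]$AuditpolCsv,   # lines from: auditpol /get ... /r
        $ForceValue               # SCENoApplyLegacyAuditPolicy, $null if unset
    )
    # auditpol /r emits CSV; blank lines are dropped before parsing.
    $rows = $AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
        [pscustomobject]@{ Setting = $name; Expected = $Expected[$name]
                           Actual = $actual; Compliant = ($actual -eq $Expected[$name]) }
    }
    # Step 5: a value of 1 means subcategory settings override legacy category settings.
    [pscustomobject]@{ Setting = 'Force audit policy subcategory settings'; Expected = 1
                       Actual = $ForceValue; Compliant = ($ForceValue -eq 1) }
}

# Constructed sample (hypothetical host FS01): File Share has drifted to "No Auditing".
$sampleCsv = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'FS01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},Success and Failure,'
    'FS01,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},No Auditing,'
    'FS01,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},Success and Failure,'
)
Test-FileServerAuditPolicy -AuditpolCsv $sampleCsv -ForceValue 1 | Format-Table -AutoSize

# Live check on a file server (elevated prompt required):
# $csv   = auditpol /get '/category:Object Access' /r
# $force = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
# Test-FileServerAuditPolicy -AuditpolCsv $csv -ForceValue $force
```

A non-compliant row on a server that is a member of ADAuditPlusFS usually means the GPO has not applied yet or is being filtered out; `gpresult /r` on that server shows which GPOs were applied.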