Configure audit policies - Manual Process

1. Configure list of Windows workstations to be audited

Configure the list of Windows workstations to be audited using the steps below:

  • Go to Start > Active Directory Users and Computers.
  • Right-click the domain and select New > Group.
  • In the New object - Group window that opens, type in "ADAuditPlusWS" as the Group name, check Group scope: Global and Group type: Security. Click OK.
  • Right-click the newly created group, then select Properties > Members > Add. Add all configured workstations as a member of this group. Click OK.
  • Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.
  • Note: The GPMC is not installed on workstations or enabled on member servers by default, so we recommend configuring audit policies on Windows domain controllers. Otherwise, follow the steps in this page to install the GPMC on your desired member server or workstation.

  • Go to Start > Windows Administrative Tools > Group Policy Management.
  • In the GPMC, select Domains and right-click the domain you want to configure Group Policy for. Select Create a GPO in this domain, and Link it here... In the New GPO window that opens, type in "<domain name>_ADAuditPlusWSPolicy" and click OK.
  • Select the GPO <domain name>_ADAuditPlusWSPolicy. Under Security Filtering, select Authenticated Users. Click Remove. In the Group Policy Management window that opens, select OK.
  • Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, click Add and choose the security group ADAuditPlusWS created previously. Click OK.
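
The group, GPO and security-filtering steps above can also be scripted. The PowerShell below is an added example, not part of the vendor's documentation; it assumes the RSAT ActiveDirectory and GroupPolicy modules, takes the domain's DNS name as <domain name>, and uses constructed workstation names.

```powershell
# Added example: scripted equivalent of the GUI steps in section 1.
# Run with domain admin credentials on a machine that has the GPMC/RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$domain    = Get-ADDomain
$groupName = 'ADAuditPlusWS'
# Assumption: "<domain name>" is the DNS name of the domain.
$gpoName   = '{0}_ADAuditPlusWSPolicy' -f $domain.DNSRoot
# Constructed sample names; replace with the workstations you want audited.
$workstations = 'WS-EXAMPLE-01', 'WS-EXAMPLE-02'

# Global security group at the domain root, as created via New > Group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $domain.DistinguishedName
}
$members = $workstations | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $members

# "Create a GPO in this domain, and Link it here..."
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Guid $gpo.Id -Target $domain.DistinguishedName | Out-Null
}

# Security filtering: remove Authenticated Users, add the workstation group.
# -Replace is needed because this lowers an existing permission level.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the resulting permissions so the filtering can be reviewed.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A workstation picks up its new group membership only after it restarts, so the GPO does not apply to a newly added member until then.
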
2. Advanced audit policies

Configure the audit policies manually using the steps below:

  • Using domain admin credentials, log in to any computer that has the GPMC on it.
  • Go to Start > Windows Administrative Tools > Group Policy Management.
  • Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
  • In the Group Policy Management Editor, follow the steps below:
  • Note: Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. We recommend configuring advanced audit policies instead of legacy audit policies to avoid storing needless event log data, because the legacy policies generate more unwanted events.

  • Choose Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  • Click, enable, and save the audit policies as shown below:

    Category            Subcategory                          Audit events
    ------------------  -----------------------------------  -------------------
    Account Management  Audit Computer Account Management    Success
    Account Management  Audit Distribution Group Management  Success
    Account Management  Audit Security Group Management      Success
    Account Management  Audit User Account Management        Success and failure
    Detailed Tracking   Audit PNP Activity                   Success and failure
    Logon/Logoff        Audit Logoff                         Success
    Logon/Logoff        Audit Logon                          Success and failure
    Logon/Logoff        Audit Network Policy Server          Success and failure
    Logon/Logoff        Audit Other Logon/Logoff Events      Success and failure
    Object Access       Audit File Share                     Success and failure
    Object Access       Audit File System                    Success and failure
    Object Access       Audit Handle Manipulation            Success
    Object Access       Audit Other Object Access Events     Success
    Object Access       Audit Removable Storage              Success and failure
    Policy Change       Audit Authentication Policy Change   Success
    Policy Change       Audit Authorization Policy Change    Success
    System              Audit Security State Change          Success

3. Force advanced audit policy changes

Force the advanced audit policies manually using the steps below:

  • Right-click the <domain name>_ADAuditPlusWSPolicy from GPMC.
  • In the Group Policy Management Editor, follow the steps below:
  • Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
  • Enable the policy and click OK.
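
To confirm that the settings from sections 2 and 3 actually reached a workstation, the effective policy can be compared against the table above. The PowerShell below is an added example, not part of the vendor's documentation; it assumes an elevated prompt on an English-language Windows installation, because auditpol reports localized subcategory names (without the "Audit" prefix used in the GPO editor).

```powershell
# Added example: check the effective advanced audit policy on this workstation.
# Expected values mirror the table in section 2, keyed by auditpol's English names.
$expected = [ordered]@{
    'Computer Account Management'   = 'Success'
    'Distribution Group Management' = 'Success'
    'Security Group Management'     = 'Success'
    'User Account Management'       = 'Success and Failure'
    'Plug and Play Events'          = 'Success and Failure'  # "Audit PNP Activity" in the GPO
    'Logoff'                        = 'Success'
    'Logon'                         = 'Success and Failure'
    'Network Policy Server'         = 'Success and Failure'
    'Other Logon/Logoff Events'     = 'Success and Failure'
    'File Share'                    = 'Success and Failure'
    'File System'                   = 'Success and Failure'
    'Handle Manipulation'           = 'Success'
    'Other Object Access Events'    = 'Success'
    'Removable Storage'             = 'Success and Failure'
    'Authentication Policy Change'  = 'Success'
    'Authorization Policy Change'   = 'Success'
    'Security State Change'         = 'Success'
}

# auditpol /r emits CSV; drop blank lines before parsing.
$actual = @{}
auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv |
    ForEach-Object { $actual[$_.Subcategory.Trim()] = $_.'Inclusion Setting' }

$report = foreach ($name in $expected.Keys) {
    $have = [string]$actual[$name]
    # A subcategory passes if every required outcome (Success/Failure) is audited.
    $missing = $expected[$name] -split ' and ' | Where-Object { $have -notmatch "\b$_\b" }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $expected[$name]
        Actual      = if ($have) { $have } else { '(not reported)' }
        Compliant   = -not $missing
    }
}
$report | Format-Table -AutoSize

# Section 3: "Audit: Force audit policy subcategory settings..." is stored as this value.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$forced = $lsa.SCENoApplyLegacyAuditPolicy -eq 1
"Force subcategory settings enabled: $forced"
if (-not $forced -or ($report | Where-Object { -not $_.Compliant })) { exit 1 }
```

Run `gpupdate /force` on the workstation first if the GPO was only just linked; a non-zero exit code means at least one subcategory audits less than the table requires or the force setting is not enabled.
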
4. Legacy audit policies

Configure the legacy audit policies manually using the steps below:

  • Go to Start > Windows Administrative Tools > Group Policy Management.
  • Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
  • In the Group Policy Management Editor, follow the steps below:
  • Note: Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. We recommend configuring advanced audit policies instead of legacy audit policies to avoid storing needless event log data, because the legacy policies generate more unwanted events.

  • Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
  • Click, enable, and save the audit policies as shown below:

    Local audit policy category  Audit events
    ---------------------------  -------------------
    Audit account management     Success and failure
    Audit logon events           Success
    Audit object access          Success and failure
    Audit policy change          Success
    Audit system events          Success
