1. Audit account management
2. Audit directory service access
Audit account management
The Audit account management policy provides high-level auditing of user, computer and group maintenance changes. When this policy is enabled, events are logged for the following maintenance-related changes:
- Created and Deleted
- Enabled and Disabled
- Password Change
- Password Reset
- Locked out
- Unlocked
- Rename
- Members Added
- Members Removed
Audit directory service access
Audit directory service access events provide low-level auditing for all types of objects in AD. Directory service access events not only log which object was accessed and by whom, but also exactly which object properties were accessed. Because the Audit directory service access policy only logs events for objects that carry an audit entry, we must enable auditing both at the object level (a SACL on the object, OU or domain) and in the audit policy at the system level.
Enable Audit Policy for AD Change Audit
To enable the Audit Policy settings on every Domain Controller, configure the audit settings in the Default Domain Controllers Policy, or create a new GPO and link it to the Domain Controllers OU via the GPMC console, or else configure the corresponding policies in the Local Security Policy of every Domain Controller in the domain where you are going to enable change auditing.
6. Run the command gpupdate /force from a command prompt to apply the updated group policy settings.
Enable Object Level Security Audit
As discussed above under Audit directory service access, the policy only logs changes for objects that carry an audit entry, so we must enable auditing at the object level. You can enable auditing on a single object, at OU level, or at domain level.
1. Press the ‘Windows’ + ‘R’ keys.
2. Type the command dsa.msc, and click OK.
Note: You can skip the above steps by clicking Start –> Administrative Tools –> Active Directory Users and Computers.
3. Right-click the Domain object, and click Properties.
8. Click the button OK, and click Apply.
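The same domain-level audit entry can be applied from PowerShell instead of the GUI. The script below is an added example, not part of the original article: it adds a Success audit rule (SACL entry) for Everyone on the domain object, inherited by all descendants, covering the rights that correspond to object changes, and then reads the SACL back to confirm the entry is present. It assumes the ActiveDirectory module (RSAT) is installed and the session runs with domain admin rights on a Domain Controller; the exact set of rights chosen ($rights) is an assumption about which changes you want audited, since the article's GUI steps list the individual checkboxes only in the screenshots.

```powershell
# Added example (not from the original article): scripted equivalent of the
# GUI steps above, applying an audit entry (SACL) at domain level so that
# successful object changes by any principal are recorded.
# Assumes the ActiveDirectory module is present and the session has
# domain admin rights (SeSecurityPrivilege is needed to read/write a SACL).
Import-Module ActiveDirectory

# Target: the domain root. Use an OU's DN instead to audit only that subtree.
$domainDn = (Get-ADDomain).DistinguishedName
$adPath   = "AD:\$domainDn"

# Everyone (well-known SID S-1-1-0), so that changes by any account are audited.
$everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

# Rights that correspond to "changes": creating/deleting objects, writing
# attributes, and changing the DACL or owner. ReadProperty is deliberately
# left out: auditing reads across the whole domain floods the Security log.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$auditFlags  = [System.Security.AccessControl.AuditFlags]::Success
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # this object and all descendants

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
    -ArgumentList $everyone, $rights, $auditFlags, $inheritance

# -Audit is required so that the SACL part of the security descriptor is
# read now and written back by Set-Acl.
$acl = Get-Acl -Path $adPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verify: list the audit entries that now apply to the domain object for Everyone.
(Get-Acl -Path $adPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyone } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

Run it once per domain (or per OU you want covered); Windows does not merge duplicate entries, so re-running adds a second identical ACE. Remember that the SACL alone produces nothing: the Audit directory service access (and, for old/new values, Audit directory service changes) subcategory must also be enabled in the audit policy of the Domain Controllers.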
Now we have successfully configured change auditing for the complete Active Directory domain. You can check the Security event log for whatever changes happen to any AD object.
Audit directory service changes
Besides these two policy settings, we can also fine-tune the auditing with Audit directory service changes, which is available from Windows Server 2008 R2 and later versions. The events that come under this category include extra details such as the Old Value and New Value of the changed properties. This Advanced Audit Policy setting comes under the DS Access subcategory group.
You can enable Advanced Audit Policy setting in the following two ways.
1. Go to the node DS Access (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration -> DS Access)
2. Now edit Audit directory service changes and set it to Success, as shown in the image below.
You can also enable this Advanced Audit policy setting by using Auditpol.exe.
Run this command in an elevated command prompt:
Auditpol /set /subcategory:"Directory Service Changes" /success:enable
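The Auditpol.exe command above only enables one subcategory and does not tell you whether the setting actually took effect. The script below is an added example, not part of the original article: it enables the subcategories that this article relies on (the Account Management subcategories plus Directory Service Access and Directory Service Changes) and then reads the effective policy back with auditpol /get /r, whose CSV output ConvertFrom-Csv can parse, so a subcategory that silently stayed at "No Auditing" is reported. The subcategory names are the real Auditpol names; enabling Failure as well as Success is this example's choice, not the article's.

```powershell
# Added example (not from the original article): enable the audit
# subcategories the article depends on with Auditpol.exe, then read the
# effective setting back and fail loudly if any of them did not apply.
# Run in an elevated PowerShell prompt on each Domain Controller.
$subcategories = @(
    'User Account Management',      # legacy "Audit account management" is
    'Computer Account Management',  # split into these subcategories
    'Security Group Management',
    'Directory Service Access',     # DS Access: who accessed which object/property
    'Directory Service Changes'     # DS Access: old and new attribute values
)

foreach ($name in $subcategories) {
    # The article enables Success only; Failure is added here so that denied
    # modification attempts are visible in the Security log as well.
    auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed to set subcategory '$name'" }
}

# Verification: /r makes auditpol emit CSV (Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting).
$notApplied = foreach ($name in $subcategories) {
    $row = auditpol /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        [pscustomobject]@{ Subcategory = $name; Setting = $row.'Inclusion Setting' }
    }
}

if ($notApplied) {
    $notApplied | Format-Table -AutoSize
    throw 'Some subcategories are not auditing Success; check whether a GPO overrides the local setting.'
}
'All requested subcategories now audit Success and Failure.'
```

One caveat a practitioner should know: settings made with Auditpol.exe are local, so a GPO that configures the legacy category-level policy (the "Audit account management" / "Audit directory service access" settings from the first part of this article) can overwrite them at the next policy refresh. If you mix the two, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", or configure the subcategories through Advanced Audit Policy Configuration in the GPO instead of locally.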
You can refer to this article https://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html to learn about the various Event IDs.
Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
Related Articles:
– How password policy works in Active Directory
– Account Lockout Policy in Active Directory
– Logon/Logoff Events in Active Directory
– Active Directory Change Event IDs
– LastLogon vs LastLogonTimeStamp
– How to create Fine Grained Password Policy
Thanks,
Morgan
Software Developer
Hi! Really useful info, nevertheless I'm having trouble when I check the security events: there's no event associated with the creation of any account. I've been creating and deleting users under a specific OU and I still haven't been able to see it in Event Viewer 🙁
great article, thanks