Post on 15-Aug-2020
How to Enable the Audit of Active Directory Objects in Windows 2008 R2
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Windows 2008 R2 has much more and better features than its predecessors. It also wins in the native auditing part when it comes to audit the Active Directory objects. With granular control, you can easily figure out almost every change in the IT infrastructure. This also helps you to identify who’ve made what change, when, and from where; but needs more in-depth investigations. In this article, we’ll discuss the steps involved in enabling the audit of Active Directory Objects in Windows 2008 R2.
How to Enable Global Audit Policy
Follow below steps to enable the Global Audit Policy in Windows Server 2008 R2,
1. Go to Start > Administrative Tools > Group Policy Management. This will open the following window.
Figure: Group Policy Management
2. In the Left Hand Panel, expand Domains > (your domain) > Domain
Controllers and then click “Default Domain Controllers Policy” as show
below.
Figure: Browsing “Default Domain Controllers Policy” Node
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
3 Selecting this will display a warning message that making any changes in this
policy will be global to the GPO and affect other locations.
Figure: Global Policy Modification Warning
3. Read the warning and click “OK” button to proceed.
4. You can also check the box titled “Do not show this message again”, if you
want.
5. Now, do a right click on the “Default Domain Controllers Policy” and select Edit
to display the following window.
Figure: Group Policy Management Editor
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
7. You’ve to browse through Computer Configurations > Policies > Windows
Settings > Security Settings > Local Policies > Audit Policy, to access the
auditing policies as show herein below.
Figure: Audit Policy
8. Here, you can access the following audit policies.
i) Audit account logon events
ii) Audit account management
iii) Audit directory service access
iv) Audit logon events
v) Audit object access
vi) Audit policy change
vii) Audit privilege use
viii) Audit process tracking
ix) Audit system events
9. Double click “Audit directory service access” to display the following dialog
box.
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Figure: Properties of the “Audit directory service access” policy
10. Check “Define these policy settings” and then check both “Success” and
“Failure” attempts.
11. Click “Apply” and “OK” button to enable the “Audit directory service access”
auditing.
12. (Optional) In the similar way, you can enable the auditing of other available
policies.
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Enabling the Advanced Audit Policies 1. In the same Group Policy Management Editor, go to Computer Configuration >
Policies > Windows Settings > Security Settings > Advanced Audit Policy
Configuration. This contains a node titled “Audit Policies”, which contains the
auditing policies’ subcategories.
Figure: Advanced Audit Policy Configuration node
2. Expand the node “Audit Polices” to access the nodes, which are the categories of
events in fact. Each category contains the advanced polices, which has to be
enabled one-by-one. The categories are listed herein below: -
a. Account Logon
b. Account Management
c. Detailed Tracking
d. DS Access
e. Logon/Logoff
f. Object Access
g. Policy Change
h. Privilege Use
i. System
j. Global Object Access Auditing
3. All of the sub-categories inside above categories have to be enabled. Let us
assume an example to enable a policy “Audit Detailed File Share” in the
“Object Access” category. You’ve to follow the similar steps to enable all other
policies in each category one-by-one.
a. Select the node “Object Access”
Figure: Object Access node in Advanced Audit Policy Configuration
b. Now, double click “Audit Detailed File Share” policy in the Right Hand
Panel to access its Properties.
Figure: Audit Detailed File Share Properties
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
c. Check the box titled “Configure the following audit events”.
d. Select both the “Success” and “Failure” events.
e. Click “Apply” and “OK” buttons respectively to enable this auditing.
Enabling the Auditing of Objects
1. Go to the Start Menu > All Programs > Administrative Tools >Active Directory
Users and Computers to access the following window.
Figure: Active Directory Users and Computers
2. Go to the (your domain) > Domain Controllers and right click on the
organizational unit.
3. Select “Properties” to display the following dialog box.
Figure: OU Properties
4. Go to the “Security” tab.
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Figure: Security Tab
5. Click “Advanced” button on the bottom to access the following dialog box.
Figure: Advanced Security Settings
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
6. Switch to the “Auditing” tab.
Figure: Auditing Tab
7. In this tab, you can select the users, on which the auditing has to be enabled,
and select their events to be audited. By default, auditing for “Success” events
is enabled on “Everyone”.
8. If you want to specify the auditing for a particular user, then click on “Add”
button to display the following dialog box for adding that user.
Figure: Dialog box to add a user
9. Enter the name of the user in the large textbox at the bottom and click “Check
Names” to let the system to identify the correct name of the entered user.
10. Click “OK” to proceed further with the following dialog box.
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Figure: Auditing Entry dialog box
11. It is suggested to select “Successful” and “Failed” for all the listed accesses.
12. Click on “Apply these auditing entries to objects and/or containers within this
container only” to enable the auditing of all the objects/containers in the selected
container.
13. Click “OK” button to enable the auditing. This will take you back to the same
“Auditing” tab of Advanced Security Settings.
14. If you want to edit the auditing settings for a particular user, then select it and click
“Edit” button. This will display the same “Audit Entry” dialog box and you can
follow the above steps to enable the modified auditing for an existing user.
15. To reset the modified auditing settings, you can click “Restore Defaults” button.
16. Click “Apply” and “OK” button to apply the auditing settings. This will take you
back to the Properties dialog box of the OU.
17. Click on “OK” button”.
B 57, Sector 57
Noida, U.P.
India
201301
Phone: +91 (120) 4282353
Fax: +91 (120) 4282354
www.lepide.com
Lepide Software
Performing the Audit
After enabling the Active Directory auditing, all the events for the changes in Active
Directory and in the selected Organizational Unit will be recorded. You can use the
traditional Event Viewer to browse the events and to conduct the auditing.
Third Party Tool
If you face hardships to enable the auditing with too many steps and then to deal with
the logged events containing difficult-to-read information, then it is advised to make of
trusted third party tools for Active Directory auditing. We offer a better option than
others do for this purpose. We’re talking about LepideAuditor for Active Directory
(LAAD). This next-gen tool has awesome features like in-depth tracking of the changes
in state and values of objects, power to reinstate the states of the objects to the
working states in case of any emergency, and to create long audit trails for any change.
With a centralized solution to monitor all the domains at a common platform and long-
term storage of logs, it lets you clearly identify the before- and after- values of each
change.
Conclusion
You can follow the above-mentioned steps to enable the native auditing of Active
Directory objects in any domain. Afterwards, you can use Event Viewer to see all the
logged events for any change in the AD environment. If you face any kind of difficulty
with the native auditing, then you can go for LepideAuditor for Active Directory – a
paid tool with extraordinary features.