Jared Heinrichs

You are here: Home / Operating System / Active Directory (2003) / How to setup Active Directory auditing

By Leave a Comment

How to setup Active Directory auditing

There are many reasons to setup Active Directory Auditing. The most common reason is to track changes to user/computer accounts in Active Directory. There are two things you have to do in order to setup Active Directory auditing.

  1. You have to enable Auditing Policy (specifically Audit Directory Service) on either the domain Controller Policy or the Default Domain Policy. I recommend the Domain Controller Policy.
  2. You have to turn on Auditing component on the Object(s) you want to audit.

How to setup/Enable Audit Directory Service

Here are the steps to Enable the Audit Directory Service.

  1. Right click the Domain Controller Policy. Select. “Edit…”
  2. Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy”
  3. Double click “Audit Directory Service Access”
  4. All the boxes should be selected. ie. “Define these policy settins”. Audit These attempts “Success” & “Failure”.

How to turn on Auditing on specific Active Directory Objects

Here are the steps to turn on Auditing on AD obejcts:

  1. Open Active Directory Users and Computers
  2. Go to View and make sure “Show advance features” is enabled.
  3. Right click “Base OU” where you want to audit and hit Properties.
  4. Click on Security Tab”. (If you don’t see this go back to step #2)
  5. Click “Advanced” button near the bottom of the Window.
  6. Click on “Auditing” tab in the new Window.
  7. Click on “Add..” button
  8. Select “Authenticated Users” group
  9. Check off Successful and Failed for the Write all Properties. Make sure that “This object and all descendant objects” is selected.
  10. Click “Ok”
  11. Click “Ok”

How to View Active Directory Auditing Logs

Now that you’ve set this up you might be wondering “Where do I go to see all this auditing now? If you did you would have asked a really good question.

To view the Active Directory Auditing logs you need to open “Server Manager” – “Diagnostics” – “Windows Logs” – “Security”

  • 4726 Message – This code is for deleting a user account. The user who did it will also be logged.
  • 4720 Message – This code is for creating a user account. The user who did it will also be logged.

You might want to try and filter the events based on these messages.

Leave a Reply

Your email address will not be published. Required fields are marked *

Try searching this site!