There are many reasons to setup Active Directory Auditing. The most common reason is to track changes to user/computer accounts in Active Directory. There are two things you have to do in order to setup Active Directory auditing.
- You have to enable Auditing Policy (specifically Audit Directory Service) on either the domain Controller Policy or the Default Domain Policy. I recommend the Domain Controller Policy.
- You have to turn on Auditing component on the Object(s) you want to audit.
How to setup/Enable Audit Directory Service
Here are the steps to Enable the Audit Directory Service.
- Right click the Domain Controller Policy. Select. “Edit…”
- Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy”
- Double click “Audit Directory Service Access”
- All the boxes should be selected. ie. “Define these policy settins”. Audit These attempts “Success” & “Failure”.
How to turn on Auditing on specific Active Directory Objects
Here are the steps to turn on Auditing on AD obejcts:
- Open Active Directory Users and Computers
- Go to View and make sure “Show advance features” is enabled.
- Right click “Base OU” where you want to audit and hit Properties.
- Click on Security Tab”. (If you don’t see this go back to step #2)
- Click “Advanced” button near the bottom of the Window.
- Click on “Auditing” tab in the new Window.
- Click on “Add..” button
- Select “Authenticated Users” group
- Check off Successful and Failed for the Write all Properties. Make sure that “This object and all descendant objects” is selected.
- Click “Ok”
- Click “Ok”
How to View Active Directory Auditing Logs
Now that you’ve set this up you might be wondering “Where do I go to see all this auditing now? If you did you would have asked a really good question.
To view the Active Directory Auditing logs you need to open “Server Manager” – “Diagnostics” – “Windows Logs” – “Security”
- 4726 Message – This code is for deleting a user account. The user who did it will also be logged.
- 4720 Message – This code is for creating a user account. The user who did it will also be logged.
You might want to try and filter the events based on these messages.