Saturday, 17 August 2013

How to enable Active Directory Change Events

    Auditing Active Directory security events is vital for detecting security incidents and misuse. Active Directory itself includes built-in auditing that lets you track changes within the directory. The built-in auditing events are mainly controlled by the following two policy settings, configured via Group Policy.

     1. Audit account management
     2. Audit directory service access

Audit account management

    The Audit account management policy provides high-level auditing of user, computer and group maintenance changes. It logs events for the following kinds of change:
  • Created and Deleted
  • Enabled and Disabled
  • Password Change
  • Password Reset
  • Locked out
  • Unlocked
  • Rename
  • Members Added
  • Members Removed

Audit directory service access

     The Audit directory service access policy provides low-level auditing for all types of objects in AD. Directory service access events record not only which object was accessed and by whom, but also exactly which object properties were accessed. These events are written only for objects that carry a matching audit entry (SACL), so besides enabling the audit policy at the system level you must also enable auditing on the objects themselves.


Enable Audit Policy for AD Change Audit


    Audit policy settings must be in effect on every Domain Controller. You can configure them in the Default Domain Controllers Policy, create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policies in the Local Security Policy of every Domain Controller in the domain where you want change auditing.

Follow the steps below to enable change auditing via the Default Domain Controllers Policy.

    1. Press the Windows key + R.

    2. Type gpmc.msc, and click OK.

         Note: Alternatively, click Start --> Administrative Tools --> Group Policy Management.

    3. Right-click the Default Domain Controllers Policy, and click Edit.


    4. Navigate to the node Audit Policy (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

    5. Set both Audit account management and Audit directory service access to Success to enable Active Directory change auditing.

    6. Run gpupdate /force from a command prompt on the Domain Controller to apply the updated Group Policy settings.


Enable Object Level Security Audit 


    As discussed above under Audit directory service access, directory service access events are written only for objects that carry audit entries, so in addition to the policy you must enable auditing at the object level. You can enable auditing on a single object, at OU level, or at domain level.

Follow the steps below to enable domain-level auditing.

    1. Press the Windows key + R.

    2. Type dsa.msc, and click OK.

        Note: Alternatively, click Start --> Administrative Tools --> Active Directory Users and Computers.

    3. Right-click the domain object, and click Properties.

    4. Click the Security tab.
  
        Note: If the Security tab is not available, ensure that Advanced Features is checked under the View menu.

    5. Click the button Advanced, and select the tab Auditing.

    6. Click Add, enter Everyone, and click OK.

    7. Check Successful auditing for Write all properties, Delete, Delete Subtree, Modify Permissions, Modify Owner, Create all child objects and Delete all child objects. Make sure the entry applies to this object and all descendant objects; otherwise it covers only the domain object itself and changes inside OUs are not audited.

       Note: You can adjust these settings as per your requirement.

    8. Click Apply, then OK, to save the audit entry.

Change auditing is now configured for the entire Active Directory domain. Changes made to any AD object are recorded in the Security event log of the Domain Controller that processed the change; each Domain Controller logs only the changes it handled, so check every DC or collect their Security logs centrally.
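The same audit entry can be applied with PowerShell instead of clicking through Active Directory Users and Computers. The script below is an added example and not part of the original article. It assumes the ActiveDirectory module (RSAT) is available, that it runs as a Domain Admin on a Domain Controller (writing a SACL requires the Manage auditing and security log privilege), and that the target is the domain root; point $path at an OU or a single object to audit only that subtree.

```powershell
# Added example: apply the object-level audit entry from steps 1-8 with PowerShell.
# Assumptions: ActiveDirectory module present, run elevated as Domain Admin on a DC.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDN"          # domain root; use "AD:\OU=Servers,$domainDN" for one OU

# Everyone, by well-known SID, so the script does not depend on the UI language
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# The rights ticked in step 7:
#   Write all properties  -> WriteProperty      Delete            -> Delete
#   Delete Subtree        -> DeleteTree         Modify Permissions -> WriteDacl
#   Modify Owner          -> WriteOwner         Create all child objects -> CreateChild
#   Delete all child objects -> DeleteChild
$rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, CreateChild, DeleteChild'

# Success-only auditing, inherited by this object and all descendant objects
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# -Audit is required: without it Get-Acl reads (and Set-Acl writes) only the DACL, not the SACL
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: show the audit entries now present for Everyone on the target object
(Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited
```

Running Get-Acl without -Audit and then Set-Acl is the classic mistake here: the command succeeds but the SACL is never touched, and no 4662 or 5136 events appear. The final Get-Acl call is the check that the entry actually landed.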

Audit directory service changes


    Besides these two policy settings, you can fine-tune auditing with Audit directory service changes, a subcategory of DS Access under Advanced Audit Policy Configuration. The subcategory exists from Windows Server 2008 onward; the Group Policy user interface for it is available from Windows Server 2008 R2, and on Windows Server 2008 it is set with Auditpol.exe. Events in this category include extra details, namely the Old Value and New Value of the changed properties. Like directory service access events, they are written only for objects that carry an audit entry, so the object-level step above is still required.

    Caution: on Windows Server 2008 and later, once any Advanced Audit Policy setting has been applied to a Domain Controller, the legacy Audit Policy settings configured earlier in this article are ignored on that computer (the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled by default). If you use Advanced Audit Policy Configuration, also enable the Audit User Account Management, Audit Computer Account Management, Audit Security Group Management and Audit Directory Service Access subcategories there, so that account management and access events keep being logged.

You can enable this Advanced Audit Policy setting in either of two ways: through Group Policy (Windows Server 2008 R2 and later) or with Auditpol.exe.

To enable it through Group Policy, edit the Default Domain Controllers Policy as before and:

    1. Go to the node DS Access (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration -> DS Access).

    2. Set Audit directory service changes to Success.




You can also enable this Advanced Audit Policy setting by using Auditpol.exe; this is the method to use on Windows Server 2008 without R2, and it must be run on each Domain Controller.
Run this command in an elevated command prompt:

Auditpol /set /subcategory:"Directory Service Changes" /success:enable
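The following script is an added example, not part of the original article. It enables the subcategory with Auditpol.exe, confirms the effective setting, and then reads back the change events that the settings in this article produce: the Directory Service Changes events (5136 object modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted) and the Account Management events that correspond to the list at the top of the article (4720 user created, 4726 deleted, 4722 enabled, 4725 disabled, 4723 password change, 4724 password reset, 4740 locked out, 4767 unlocked, 4781 renamed, 4728/4732/4756 member added, 4729/4733/4757 member removed). It assumes an elevated PowerShell prompt on a Windows Server 2008 or later Domain Controller; the 24-hour window and the column layout are arbitrary choices.

```powershell
# Added example: enable Directory Service Changes auditing and read the resulting events.
# Assumption: run elevated on a Domain Controller (Windows Server 2008 or later).

# 1. Enable success auditing for the subcategory and confirm the effective setting.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"

# 2. Event IDs produced by the audit settings described in this article.
$changeEvents = @{
    # DS Access > Directory Service Changes (needs the object-level SACL from the previous section)
    5136 = 'Directory object modified';   5137 = 'Directory object created'
    5138 = 'Directory object undeleted';  5139 = 'Directory object moved'
    5141 = 'Directory object deleted'
    # Account Management (no SACL needed)
    4720 = 'User account created';        4726 = 'User account deleted'
    4722 = 'User account enabled';        4725 = 'User account disabled'
    4723 = 'Password change attempted';   4724 = 'Password reset attempted'
    4740 = 'User account locked out';     4767 = 'User account unlocked'
    4781 = 'Account name changed'
    4728 = 'Member added to global group';     4729 = 'Member removed from global group'
    4732 = 'Member added to local group';      4733 = 'Member removed from local group'
    4756 = 'Member added to universal group';  4757 = 'Member removed from universal group'
}

# A single attribute change writes TWO 5136 events: one carrying the old value
# (OperationType %%14675, Value Deleted) and one carrying the new value (%%14674, Value Added).
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function ConvertFrom-ADChangeEvent {
    # Flatten one Security event into the fields an analyst needs, using its XML EventData.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 51xx events name the object by DN; 47xx events name the target account/group
    $target = if ($data.ObjectDN) { $data.ObjectDN }
              elseif ($data.TargetUserName) { "$($data.TargetDomainName)\$($data.TargetUserName)" }
              else { $null }

    [pscustomobject]@{
        Time        = $Event.TimeCreated
        EventId     = $Event.Id
        Description = $changeEvents[[int]$Event.Id]
        Actor       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Target      = $target
        Attribute   = $data.AttributeLDAPDisplayName            # 5136 only
        Operation   = if ($data.OperationType) { $opNames[[string]$data.OperationType] } else { $null }
        Value       = $data.AttributeValue                      # 5136 only: old or new value
        Member      = $data.MemberName                          # group membership events only
    }
}

# 3. Pull the last 24 hours of change events from this DC's Security log.
$filter = @{ LogName = 'Security'; Id = [int[]]$changeEvents.Keys; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ADChangeEvent $_ } |
    Sort-Object Time |
    Format-Table Time, EventId, Description, Actor, Target, Attribute, Operation, Value -AutoSize
```

If the auditpol /get line reports "No Auditing" after the set, the setting is being overwritten by Group Policy at the next refresh; configure it in the GPO instead. If 47xx events appear but no 51xx events, the object-level SACL is missing or does not apply to the object that was changed. If nothing at all appears for account creation while Advanced Audit Policy settings are in use, the legacy Audit Policy settings are being overridden, as described in the caution above.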




Refer to http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html for the various Event IDs generated by these settings.

Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 (the Audit directory service changes section applies to Windows Server 2008 and later only).

Related Articles:

How password policy works in Active Directory
Account Lockout Policy in Active Directory
Logon/Logoff Events in Active Directory
Active Directory Change Event IDs
LastLogon vs LastLogonTimeStamp
How to create Fine Grained Password Policy

Thanks,
Morgan
Software Developer

2 comments:

  2. Hi! Really useful info; nevertheless I'm having trouble when I check the security events: there's no event associated with the creation of any account. I've been creating and deleting users under a specific OU and I still haven't been able to see it in Event Viewer :(