How to Enable the Audit of Active Directory Objects in Windows 2008 R2
Windows 2008 R2 has much more and better features than its predecessors. It also wins in the native auditing part when it comes to audit the Active Directory objects. With granular control, you can easily figure out almost every change in the IT infrastructure. This also helps you to identify who ve made what change, when, and from where; but needs more in-depth investigations. In this article, we ll discuss the steps involved in enabling the audit of Active Directory Objects in Windows 2008 R2. How to Enable Global Audit Policy Follow below steps to enable the Global Audit Policy in Windows Server 2008 R2, 1. Go to Start > Administrative Tools > Group Policy Management. This will open the following window. Figure: Group Policy Management 2. In the Left Hand Panel, expand Domains > (your domain) > Domain Controllers and then click Default Domain Controllers Policy as show below. Figure: Browsing Default Domain Controllers Policy Node
3 Selecting this will display a warning message that making any changes in this policy will be global to the GPO and affect other locations. Figure: Global Policy Modification Warning 3. Read the warning and click OK button to proceed. 4. You can also check the box titled Do not show this message again, if you want. 5. Now, do a right click on the Default Domain Controllers Policy and select Edit to display the following window. Figure: Group Policy Management Editor
7. You ve to browse through Computer Configurations > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy, to access the auditing policies as show herein below. Figure: Audit Policy 8. Here, you can access the following audit policies. i) Audit account logon events ii) Audit account management iii) Audit directory service access iv) Audit logon events v) Audit object access vi) Audit policy change vii) Audit privilege use viii) Audit process tracking ix) Audit system events 9. Double click Audit directory service access to display the following dialog box.
Figure: Properties of the Audit directory service access policy 10. Check Define these policy settings and then check both Success and Failure attempts. 11. Click Apply and OK button to enable the Audit directory service access auditing. 12. (Optional) In the similar way, you can enable the auditing of other available policies.
Enabling the Advanced Audit Policies 1. In the same Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration. This contains a node titled Audit Policies, which contains the auditing policies subcategories. Figure: Advanced Audit Policy Configuration node 2. Expand the node Audit Polices to access the nodes, which are the categories of events in fact. Each category contains the advanced polices, which has to be enabled one-by-one. The categories are listed herein below: - a. Account Logon b. Account Management c. Detailed Tracking d. DS Access e. Logon/Logoff f. Object Access g. Policy Change h. Privilege Use i. System j. Global Object Access Auditing
3. All of the sub-categories inside above categories have to be enabled. Let us assume an example to enable a policy Audit Detailed File Share in the Object Access category. You ve to follow the similar steps to enable all other policies in each category one-by-one. a. Select the node Object Access Figure: Object Access node in Advanced Audit Policy Configuration b. Now, double click Audit Detailed File Share policy in the Right Hand Panel to access its Properties. Figure: Audit Detailed File Share Properties
c. Check the box titled Configure the following audit events. d. Select both the Success and Failure events. e. Click Apply and OK buttons respectively to enable this auditing. Enabling the Auditing of Objects 1. Go to the Start Menu > All Programs > Administrative Tools >Active Directory Users and Computers to access the following window. Figure: Active Directory Users and Computers 2. Go to the (your domain) > Domain Controllers and right click on the organizational unit. 3. Select Properties to display the following dialog box. Figure: OU Properties 4. Go to the Security tab.
Figure: Security Tab 5. Click Advanced button on the bottom to access the following dialog box. Figure: Advanced Security Settings
6. Switch to the Auditing tab. Figure: Auditing Tab 7. In this tab, you can select the users, on which the auditing has to be enabled, and select their events to be audited. By default, auditing for Success events is enabled on Everyone. 8. If you want to specify the auditing for a particular user, then click on Add button to display the following dialog box for adding that user. Figure: Dialog box to add a user 9. Enter the name of the user in the large textbox at the bottom and click Check Names to let the system to identify the correct name of the entered user. 10. Click OK to proceed further with the following dialog box.
Figure: Auditing Entry dialog box 11. It is suggested to select Successful and Failed for all the listed accesses. 12. Click on Apply these auditing entries to objects and/or containers within this container only to enable the auditing of all the objects/containers in the selected container. 13. Click OK button to enable the auditing. This will take you back to the same Auditing tab of Advanced Security Settings. 14. If you want to edit the auditing settings for a particular user, then select it and click Edit button. This will display the same Audit Entry dialog box and you can follow the above steps to enable the modified auditing for an existing user. 15. To reset the modified auditing settings, you can click Restore Defaults button. 16. Click Apply and OK button to apply the auditing settings. This will take you back to the Properties dialog box of the OU. 17. Click on OK button.
Performing the Audit After enabling the Active Directory auditing, all the events for the changes in Active Directory and in the selected Organizational Unit will be recorded. You can use the traditional Event Viewer to browse the events and to conduct the auditing. Third Party Tool If you face hardships to enable the auditing with too many steps and then to deal with the logged events containing difficult-to-read information, then it is advised to make of trusted third party tools for Active Directory auditing. We offer a better option than others do for this purpose. We re talking about LepideAuditor for Active Directory (LAAD). This next-gen tool has awesome features like in-depth tracking of the changes in state and values of objects, power to reinstate the states of the objects to the working states in case of any emergency, and to create long audit trails for any change. With a centralized solution to monitor all the domains at a common platform and longterm storage of logs, it lets you clearly identify the before- and after- values of each change. Conclusion You can follow the above-mentioned steps to enable the native auditing of Active Directory objects in any domain. Afterwards, you can use Event Viewer to see all the logged events for any change in the AD environment. If you face any kind of difficulty with the native auditing, then you can go for LepideAuditor for Active Directory a paid tool with extraordinary features.