Windows Server 2012 is far superior to its predecessors. Its native auditing has improved over that of previous versions: it gives more granular control and lets you audit Active Directory more efficiently. Users get an in-depth view of changes, answering the “who, what, when and where” questions of change auditing. In this article, we will discuss how to enable auditing of Active Directory objects in Windows Server 2012.

Enable Global Audit Policy

1. Go to “Start” ➔ “Administrative Tools” ➔ “Group Policy Management”. The following window appears on the screen.

Figure 1: Group Policy Management

2. In the left panel, go to the “Domains” node ➔ “www.domain.com” ➔ “Domain Controllers” to see “Default Domain Controllers Policy”, as shown in the following image.

Figure 2: Go to Default Domain Controllers Policy

3. When you click on this policy, it displays a warning message that making any changes in this policy will be global to the GPO and affect other locations where this GPO is linked.

Figure 3: Global Policy Modification warning

You can select the “Do not show this message again” checkbox if you want. Click “OK” to proceed after reading the warning.

4. Next, right click on the “Default Domain Controllers Policy”, and select “Edit” from the context menu to display the “Group Policy Management Editor” window.

Figure 4: Group Policy Management Editor

5. Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies” ➔ “Audit Policy” to access the auditing policies as shown below.

Figure 5: Audit Policies

6. Double click “Audit directory service access” to display the following dialog box.

7. Check “Define these policy settings” and then select both “Success” and “Failure” checkboxes.

8. Click “Apply” and “OK” to enable the “Audit directory service access” auditing.

9. Similarly, you can enable auditing for the other available policies as well.

Figure 6: Properties of the “Audit directory service access” policy

Enable the Advanced Audit Policies

1. In the same Group Policy Management Editor, go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration”. Click “Audit Policies” to list all of its group policies.

Figure 7: Advanced Audit Policy Configuration node

2. Expand the “Audit Policies” node to access the audit policies, which represent event categories. Each category contains advanced policies, which have to be enabled one by one.

Figure 8: Object Access node in Advanced Audit Policy Configuration

3. For example, let us assume that you want to enable “Audit Detailed File Share” in the “Object Access” category.
(NOTE: You have to follow similar steps to enable all other policies in each category one by one.)

a. Select “Object Access” node.

b. Now, double click “Audit Detailed File Share” policy in the right pane to access its properties.

Figure 9: Audit Detailed File Share Properties

c. Select “Configure the following audit events” checkbox.

d. Select both “Success” and “Failure” events.

e. Click “Apply” and “OK” to enable this audit policy.
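
To confirm that the Group Policy settings above actually took effect on a domain controller, the following added example (not part of the original article) reads the effective audit policy with the built-in `auditpol` tool. The list of subcategories to check is an assumption, and the string comparison assumes an English-language system.

```powershell
# Added example: report the effective audit policy on this domain controller.
# Run in an elevated PowerShell session on the DC, after 'gpupdate /force'.
# auditpol shows the *effective* setting, which is what matters when both the
# basic "Audit Policy" and the "Advanced Audit Policy Configuration" are defined.

# Assumption: the subcategories you expect to be audited for Success and Failure.
$expected = 'Directory Service Access',
            'Directory Service Changes',
            'Detailed File Share'

$report = foreach ($name in $expected) {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $row = auditpol /get "/subcategory:$name" /r |
        Where-Object { $_ -match '\S' } |      # drop blank lines in the output
        ConvertFrom-Csv

    [pscustomobject]@{
        Subcategory = $name
        Setting     = $row.'Inclusion Setting'
        # English-language value; localized systems print a translated string
        Compliant   = $row.'Inclusion Setting' -eq 'Success and Failure'
    }
}

$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("Not audited for both Success and Failure: " +
                   ($gaps.Subcategory -join ', '))
}
```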

Enable the auditing of objects

1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” ➔ “Active Directory Users and Computers”. The following window appears on the screen.

Figure 10: Active Directory Users and Computers

2. Right click on the organizational unit on which you want to enable auditing. You can also enable auditing directly on the “www.domain.com” root node, the “Domain Controllers” node, or any computer.

3. Select “Properties” from the context menu to access the following window.

Figure 11: OU Properties

4. Go to the “Security” tab.

Figure 12: Security tab

5. Click “Advanced” button to open “Advanced Security Settings”, and switch to the “Auditing” tab in the following window.

Figure 13: Auditing tab

6. Here, select the users and events to audit.

7. To configure auditing for a particular user or everyone, click “Add”, which opens the following window.

Figure 14: Auditing entry for new OU

8. Click on “Select a principal” link to open the following window.

Figure 15: Select the user

9. Enter the name of the user or “Everyone”, and then click on “Check Names” to verify it.

10. Click “OK”. It takes you back to “Auditing Entry” window.

11. In the “Type” field, select “All” to include both “Success” and “Fail”.

12. Select “This object and all descendant objects” in the “Applies to” field.

13. In “Permissions”, select “Full Control” to select all permissions, or select only required permissions.

14. Click “OK” to close the window.

15. If you want to edit the auditing settings for a user, select it and click “Edit”. Doing this will show the same “Audit Entry for <OU name>” dialog box where you can edit the settings.

16. Click “Apply” and “OK” to go back to “Properties” dialog box.

17. Click “OK” to close the “Properties” window.

View the Events

To view the events, use “Event Viewer”. The following window shows a network object created event in the “Event Viewer”.

Figure 16: Share object created event in the Event Viewer
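
The audit entry configured in “Enable the auditing of objects” and the resulting events can also be checked from PowerShell. This is an added example, not part of the original article; the OU name `Sales` is hypothetical, and the script assumes the ActiveDirectory module (RSAT) is installed and that it runs elevated on a domain controller.

```powershell
# Added example: verify the OU's audit entries (SACL) and list recent
# directory-change events for objects under it.
Import-Module ActiveDirectory          # provides the AD: drive used by Get-Acl

# Hypothetical OU in the article's example domain; replace with your own DN.
$ouDn = 'OU=Sales,DC=domain,DC=com'

# -Audit is required, otherwise Get-Acl returns only the permissions (DACL).
$sacl = (Get-Acl -Path "AD:\$ouDn" -Audit).Audit

$sacl | Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights,
                      InheritanceType, IsInherited |
    Format-Table -AutoSize

# The entry from steps 9-13: principal "Everyone", Type "All"
# (Success and Failure), applies to "This object and all descendant objects".
$both  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$entry = $sacl | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.AuditFlags -eq $both -and
    $_.InheritanceType -eq 'All'
}
if (-not $entry) {
    Write-Warning "No Success+Failure audit entry for Everyone on $ouDn"
}

# Directory Service Changes events: 5136 = object modified,
# 5137 = object created, 5141 = object deleted.
$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5141
    StartTime = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ouDn*" } |   # only objects under this OU
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```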

LepideAuditor to audit Active Directory objects modifications

Though Windows Server 2012 gives a far superior auditing experience than its predecessors, real-world situations can sometimes be more demanding and require specialized software to deal with auditing and compliance requirements. LepideAuditor is a widely deployed Active Directory objects auditing solution. The following image shows an Active Directory object created report in LepideAuditor.

Figure 17: LepideAuditor object created report

Conclusion

This article covers the step-by-step process to enable native Active Directory object auditing. It also shows how you can use Event Viewer to see all the logged events for any change in the Active Directory environment. I have also suggested a better option: LepideAuditor, a widely deployed tool with extraordinary features for successful auditing.




Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.