Windows Server 2012 is far superior to its predecessors. The native auditing part of the program has improved than that of the previous versions. For auditing, it gives more granular control and lets you audit Active Directory more efficiently. Users get an in-depth view of the changes for answering the “who, what, when and where” questions of change auditing. In this article, we will discuss how to enable audit of Active Directory objects in Windows Server 2012.
Enable Global Audit Policy
- Go to Start → Administrative Tools → Group Policy Management. The following window appears on the screen.
- In the left Panel, go to ‘Domains’ node → www.domain.com → Domain Controllers to see ‘Default Domain Controllers Policy’ as shown in the following image.
- When you click on this policy, it displays a warning message that making anychanges in this policy will be global to the GPO and affect other locations where this GPO is linked.
- Next, right click on the ‘Default Domain Controllers Policy’, and select ‘Edit’ from the context menu to display the ‘Group Policy Management Editor’ window
- Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy to access the auditing policies as shown below.
- Double click ‘Audit directory service access’ to display the following dialog box.
- Check ‘Define these policy settings’ and then select both ‘Success’ and ‘Failure’ checkboxes.
- Click ‘Apply’ and ‘OK’ to enable the ‘Audit directory service access’ auditing.
- Similarly, you can enable the other available policies’ auditing as well.
Enable the Advanced Audit Policies
- In the same Group Policy Management Editor, go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration. Click ‘Audit Policies’ to list all of its group policies.
- Expand the ‘Audit Polices’ node to access the audit policies, which represent event categories. Each category contains the advanced policies, which has to be enabled one-by-one.
- For example, let us assume that you want to enable ‘Audit Detailed File Share’ in the ‘Object Access’ category. NOTE: You have to follow the similar steps to enable all other policies in each category one-byone.
- Select ‘Object Access’ node.
- Now, double click ‘Audit Detailed File Share’ policy in the right pane to access its properties.
- Select ‘Configure the following audit events’ checkbox.
- Select both ‘Success’ and ‘Failure’ events.
- Click ‘Apply’ and ‘OK’ to enable this audit policy.
Enable the Auditing of Objects
Go Start Menu → All Programs → Administrative Tools → Active Directory Users and Computers. The following window appears on the screen.
- Right click on the organizational unit on which you want to enable the auditing. You can also enable the auditing directly on ‘www.domain.com’ root node, ‘Domain Controllers’ node, any computer.
- Select ‘Properties’ from the context menu to access the following window.
- Go to ‘Security’ tab
- Click ‘Advanced’ button to open ‘Advanced Security Settings’, and switch to the ‘Auditing’ tab in the following window.
- Here, select the users and events to audit.
- To configure auditing for a particular user or everyone, click ‘Add’ that shows the following window.
- Click on ‘Select a principal’ link to open the following window.
- Enter the name of the user or ‘Everyone’, and then click on ‘Check Names’ to verify it.
- Click ‘OK’. It takes you back to ‘Auditing Entry’ window.
- In the ‘Type’ field, select ‘All’ to include both ‘Success’ and ‘Fail’.
- Select ‘This object and all descendant object’ in ‘Applies to’ field.
- In ‘Permissions’, select ‘Full Control’ to select all permissions, or select only required permissions.
- Click ‘OK’ to close the window.
- If you want to edit the auditing settings for a user, select it and click ‘Edit’. Doing this will show the same ‘Audit Entry for <OU name>’ dialog box where you can edit the settings.
- Click ‘Apply’ and ‘OK’ to go back to ‘Properties’ dialog box.
- Click ‘OK’ to close the ‘Properties’ window.
View the Events
To view the events, use ‘Event Viewer’. The following window shows a network object created event in the ‘Event Viewer’.
LepideAuditor to Audit Active Directory Objects Modifications
Though, Windows Server 2012 gives far superior auditing experience than its predecessors, the real world situation can be sometimes more demanding and requires specialized software to deal with the auditing and compliance requirements. LepideAuditor is a widely deployed Active Directory objects auditing solution. The following image shows an Active Directory object created report in LepideAuditor.
This article covers the step-by-step process to enable the native Active Directory objects auditing. It also shows, how you can use Event Viewer to see all the logged events for any change in the Active Directory environment. I have also suggested a better option: LepideAuditor – a widely deployed tool with extraordinary features for a successful auditing.