A critical part of securing the Active Directory environment is being able to obtain detailed insights on when objects are created.

Below are the steps it takes to generate a report for when objects are created in Active Directory using native processes:

1. Group Policy Audit Settings - Configuration

In the Run window, type the command – gpmc.msc to open the Group Policy Management Console.

2. Editing the Default Domain Policy of the domain

To edit the Group policy of a particular domain, simply select your domain, navigate to the “Default Domain Policy” and right click on it to select the “Edit” option.

3. Defining the Settings for Audit Account Management Policy

In the left panel, navigate to Computer Configuration>Windows Settings>Security Settings > Local Policies > Audit Policy and double-click ‘Audit account management’.

4. Selecting the Security Policy Setting tab

Next, click the Security Policy Setting tab and select Success under the “Audit these attempts” checkbox.

5. Configuration of ADSI

Expand ADSI Edit and the default naming context. Next, right click on the particular domain name and select Properties.

6. Navigating to the Auditing Entry Window for your domain

In the DC properties window, navigate to the security tab and click Advanced. In the Advanced Security Settings, navigate to the Auditing tab and click Add. In the field - Enter the object name, write ‘Everyone’ and in the Auditing Entry, select “Create all child objects” and finally click OK.

7. Filtering the Security Event Log by Event ID 5137

Open Event Viewer, expand Windows Logs and select Security. In the “Filter Security Event Log” window, select the duration, event level and fill up the other necessary details along with Event ID - 5137 to get details on when an object was created.

Generating Details of the Event

To get more information on the event, Double-click on it to open the Event Properties Window.

IT administrators must regularly audit events in user accounts and keep a constant track on the activities of users in order to stay informed about what’s happening in their AD environment. However, native auditing techniques make this quite an arduous and technically difficult process. Therefore, we recommend deploying auditing solutions, like Lepide Active Directory Auditor, that can enhance security by automatically tracking every single object in Active Directory.

How LepideAuditor for Active Directory helps to track when an object is created in Active Directory

Whenever a user creates an object, Lepide Active Directory audit solution provides all details about that particular object and sends through real-time alerts. These alerts are delivered as emails, as updates to LiveFeed widget and as push notifications to the LepideAuditor App (for Android and Apple devices).

Below is a screenshot that displays the Object Created Reports under the “Active Directory Modifications Report” tab of LepideAuditor for Active Directory.

Final Notes

Users can simply click on a particular row and see the details of that object in the “Details” panel located on the right side. It shows each and every minute information pertaining to the object such as Object Path, Object Class along with other details; such as who created the object, when and where from..



Download LepideAuditor for Active Directory

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.