How to Enable Auditing in Active Directory Environment


In this blog post, I’ll show you how to enable auditing in an Active Directory environment and capture many kinds of login information and access events.

By default, AD auditing is not enabled, and out of the box AD offers only a limited set of events that are logged in the Event Viewer.

Once auditing is enabled, all logs and events will be available in the Event Viewer Security log on each domain controller that the user or computer authenticated against.

Active Directory History

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks.

It is included in most Windows Server operating systems as a set of processes and services.

Initially, Active Directory was only in charge of centralized domain management.

Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain.

Active Directory auditing will log any Directory Service Changes events, such as Create, Modify and Delete, that are performed on an AD object and will write them to the security log.

Once the event is written to the security log, the entry will include the SAMACCOUNTNAME of the modified object and the user who modified it.

Get Started

To enable auditing, open the Group Policy Management console and create a new policy or edit an existing one.

In the policy, go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

As you can see below, Microsoft offers auditing for any possible event under the sun.

Group policy Management Editor

Audit account logon events

This policy captures account logon events, which are generated whenever a computer validates the credentials of an account for which it is authoritative.


Audit privilege use

This security setting determines whether to audit each instance of a user exercising a user right.


Audit directory service access

This security setting determines whether the OS audits user attempts to access Active Directory objects.


As shown above, the options are unlimited and we have the option to audit many events and actions.
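
To confirm that the three policies described above have actually applied to a domain controller and are producing events, the following check can be run in an elevated PowerShell session on the DC. It is an added example, not part of the original post; the auditpol category names assume an English-language Windows install, and the event ID selection and the 24-hour window are choices made here for illustration.

```powershell
# Added example: run elevated on a domain controller after the GPO has refreshed.
# Maps each policy from the post to its auditpol category and to well-known
# Security log event IDs written when that category is audited.
$policies = @(
    [pscustomobject]@{ Policy = 'Audit account logon events'
                       Category = 'Account Logon'; EventIds = 4768, 4769, 4776 }
    [pscustomobject]@{ Policy = 'Audit privilege use'
                       Category = 'Privilege Use'; EventIds = 4673, 4674 }
    [pscustomobject]@{ Policy = 'Audit directory service access'
                       Category = 'DS Access';     EventIds = 4662, 5136, 5137, 5141 }
)

$since = (Get-Date).AddHours(-24)   # assumed look-back window

foreach ($p in $policies) {
    # /r prints the effective policy as CSV; drop blank lines before parsing.
    $effective = @(auditpol /get /category:"$($p.Category)" /r |
                   Where-Object { $_ } | ConvertFrom-Csv)

    # Subcategories that log Success, Failure, or both.
    $audited = @($effective | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })

    # Matching events in the local Security log. Get-WinEvent raises an error
    # when nothing matches, so suppress it and treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $p.EventIds; StartTime = $since
    } -ErrorAction SilentlyContinue)

    # One summary row per policy.
    [pscustomobject]@{
        Policy               = $p.Policy
        SubcategoriesAudited = "$($audited.Count) of $($effective.Count)"
        EventsLast24h        = $events.Count
        ByEventId            = ($events | Group-Object Id | Sort-Object Name |
                                ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}
```

A row showing audited subcategories but zero events over a busy period is worth investigating, since the Security log is local to each domain controller and the activity may have been recorded on a different DC.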



