A.1 Configuring the Security Event Log

You must configure the security event log to ensure that Active Directory events remain in the event log until Change Guardian processes them.

Set the maximum size of the Security event log to no less than 10 MB, and set the retention method to Overwrite events as needed. Treat 10 MB as a floor: a busy domain controller can fill 10 MB of security events quickly, so size the log so that events survive at least as long as the interval between Change Guardian collections.

To configure the security event log:

  1. Log in to a computer in the domain you want to configure, using a user account with domain administrator privileges and with the Group Policy Management Console installed.

  2. Open a command prompt, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, and then click Edit.

    NOTE: Making this change in the Default Domain Controllers Policy is important because a GPO linked to the Domain Controllers organizational unit (OU) with higher precedence (a lower link order number, which is processed last and wins) can override this configuration the next time policy is refreshed, whether by a restart or by running gpupdate. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your Change Guardian settings, add these settings to it, and give it link order 1 (highest precedence) in the Domain Controllers OU.

  5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

  6. Select Event Log and configure Maximum security log size to a size of no less than 10240 KB (10 MB).

  7. Configure Retention method for security log to Overwrite events as needed.

  8. On each domain controller, open a command prompt, type gpupdate, and then press Enter. Running gpupdate on the management workstation refreshes only that workstation's own policy; the domain controllers otherwise pick up the change at their next scheduled refresh (every five minutes by default).

To verify this configuration on a domain controller and ensure Active Directory events are not discarded before processing:

  1. On the domain controller, open a command prompt as an administrator.

  2. At the command line, type eventvwr and press Enter to start the Event Viewer.

  3. In Windows logs, right-click Security, and select Properties.

  4. Verify the settings reflect a maximum log size of no less than 10240 KB (10 MB), and that Overwrite events as needed is selected. Repeat on every domain controller, since the policy applies to each one separately.
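The Event Viewer check above covers one domain controller at a time. The following PowerShell script is an added example, not part of the Change Guardian documentation, that performs the same check on every domain controller at once and also reports how much history the Security log currently holds, which is the window Change Guardian has to collect an event before it is overwritten. It assumes the ActiveDirectory RSAT module on the workstation, PowerShell remoting (WinRM) to each domain controller, and a domain administrator account; $MinimumKB is a variable introduced here for the 10 MB floor.

```powershell
# Added example (not from the Change Guardian documentation): verify the Security
# log on every domain controller after the GPO has been applied.
# Assumes the ActiveDirectory RSAT module, PowerShell remoting to each DC, and a
# domain administrator account.
$MinimumKB = 10240   # the 10 MB minimum the procedure above requires

# Every DC in the domain; the GPO is linked to the Domain Controllers OU, so each
# one must reflect the setting independently.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $log = Get-WinEvent -ListLog Security
    # LogMode Circular is what the Event Viewer calls "Overwrite events as needed";
    # AutoBackup is "Archive the log when full"; Retain is "Do not overwrite events".
    [pscustomobject]@{
        MaximumKB   = [int]($log.MaximumSizeInBytes / 1KB)
        LogMode     = $log.LogMode.ToString()
        RecordCount = $log.RecordCount
        # Oldest and newest events still in the log: the span between them is how
        # long an event survives before the circular log overwrites it.
        OldestEvent = (Get-WinEvent -LogName Security -MaxEvents 1 -Oldest).TimeCreated
        NewestEvent = (Get-WinEvent -LogName Security -MaxEvents 1).TimeCreated
    }
}

foreach ($r in $results) {
    $sizeOk = $r.MaximumKB -ge $MinimumKB
    $modeOk = $r.LogMode -eq 'Circular'
    $status = if ($sizeOk -and $modeOk) { 'OK' } else { 'FIX' }
    $retainedHours = [math]::Round(($r.NewestEvent - $r.OldestEvent).TotalHours, 1)
    $line = '{0,-30} {1,-4} max={2}KB mode={3} retained={4}h events={5}'
    $line -f $r.PSComputerName, $status, $r.MaximumKB, $r.LogMode, $retainedHours, $r.RecordCount
}
```

A domain controller reported as FIX has not applied the policy: run gpupdate on it and check the link order of any other GPO linked to the Domain Controllers OU. A domain controller whose retained window is shorter than the interval between Change Guardian collections is losing events even though it meets the 10 MB minimum; raise the maximum log size on that controller until the window comfortably exceeds the collection interval.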