A.2 Configuring Active Directory Auditing

This configuration enables auditing of Active Directory events. The events are logged into the security event log.

The Default Domain Controllers Policy GPO should be configured with Audit Directory Service Access set to monitor both Success and Failure events.

To verify or set this configuration manually in Windows Server 2008 R2:

  1. Open a command prompt as an administrator.

  2. At the command line, type gpmc.msc and press Enter to start the Group Policy Management Console.

  3. In the forest, click Domains, and then select the domain to configure.

  4. In the domain to configure, click Group Policy Objects.

  5. Right-click Default Domain Controllers Policy, and then click Edit.

  6. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  7. In Security Settings, expand Advanced Audit Policy Configuration.

  8. Click DS Access.

  9. Click Audit Directory Service Access.

  10. Verify the following selections:

    • Configure the following audit events

    • Success

    • Failure

  11. Click OK to return to the command prompt.

  12. Type gpUpdate to apply changes.

Instead of configuring Audit Directory Service Access, you can configure the subcategories Audit Directory Service Changes and Audit Directory Service Replication. However, the Windows server detects events related to Audit Directory Service Access before it detects events for the other subcategories.

A GPO linked to the DC’s OU with a higher link order overrides this configuration when you start the computer, or run gpUpdate.

To verify or set this configuration manually in Windows Server 2003 and Windows Server 2008:

  1. Open a command prompt as an administrator.

  2. At the command line, type gpmc.msc to start the Group Policy Management Console.

  3. In the forest, click Domains, and then select the domain to configure.

  4. In the domain to configure, click Group Policy Objects.

  5. Right-click Default Domain Controllers Policy, and then click Edit.

  6. Expand Computer Configuration > Policies > Windows Settings > Security Settings.

  7. In Security Settings, expand Local Policies, and then select Audit Policy.

  8. Click Audit Directory Service Access.

  9. Verify the following selections:

    • Define these policy settings

    • Success

    • Failure

NOTE: A GPO linked to the DC’s OU with a higher link order overrides this configuration when you start the computer, or run gpUpdate.

To verify this configuration manually from the command line in Windows Server 2008 and 2008 R2, log on to the agent computer as an administrator and then:

  1. Open a command prompt as an administrator.

  2. On the command line, type auditpol /get /subcategory:{0cce923b-69ae-11d9-bed3-505054503030}.

NOTE: Any GPO configuration will override the auditpol configuration when you start the computer, or when you run gpUpdate.
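As an added example (not part of this appendix or the product it documents), the following PowerShell script performs the auditpol check above non-interactively, reports whether the subcategory is set to both Success and Failure, and counts the Security-log events that setting produces. It assumes an elevated session on the domain controller and uses the subcategory GUID quoted in step 2.

```powershell
# Added example, not from the original appendix: verify the effective
# Directory Service Access audit setting and count recent resulting events.
# Assumes an elevated PowerShell session on the domain controller.
$DsAccessGuid = '{0cce923b-69ae-11d9-bed3-505054503030}'   # GUID quoted in the appendix

function Test-DsAccessAudit {
    param([int]$Hours = 24)

    # 'auditpol /get ... /r' emits CSV with an 'Inclusion Setting' column whose
    # value is 'Success and Failure', 'Success', 'Failure' or 'No Auditing'.
    $row = auditpol /get "/subcategory:$DsAccessGuid" /r |
        Where-Object { $_.Trim() } |      # drop the blank line auditpol prints first
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'

    # Directory Service Access auditing writes event ID 4662
    # ("An operation was performed on an object") to the Security log.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Security'; Id = 4662; StartTime = $since
              } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

    [pscustomobject]@{
        Subcategory      = $row.Subcategory
        InclusionSetting = $setting
        Compliant        = ($setting -eq 'Success and Failure')
        Events4662       = @($events).Count
    }
}

$result = Test-DsAccessAudit
$result | Format-List

if (-not $result.Compliant) {
    # Per the notes above, a GPO linked to the DC's OU with a higher link order,
    # or a GPO applied after a local auditpol change, may be overriding the setting.
    Write-Warning "Directory Service Access is '$($result.InclusionSetting)'; expected 'Success and Failure'."
}
```

Run it again after gpUpdate to confirm that the GPO-delivered setting, not a local auditpol change, is the one in effect.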