How to Enable the Audit of Active Directory Objects in Windows 2008 R2 Lepide Software

(1)

How to Enable the Audit of Active

Directory Objects in Windows 2008 R2

B 57, Sector 57 Noida, U.P.

India 201301 Phone: +91 (120) 4282353

Fax: +91 (120) 4282354 www.lepide.com

Lepide Software

(2)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Windows 2008 R2 has much more and better features than its predecessors. It

also wins in the native auditing part when it comes to audit the Active Directory

objects. With granular control, you can easily figure out almost every change in

the IT infrastructure. This also helps you to identify who’ve made what change,

when, and from where; but needs more in-depth investigations. In this article,

we’ll discuss the steps involved in enabling the audit of Active Directory Objects

in Windows 2008 R2.

How to Enable Global Audit Policy

Follow below steps to enable the Global Audit Policy in Windows Server 2008

R2,

1. Go to Start > Administrative Tools > Group Policy Management. This will

open the following window.

Figure: Group Policy Management

2.

In the Left Hand Panel, expand Domains > (your domain) > Domain

Controllers and then click “Default Domain Controllers Policy” as show

below.

(3)

India 201301 Phone: +91 (120) 4282353

Lepide Software

3 Selecting this will display a warning message that making any changes in this policy will be global to the GPO and affect other locations.

Figure: Global Policy Modification Warning

3. Read the warning and click “OK” button to proceed.

4. You can also check the box titled “Do not show this message again”, if you want.

5. Now, do a right click on the “Default Domain Controllers Policy” and select Edit to display the following window.

(4)

India 201301 Phone: +91 (120) 4282353

Lepide Software

7. You’ve to browse through Computer Configurations > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy, to access the auditing policies as show herein below.

Figure: Audit Policy

8. Here, you can access the following audit policies. i) Audit account logon events

ii) Audit account management iii) Audit directory service access iv) Audit logon events

v) Audit object access vi) Audit policy change vii) Audit privilege use viii) Audit process tracking ix) Audit system events

9. Double click “Audit directory service access” to display the following dialog box.

(5)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Figure: Properties of the “Audit directory service access” policy

10. Check “Define these policy settings” and then check both “Success” and “Failure” attempts.

11. Click “Apply” and “OK” button to enable the “Audit directory service access” auditing.

12. (Optional) In the similar way, you can enable the auditing of other available

(6)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Enabling the Advanced Audit Policies

1. In the same Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration. This contains a node titled “Audit Policies”, which contains the auditing policies’ subcategories.

Figure: Advanced Audit Policy Configuration node

2. Expand the node “Audit Polices” to access the nodes, which are the categories of events in fact. Each category contains the advanced polices, which has to be enabled one-by-one. The categories are listed herein below: -

a. Account Logon b. Account Management c. Detailed Tracking d. DS Access e. Logon/Logoff f. Object Access g. Policy Change h. Privilege Use i. System

(7)

3. All of the sub-categories inside above categories have to be enabled. Let us assume an example to enable a policy “Audit Detailed File Share” in the “Object Access” category. You’ve to follow the similar steps to enable all other policies in each category one-by-one.

a. Select the node “Object Access”

Figure: Object Access node in Advanced Audit Policy Configuration

b. Now, double click “Audit Detailed File Share” policy in the Right Hand Panel to access its Properties.

Figure: Audit Detailed File Share Properties

India 201301 Phone: +91 (120) 4282353

Lepide Software

(8)

c. Check the box titled “Configure the following audit events”. d. Select both the “Success” and “Failure” events.

e. Click “Apply” and “OK” buttons respectively to enable this auditing. Enabling the Auditing of Objects

1. Go to the Start Menu > All Programs > Administrative Tools >Active Directory Users and Computers to access the following window.

Figure: Active Directory Users and Computers

2. Go to the (your domain) > Domain Controllers and right click on the organizational unit.

3. Select “Properties” to display the following dialog box.

Figure: OU Properties

4. Go to the “Security” tab. B 57, Sector 57

Noida, U.P. India 201301 Phone: +91 (120) 4282353

Lepide Software

(9)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Figure: Security Tab

5. Click “Advanced” button on the bottom to access the following dialog box.

(10)

India 201301 Phone: +91 (120) 4282353

Lepide Software

6. Switch to the “Auditing” tab.

Figure: Auditing Tab

7. In this tab, you can select the users, on which the auditing has to be enabled, and select their events to be audited. By default, auditing for “Success” events is enabled on “Everyone”.

8. If you want to specify the auditing for a particular user, then click on “Add” button to display the following dialog box for adding that user.

Figure: Dialog box to add a user

9. Enter the name of the user in the large textbox at the bottom and click “Check Names” to let the system to identify the correct name of the entered user. 10. Click “OK” to proceed further with the following dialog box.

(11)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Figure: Auditing Entry dialog box

11. It is suggested to select “Successful” and “Failed” for all the listed accesses. 12. Click on “Apply these auditing entries to objects and/or containers within this

container only” to enable the auditing of all the objects/containers in the selected container.

13. Click “OK” button to enable the auditing. This will take you back to the same “Auditing” tab of Advanced Security Settings.

14. If you want to edit the auditing settings for a particular user, then select it and click “Edit” button. This will display the same “Audit Entry” dialog box and you can follow the above steps to enable the modified auditing for an existing user. 15. To reset the modified auditing settings, you can click “Restore Defaults” button. 16. Click “Apply” and “OK” button to apply the auditing settings. This will take you

back to the Properties dialog box of the OU. 17. Click on “OK” button”.

(12)

India 201301 Phone: +91 (120) 4282353

Lepide Software

Performing the Audit

After enabling the Active Directory auditing, all the events for the changes in Active Directory and in the selected Organizational Unit will be recorded. You can use the traditional Event Viewer to browse the events and to conduct the auditing.

Third Party Tool

If you face hardships to enable the auditing with too many steps and then to deal with the logged events containing difficult-to-read information, then it is advised to make of trusted third party tools for Active Directory auditing. We offer a better option than others do for this purpose. We’re talking about LepideAuditor for Active Directory

(LAAD). This next-gen tool has awesome features like in-depth tracking of the changes in state and values of objects, power to reinstate the states of the objects to the working states in case of any emergency, and to create long audit trails for any change. With a centralized solution to monitor all the domains at a common platform and long-term storage of logs, it lets you clearly identify the before- and after- values of each change.

Conclusion

You can follow the above-mentioned steps to enable the native auditing of Active Directory objects in any domain. Afterwards, you can use Event Viewer to see all the logged events for any change in the AD environment. If you face any kind of difficulty with the native auditing, then you can go for LepideAuditor for Active Directory – a paid tool with extraordinary features.