LepideAuditor Suite

Enabling Auditing Manually

Table of Contents

Enabling Auditing in LepideAuditor Suite

Steps to enable auditing while adding a domain

Steps to enable auditing while modifying a domain

Issue

Solution

Commands to Enable Auditing

Commands for Windows Server 2008 or above

Commands for Windows Server 2003

Enabling Auditing using ADSIEdit.msc

Enabling Auditing in LepideAuditor Suite

Steps to enable auditing while adding a domain

While adding a domain, LepideAuditor Suite gives you an option to enable its auditing.

Figure 1: “Add Domain” wizard

Steps to enable auditing while modifying a domain

In addition, you can click in the Domain Settings to enable the auditing while modifying the domain.

Issue

If LepideAuditor Suite faces any problem in enabling the auditing, it will display the following error message while adding/modifying the domain.

Figure 3: Error message for problem in enabling the auditing

Solution

If LepideAuditor Suite displays an error message or doesn’t enable the auditing, perform the following steps:

1. Enable the following system audit policies: System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, Account Management, DS Access, Account Logon

2. Auditing settings of the Active Directory environment could be set up as follows:

| Auditing Entries for | AD Forest Partition | For | Object Access type | Apply onto |
| --- | --- | --- | --- | --- |
| All AD objects | Domain naming context | Everyone | Successful | This object and all descendant/child objects |
| AD configuration object | Configuration context | Everyone | Successful | This object and all descendant/child objects |

Commands to Enable Auditing

LepideAuditor Suite will also try to perform the following audit settings automatically. If it doesn’t succeed, then you will have to perform these steps manually.

Start the Command Prompt using Administrator privileges and execute these commands one by one.

Commands for Windows Server 2008 or above

Auditpol /set /category:"System" /success:enable /failure:enable

Auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

Auditpol /set /category:"Object Access" /success:enable /failure:enable

Auditpol /set /category:"Privilege Use" /success:enable /failure:enable

Auditpol /set /category:"Detailed Tracking" /success:enable /failure:enable

Auditpol /set /category:"Policy Change" /success:enable /failure:enable

Auditpol /set /category:"Account Management" /success:enable /failure:enable

Auditpol /set /category:"DS Access" /success:enable /failure:enable
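
A read-back check for the commands above, as an added example that is not part of the Lepide guide: it queries each of the nine categories named in step 1 of the Solution (including Account Logon) and lists every subcategory that is not set to Success and Failure. It assumes English category names and an elevated PowerShell session on Windows Server 2008 or above.

```powershell
# Added example: verify the nine audit categories listed in step 1 of "Solution".
# Assumption: English-language category names; run from an elevated session.
$categories = 'System', 'Logon/Logoff', 'Object Access', 'Privilege Use',
              'Detailed Tracking', 'Policy Change', 'Account Management',
              'DS Access', 'Account Logon'

$report = foreach ($category in $categories) {
    # /r prints CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $rows = auditpol /get /category:"$category" /r |
        Where-Object { $_.Trim() } |      # drop blank lines before parsing
        ConvertFrom-Csv

    foreach ($row in $rows) {
        [pscustomobject]@{
            Category    = $category
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Compliant   = $row.'Inclusion Setting' -eq 'Success and Failure'
        }
    }
}

# Anything that is "No Auditing", "Success" only or "Failure" only is a gap.
$gaps = @($report | Where-Object { -not $_.Compliant })

if ($gaps.Count -gt 0) {
    $gaps | Format-Table Category, Subcategory, Setting -AutoSize
    Write-Warning "$($gaps.Count) subcategories are not set to Success and Failure."
} else {
    Write-Output 'All subcategories in the nine categories audit success and failure.'
}
```

If a domain Group Policy also defines audit settings, it can overwrite values set locally with Auditpol, so run the check again after the next policy refresh.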

LepideAuditor Suite

Enabling Auditing at A Domain Manually

© Lepide Software Pvt. Ltd.

Page | 8

Commands for Windows Server 2003

auditusr /if Administrator:"System"

auditusr /is Administrator:"System"

auditusr /if Administrator:"Logon/Logoff"

auditusr /is Administrator:"Logon/Logoff"

auditusr /if Administrator:"Object Access"

auditusr /is Administrator:"Object Access"

auditusr /if Administrator:"Privilege Use"

auditusr /is Administrator:"Privilege Use"

auditusr /if Administrator:"Detailed Tracking"

auditusr /is Administrator:"Detailed Tracking"

auditusr /if Administrator:"Policy Change"

auditusr /is Administrator:"Policy Change"

auditusr /if Administrator:"Account Management"

auditusr /if Administrator:"Directory Service Access"

auditusr /is Administrator:"Directory Service Access"

auditusr /if Administrator:"Account Logon"

Enabling Auditing using ADSIEdit.msc

Perform the following audit settings using the ADSIEdit.msc on any Windows Server.

Visit http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx to learn more about installing and using ADSIEdit.msc.

You have to perform the following steps on every Windows Server.

1. Open ADSIEdit.msc using the "Run" dialog box. You can also open it from “Start Menu” → “Administrative Tools” → “ADSIEdit”.

2. Connect to the Active Directory. Select any node and perform below steps. Repeat these steps for each root node.

3. Right-click on the root “ADSI Edit” and select “Connect to”.

4. It is required to connect to all four available naming contexts and to turn on their auditing.

a. Default Naming Context

b. Configuration

c. RootDSE

d. Schema

Figure 4: Select the naming context to which you want to connect

5. Select “Default Naming Context”.

6. Click “OK” to establish the connection. Default Naming Context will be connected and its root node will be displayed in “Left Panel”.

7. Expand the root node to access the domain controller’s node – “DC=www,DC=domain,DC=com”.

8. Again, right click on “ADSIEdit” parent node and select “Connect To”.

9. In “Connection Settings” box, select “Configuration” for naming context and click “OK”.

Figure 5: Connecting to Root Configuration

10. This will connect ADSI Edit to the Domain Configuration and display its root node in the Left Panel.

13. Select “RootDSE” as naming context in “Connection Settings” and click “OK”.

Figure 6: Connecting to RootDSE

14. This will connect ADSI Edit to the root of Active Directory (RootDSE) and show its root node in the Left Panel.

15. Expand root node of RootDSE to access “RootDSE”.

Figure 7: Connecting to Schema

18. This will connect ADSI Edit to the Schema and display its root node in the Left Panel.

19. Expand its node to access “CN=Schema,CN=Configuration,DC=www,DC=domain,DC=com”.

20. Now, it is required to enable the auditing settings for the following four root nodes of different naming contexts.

a. DC=www,DC=domain,DC=com

b. CN=Configuration,DC=www,DC=domain,DC=com

c. RootDSE

21. The user has to perform the following steps one by one for each of the above nodes.

a) Right click on “DC=www,DC=domain,DC=com” under “Default Naming Context”.

b) Select “Properties” option to access its properties.

c) Switch to “Security” tab.

d) Click “Advanced” to access the Advanced Security settings.

e) Switch to “Auditing” tab in “Advanced Security Settings”.

Figure 12: Auditing tab

f) Click “Add” to add the user for whom you want to enable auditing. This will show the following box:

g) Type the name of the specific user for whom you want to enable the auditing. Alternatively, you can type “Everyone” to audit the changes in Group Policies for all users.

h) Click “Check Names” to verify the username.

i) Click “OK” to add the user. This will show the Auditing Entry box.

Figure 14: Auditing Entries for www

j) You can click “Full Control” for both successful and failed categories to monitor all events.

k) Now, you have to uncheck the following entries for both “Successful” and “Failed” columns.

d. Read permissions

Figure 15: Displaying settings to be unchecked

l) Check the box “Apply these auditing entries to objects and/or containers within this container only” to apply the changes to its child objects as well.

m) Click “OK” to apply the auditing entries. This will take you back to “Auditing” tab of Advanced Security Settings.

22. Repeat the steps (a) to (n) of Step 21 to enable the auditing of remaining root nodes.

a. CN=Configuration,DC=www,DC=domain,DC=com

b. RootDSE

c. CN=Schema,CN=Configuration,DC=www,DC=domain,DC=com

23. Close the window of ADSIEdit.msc.
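
To confirm that the ADSIEdit steps took effect, the auditing entries (SACL) can be read back from each naming context root. The following is an added example, not part of the Lepide guide: it assumes the ActiveDirectory PowerShell module is installed and an elevated domain administrator session, and it looks for the entry described in the Solution table (Everyone, Successful, this object and all descendant objects). RootDSE is not checked because the example addresses objects by distinguished name.

```powershell
# Added example: read back the SACL on each naming-context root.
# Assumptions: ActiveDirectory module (RSAT) is available; the session is
# elevated and may read SACLs (for example, a Domain Admin).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$contexts = $rootDse.defaultNamingContext,
            $rootDse.configurationNamingContext,
            $rootDse.schemaNamingContext

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of locale
$success     = [System.Security.AccessControl.AuditFlags]::Success

foreach ($dn in $contexts) {
    # -Audit is required; without it Get-Acl does not return the SACL.
    $acl = Get-Acl -Path "AD:\$dn" -Audit

    $matching = @($acl.Audit | Where-Object {
        $sid = $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value

        $sid -eq $everyoneSid -and
        $_.AuditFlags.HasFlag($success) -and
        $_.InheritanceType -eq 'All'      # this object and all descendant objects
    })

    [pscustomobject]@{
        NamingContext = $dn
        MatchingRules = $matching.Count
        Rights        = ($matching |
                            ForEach-Object { $_.ActiveDirectoryRights } |
                            Sort-Object -Unique) -join '; '
        Compliant     = $matching.Count -gt 0
    }
}
```

A row with Compliant set to False means that no Everyone/Success entry with full inheritance exists on that root, so step 21 should be repeated for it.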

Support

If auditing is still not enabled after following the above manual steps, then you can contact our Support Team.

Helpline

+91-9818725861

1-866-348-7872 (Toll Free for USA/CANADA)

You can also email us about your queries at:

[email protected] for Sales

[email protected] for Support
