
How to track changes made in Active Directory


Below are the steps you can take to enable auditing of Active Directory modifications using only native Windows tools:

1. Configuration of Group Policy Audit Settings

Run gpmc.msc to open the Group Policy Management Console.

2. The Group Policy Management Console

Under Group Policy Management, expand the forest and the domain you want to audit, navigate to Domain Controllers > Default Domain Controllers Policy, right-click it and select Edit to open the Group Policy Management Editor.

3. Advanced Audit Policy Configuration

In the editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

4. Configuring all the policies

Configure the subcategories under each of the following audit policy categories, one category after another:

•   Account Logon

•   Account Management

•   DS Access

•   Logon/Logoff

•   Object Access

•   Policy Change

5. Configuring all policies one by one

Click the first category, Account Logon, and configure the audit events of each of its subcategories in turn.

6. Check both success and failure

In the Policy tab of the Audit Credential Validation properties window, check both options, Success and Failure, so that both kinds of events are audited, and click OK.

Repeat step 6 for every subcategory of the other audit policy categories listed above.

7. Updating the Group Policy

Apply the new settings by running gpupdate /force from a command prompt.

8. Use ADSIEdit.msc to Enable Auditing

1). Open the ADSI Edit console and select "Connect to" to open the Connection Settings window.

2). Next, connect to each of the four available naming contexts, since auditing has to be turned on for every one of them:

•   **Default Naming Context**

•   **Configuration**

•   **RootDSE**

•   **Schema**

Start with the default naming context: right-click the "ADSI Edit" node and select "Connect To".

9. Configuring Connection Settings


10. Establishing connection with Root DSE


11. Connection Settings for Schema


12. Enabling the audit settings for all the four root nodes

Enable the auditing settings on the root node of each of the four naming contexts.

13. Managing Auditing Entry for your Domain

In the properties window of the domain node, open the Security tab and click Advanced to open the Advanced Security Settings window. Switch to the Auditing tab and click Add to open the Auditing Entry window. In the "Name" field type "Everyone", and in the "Access" section check every box except the following four options:

•   Full Control

•   List contents

•   Read all properties

•   Read permissions

Repeat this auditing entry in ADSI Edit for each of the remaining root nodes so that all of them are audited.

14. Filtering the Security Event Log

In Event Viewer, expand Windows Logs, select Security, and then click Filter Current Log.

15. Search by Event ID

In the "Filter Current Log" window, enter the Event ID you are interested in and run the filter.

16. Open Event Properties to see further details.


To know more about any particular event, simply double click on it to see further details.
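The policy check from step 7 and the Security log filtering of steps 14 to 16, written as a PowerShell script. This is an added example, not code from the original article; it assumes an elevated PowerShell session on a domain controller where the steps above have been completed, and the event IDs it uses (5136 object modified, 5137 object created, 5141 object deleted) are the standard Directory Service Changes events, not taken from the page.

```powershell
# Added example, not part of the original article. Assumes an elevated PowerShell
# session on a domain controller where the audit policy and SACLs above are in place.

# Step 7 check: the subcategory that produces object-change events must be auditing
# Success. auditpol /r prints CSV, which ConvertFrom-Csv turns into an object.
$ds = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
if ($ds.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "'Directory Service Changes' is not auditing Success; run gpupdate /force and re-check."
}

# Flatten one Security event into a record of who changed what on which object.
# 5136 = directory object modified, 5137 = object created, 5141 = object deleted.
function ConvertTo-AdChangeRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # 5136 reports the operation as a resource string: %%14674 = value added, %%14675 = value deleted
    $op = switch ($d['OperationType']) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { '' } }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        Who       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Object    = $d['ObjectDN']
        Class     = $d['ObjectClass']
        Attribute = $d['AttributeLDAPDisplayName']   # empty for 5141 (deletion has no attribute)
        Operation = $op
        Value     = $d['AttributeValue']
    }
}

# Steps 14 to 16 as a query instead of Filter Current Log: directory changes in the
# last 24 hours, oldest first. SilentlyContinue suppresses the error when no events match.
$filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-AdChangeRecord -Event $_ } |
    Sort-Object Time |
    Format-Table Time, Who, EventId, Operation, Attribute, Value, Object -AutoSize
```

Replace Format-Table with Export-Csv to keep a record of the changes, or adjust the Id list to the other event IDs from step 17 that you want to track.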

17. Here is a list of other relevant Event IDs

For many users, manual auditing is both time consuming and unreliable, as it does not generate instant alerts and reports for Active Directory changes.

It is therefore recommended that you opt for an automated Active Directory auditing solution. One such solution is LepideAuditor for Active Directory, which enables users to proactively track, alert on and report on changes being made to Active Directory.

1. Windows File Access – CyberQuest


2. Windows All logons – CyberQuest


3. Windows Audit Policy Changed - CyberQuest
