Auditing Active Directory

CRM-AD Issues: Auditing Active Directory


There are many CRM troubleshooting cases where, while isolating the problem, you end up needing details from the Active Directory side. This article explains how to enable auditing in AD DS so that changes to directory objects are tracked and can be traced back to the account that made them.

Starting with Windows Server 2008, AD DS (Active Directory Domain Services) auditing has a new audit policy subcategory, Directory Service Changes, which logs the old and new values when AD DS objects and their attributes are changed. The subcategory can be enabled with the auditpol.exe tool. Two things are required before change events are logged: the Directory Service Changes subcategory must be enabled on the domain controller, and the objects you want to track must carry a SACL (system access control list) that audits the operation. Both steps are covered below.

Here is a quick command to check which audit policies are currently active:

auditpol /get /category:*

auditpol can also list every audit policy category and subcategory by name and GUID (auditpol /list), which is useful when a subcategory name is not accepted as typed.


How to enable the global audit policy using the Windows interface, i.e. the Group Policy Management console (gpmc). Because this edits the Default Domain Controllers Policy, the setting applies to every domain controller after the next Group Policy refresh.

  • Click Start, point to Administrative Tools, and then Group Policy Management or run gpmc.msc command

  • In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

  • Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  • In the details pane, right-click Audit directory service access, and then click Properties.

  • Select the Define these policy settings check box.

  • Under Audit these attempts, select the Success check box, and then click OK.

How to enable the change auditing policy using a command line

  • Click Start, right-click Command Prompt, and then click Run as administrator.
  • Type the following command, and then press ENTER:
  • auditpol /set /subcategory:"directory service changes" /success:enable

To verify whether auditing is enabled for "Directory Service Changes", run the command below and check that the Directory Service Changes row shows Success:

Auditpol /get /category:"DS Access"
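The check-then-enable-then-verify sequence from the two command-line steps above, as an added PowerShell example (not code from the original article). It parses auditpol's CSV output (/r) instead of eyeballing the table, enables the subcategory only when Success auditing is not already on, and fails loudly if auditpol returns nothing (wrong subcategory name, or a non-elevated prompt). Run it from an elevated PowerShell on the domain controller.

```powershell
# Added example (not part of the original article). Checks and, if needed, enables the
# "Directory Service Changes" subcategory on the local domain controller using auditpol,
# then re-reads the policy to confirm. Run from an elevated PowerShell on the DC.

$subcategory = 'Directory Service Changes'

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Name)
    # /r makes auditpol emit CSV with the header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # Blank lines are dropped before parsing.
    $row = auditpol /get /subcategory:"$Name" /r |
           Where-Object { $_ -match '\S' } |
           ConvertFrom-Csv
    if (-not $row) {
        throw "auditpol returned no row for '$Name' (wrong subcategory name, or not running elevated)."
    }
    $row.'Inclusion Setting'      # e.g. 'No Auditing', 'Success', 'Success and Failure'
}

# List the subcategories (and their GUIDs) under the DS Access category that this host accepts
auditpol /list /subcategory:"DS Access" /v

$before = Get-AuditSubcategorySetting -Name $subcategory
"Before: $subcategory = $before"

if ($before -notmatch 'Success') {
    auditpol /set /subcategory:"$subcategory" /success:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

$after = Get-AuditSubcategorySetting -Name $subcategory
"After:  $subcategory = $after"
```

auditpol writes the local audit policy of the DC you run it on, so repeat it on each DC or, better, make the change in the Default Domain Controllers Policy as in the GUI steps above. If subcategory-level (Advanced Audit Policy) settings are deployed through Group Policy, they replace the local setting at the next policy refresh, so in that case the GPO is the only place the change will stick.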


How to set up auditing in object SACLs

  • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  • Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

  • Click the Security tab, click Advanced, and then click the Auditing tab.

  • Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

  • In Apply onto, click Descendant User objects (or any other objects).

  • Under Access, select the Successful check box for Write all properties.

  • Click OK until you exit the property sheet for the OU or other object.
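The same SACL entry the GUI steps above create, set from PowerShell as an added example (not code from the original article). It uses the ActiveDirectory module's AD: drive and System.DirectoryServices.ActiveDirectoryAuditRule; the OU distinguished name is an assumption to replace with your own. "Descendant User objects" maps to inheritance type Descendents plus the schemaIDGUID of the user class, and "Write all properties" maps to the WriteProperty right with no attribute GUID.

```powershell
# Added example (not part of the original article). Sets the same SACL as the GUI steps
# above on an OU: audit Successful "Write all properties" by Authenticated Users,
# applied to Descendant User objects. The OU DN below is an assumption; change it.
Import-Module ActiveDirectory

$ouDN      = 'OU=Finance,DC=contoso,DC=com'       # assumed; change to your OU
$principal = [System.Security.Principal.NTAccount]'Authenticated Users'
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' class

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,            # "Write all properties"
    [System.Security.AccessControl.AuditFlags]::Success,                         # "Successful"
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # descendants only, not the OU itself
    $userClass                                                                   # ...of class user
)

# -Audit is required to read (and later write back) the SACL rather than only the DACL
$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.AddAuditRule($rule)
# Writing a SACL needs SeSecurityPrivilege ("Manage auditing and security log")
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back and show the audit entries now on the OU (explicit and inherited)
(Get-Acl -Path "AD:\$ouDN" -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType -AutoSize
```

Keep the SACL scoped: auditing Write all properties for Everyone on the domain head on a busy domain generates a large volume of 5136 events (password and logon-related attributes included), which is why the article applies it to one OU and one object class. To remove the entry later, call RemoveAuditRule with the same rule object and Set-Acl again.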

To test whether auditing is working, create or modify an object in the OU you configured (in this example, the Finance OU) and then check the Security event log on the domain controller.

I created a new user account in the Finance OU named f4.

In the Security event log you will find event ID 5137 (Create) for that account.

Note:
Once auditing is enabled these event IDs appear in the Security event log: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move); Windows Server 2008 R2 and later also log 5141 (Delete). 5136 is the one that carries the old and new values: each attribute change produces an event with the attribute name, the value, and an operation type of Value Deleted (old value) or Value Added (new value), along with the account that made the change.
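Reading those events back from the Security log, as an added PowerShell example (not code from the original article). It pulls 5136 to 5139 and 5141 with Get-WinEvent, flattens the EventData fields that matter for triage (who, which object, which attribute, which value, added or removed) and decodes the 5136 operation type. The function name Get-ADChangeEvent and the defaults are my own; run it on a domain controller, or point -ComputerName at one, with rights to read the Security log.

```powershell
# Added example (not part of the original article). Pulls AD DS change events from a DC's
# Security log and flattens the EventData fields useful for triage. The function name and
# parameter defaults are assumptions of this example.
function Get-ADChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # 5136 Modify, 5137 Create, 5138 Undelete, 5139 Move, 5141 Delete (2008 R2+)
    $names  = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move'; 5141 = 'Delete' }
    $filter = @{ LogName = 'Security'; Id = @($names.Keys); StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each <Data Name="..."> element of the event XML becomes a hashtable entry
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 5139 (Move) reports old and new DNs; the other IDs report a single ObjectDN
            $objectDN = if ($_.Id -eq 5139) { $data['NewObjectDN'] } else { $data['ObjectDN'] }

            # 5136 OperationType: %%14674 = Value Added (new value), %%14675 = Value Deleted (old value)
            $operation = switch ($data['OperationType']) {
                '%%14674' { 'Added' }
                '%%14675' { 'Deleted' }
                default   { $null }
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Action    = $names[[int]$_.Id]
                Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN  = $objectDN
                OldDN     = $data['OldObjectDN']
                Class     = $data['ObjectClass']
                Attribute = $data['AttributeLDAPDisplayName']
                Value     = $data['AttributeValue']
                Operation = $operation
            }
        }
}

# Usage: everything from the last day, then a triage view of group membership changes only
$events = Get-ADChangeEvent -Since (Get-Date).AddDays(-1)
$events | Format-Table Time, Action, Subject, Class, Attribute, Operation, Value -AutoSize
$events | Where-Object { $_.Id -eq 5136 -and $_.Attribute -eq 'member' } |
    Format-Table Time, Subject, ObjectDN, Operation, Value -AutoSize
```

Because one attribute change yields a Deleted event followed by an Added event, sort by time and pair them to see before and after values. The Subject field is the account that made the change, which is what you usually need when a CRM user or service account has unexpectedly lost or gained access.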

To know more about AD DS Auditing read technet article:
AD DS Auditing Step-by-Step Guide

https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

Comments

  • Anonymous
    August 21, 2014
    Thanks for sharing such valuable information. Though, due to the hectic schedule at my workstation, I use Lepide Auditor for Active Directory, i.e. ( www.lepide.com/.../active-directory.html ), to audit the changes made in my Active Directory environment. This tool is an appropriate solution for auditing all the critical changes at a granular level and provides reports with real-time monitoring. However, this well-described article looks like a good starting point for my future reference when I need to monitor an AD environment.

  • Anonymous
    August 22, 2014
    Hi Carlton, thanks for sharing your experience and the details of the tool that you have been using for AD audit. I will test this tool in my test lab. Cheers!

  • Anonymous
    March 13, 2015
    Hi Habibar, thanks for this article. It is very important to audit AD, mainly when you have more than one administrator or privileged user. It's very helpful and easy to apply. Congrats! Cheers!