Active Directory Auditing is very important for large organisations where there’s a high number of technical resources, from different teams, accessing and modifying Active Directory. Active Directory Auditing comes with a cost though: an enormous amount of logs created.
Having so many logs will mean that you won’t be able to troubleshoot much as what you’re looking for might be long gone. If you work in a smaller company, then manually sorting these logs shouldn’t be a big deal, but again, remember that a Domain Controller in general does generate a lot of events. I would suggest to integrate Active Directory Auditing with something like System Center Operations Manager (SCOM) to help you out catching what you’re interested on.
This article wants to show you how to enable Active Directory Auditing. Remember also that you will have to enable it for each single (writable) Domain Controller that you have. This is very important or else you will only be able to track changes happening on a single domain controller (unless that is what you intend to do). What could be used to achieve this quickly and with the least effort as possible? Group Policies obviously!
Domain Controllers are stored in the same OU by default, and they also have a Default Domain Controllers Policy.
If you’re reading this, it means that you probably already know what Policy you want to enable, so I will go straight to the point. Auditing data will be stored in the Security logs.
- Open Group Policy Management (from Administrative Tools).
- Keep expanding until you reach the Domain Controllers OU.
- Right click on Default Domain Controllers Policy and click Edit.
- Once the Editor has started, expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Now you can see the list of audits that you can turn on/off. You can either define to log just the success or just the Failures or both.