How to Configure the Monitoring of Active Directory Objects in Windows Server 2012
Authored by: Support.com Tech Pro Team
1. Introduction
How to Configure the Monitoring of AD Objects in Windows Server 2012
2. Step 1 – Enable Global Audit Policy
Go to Start → Administrative Tools → Group Policy Management. The following window appears on the screen.
In the left panel, go to the ‘Domains’ node → www.domain.com → Domain Controllers to see ‘Default Domain Controllers Policy’ as shown in the following image.
When you click on this policy, it displays a warning message that making any changes in this policy will be global to the GPO and affect other locations where this GPO is linked.
You can select the ‘Do not show this message again’ checkbox, if you want. Click ‘OK’ to proceed after reading the warning.
Next, right-click on the ‘Default Domain Controllers Policy’, and select ‘Edit’ from the context menu to display the ‘Group Policy Management Editor’ window.
Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy to access the auditing policies as shown below.
Double click ‘Audit directory service access’ to display the following dialog box.
Check ‘Define these policy settings’ and then select both ‘Success’ and ‘Failure’ checkboxes.
Click ‘Apply’ and ‘OK’ to enable the ‘Audit directory service access’ auditing.
Similarly, you can enable auditing for the other available policies as well.
3. Step 2 – Enable the Advanced Audit Policies
In the same Group Policy Management Editor, go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration. Click ‘Audit Policies’ to list all of its group policies.
Expand the ‘Audit Policies’ node to access the audit policies, which represent event categories. Each category contains advanced policies, which have to be enabled one by one.
For example, let us assume that you want to enable ‘Audit Detailed File Share’ in the ‘Object Access’ category.
You have to follow similar steps to enable all other policies in each category one by one.
Select the ‘Object Access’ node.
Now, double-click the ‘Audit Detailed File Share’ policy in the right pane to access its properties.
Select the ‘Configure the following audit events’ checkbox.
Select both ‘Success’ and ‘Failure’ events.
Click ‘Apply’ and ‘OK’ to enable this audit policy.
4. Step 3 – Enable the Auditing of Objects
Go to Start Menu → All Programs → Administrative Tools → Active Directory Users and Computers. The following window appears on the screen.
Right-click on the organizational unit on which you want to enable the auditing. You can also enable the auditing directly on the ‘www.domain.com’ root node, the ‘Domain Controllers’ node, or any computer.
Select ‘Properties’ from the context menu to access the following window.
Go to the ‘Security’ tab.
Click the ‘Advanced’ button to open ‘Advanced Security Settings’, and switch to the ‘Auditing’ tab in the following window.
Here, select the users and events to audit.
To configure auditing for a particular user or everyone, click ‘Add’, which shows the following window.
Click the ‘Select a principal’ link to open the following window.
Enter the name of the user or ‘Everyone’, and then click on ‘Check Names’ to verify it.
Click ‘OK’. It takes you back to the ‘Auditing Entry’ window.
In the ‘Type’ field, select ‘All’ to include both ‘Success’ and ‘Fail’.
Select ‘This object and all descendant objects’ in the ‘Applies to’ field.
In ‘Permissions’, select ‘Full Control’ to select all permissions, or select only required permissions.
Click ‘OK’ to close the window.
If you want to edit the auditing settings for a user, select it and click ‘Edit’. Doing this will show the same ‘Audit Entry for <OU name>’ dialog box where you can edit the settings.
Click ‘Apply’ and ‘OK’ to go back to the ‘Properties’ dialog box.
Click ‘OK’ to close the ‘Properties’ window.
5. Step 4 – View the Events
To view the events, use ‘Event Viewer’. The following window shows a network object created event in the ‘Event Viewer’.
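To confirm that the settings from Steps 1 to 3 took effect and to read the resulting events without Event Viewer, the following PowerShell can be run in an elevated session on a domain controller. It is an added example, not part of the original guide; the OU distinguished name is a placeholder, and the event IDs queried (4662, 5136, 5137, 5141) are the standard directory service audit events rather than values taken from the guide.

```powershell
# Added example: verify the auditing from Steps 1-3 and list the events from Step 4.
# Assumptions: elevated session on a domain controller, ActiveDirectory module
# available, and $TargetDn replaced with the object audited in Step 3.
Import-Module ActiveDirectory

$TargetDn = 'OU=ExampleOU,DC=domain,DC=com'   # placeholder distinguished name

# 1. Effective audit policy on this DC. auditpol reports the final result,
#    whichever of the basic (Step 1) or advanced (Step 2) settings applied.
auditpol /get /category:"DS Access"

# 2. Audit entries (SACL) on the object configured in Step 3.
$acl = Get-Acl -Path "AD:\$TargetDn" -Audit
if (-not $acl.Audit) {
    Write-Warning "No audit entries found on $TargetDn; object changes will not be logged."
}
$acl.Audit |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

# 3. Directory service events written to the Security log in the last 24 hours.
$actions = @{
    4662 = 'Operation performed on object'
    5136 = 'Object modified'
    5137 = 'Object created'
    5141 = 'Object deleted'
}
$filter = @{
    LogName   = 'Security'
    Id        = 4662, 5136, 5137, 5141
    StartTime = (Get-Date).AddHours(-24)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Turn the named <Data> fields of the event into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Action  = $actions[$_.Id]
        User    = $fields['SubjectUserName']
        # 5136/5137/5141 carry ObjectDN and ObjectClass; 4662 carries ObjectName and ObjectType.
        Object  = if ($fields['ObjectDN']) { $fields['ObjectDN'] } else { $fields['ObjectName'] }
        Class   = if ($fields['ObjectClass']) { $fields['ObjectClass'] } else { $fields['ObjectType'] }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the third part returns nothing after a test change to an audited object, check the first two outputs: either the policy shows ‘No Auditing’ or the object has no audit entry.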