How to configure granular audit policies for Active Directory Auditing?

Active Directory
6.5 and older
7.0-8.5
9.0-9.7
9.8
https://kb.netwrix.com/679

How to configure granular audit policies for auditing an Active Directory domain with Netwrix Auditor.


To configure granular audit policies, perform the following steps:

1. Navigate to Start –> Administrative Tools –> Group Policy Management Console.
2. Expand the Forest: <forest_name> –> Domains –> DomainName –> Group Policy Objects –> Default Domain Controllers Policy node, right-click it and select Edit.

3. In the Group Policy Management Editor, navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies –> Account Management:
Set the following policies to “Success” on all domain controllers:

  • Audit Computer Account Management
  • Audit Distribution Group Management
  • Audit Security Group Management
  • Audit User Account Management

4. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies –> DS Access:
Set the Audit Directory Service Access policy to “Success” on all domain controllers.

5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies –> Logon/Logoff and set the Audit Logoff and Audit Logon policies to “Success”.
These policies are only required to collect the information on the originating workstation, i.e., the computer from which a change was made.
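
To confirm on a domain controller that the subcategories from steps 3 to 5 are in effect, the following added example (not part of the original Netwrix article) queries the effective audit policy with `auditpol`. It assumes an elevated PowerShell session and an English-language OS, because `auditpol` subcategory names and setting values are localized; the function name `Test-SuccessAuditing` is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Assumption: English-language OS (auditpol names and values are localized).

# Subcategories from steps 3-5 of this article, all required at "Success".
$required = @(
    'Computer Account Management',
    'Distribution Group Management',
    'Security Group Management',
    'User Account Management',
    'Directory Service Access',
    'Logon',
    'Logoff'
)

function Test-SuccessAuditing {
    param([string]$InclusionSetting)
    # "Success" and "Success and Failure" both satisfy the requirement;
    # "Failure" and "No Auditing" do not.
    return $InclusionSetting -match '^Success'
}

$results = foreach ($name in $required) {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $csv = auditpol /get /subcategory:"$name" /r 2>$null |
        Where-Object { $_ -and $_.Trim() }
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        # Not elevated, or the subcategory name was not recognised.
        [pscustomobject]@{ Subcategory = $name; Setting = 'QUERY FAILED'; Compliant = $false }
        continue
    }
    $row = $csv | ConvertFrom-Csv | Select-Object -First 1
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Compliant   = Test-SuccessAuditing $setting
    }
}

$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} required subcategories are not auditing Success." -f $missing.Count)
} else {
    Write-Output 'All required subcategories are auditing Success.'
}
```

Run it on each domain controller after the Default Domain Controllers Policy has refreshed; a subcategory reported as "No Auditing" or "Failure" means the GPO setting has not taken effect on that machine.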
