Audit policy settings to track Active Directory changes

Tracking every change made to objects in Active Directory gives you insight into attacks as well as into misconfigurations. It is possible to track all changes to Active Directory objects, provided the correct policy settings are enabled. Unfortunately, these policy settings are not enabled by default, so few or no changes are tracked out of the box. Configuring them is not difficult; the key is knowing which settings are needed to track Active Directory object changes.

There are two different sets of policy settings, and which one you change depends on the Windows Server version running on your domain controllers. If you are running Windows Server 2008 or earlier, configure the (legacy) Audit Policy settings. If you are running Windows Server 2008 R2 or later, use the Advanced Audit Policy Configuration. The legacy Audit Policy settings still work on Windows Server 2008 R2 and later, but the Advanced Audit Policy subcategories are more granular: you can audit exactly the subcategories that matter for object changes and leave out the ones that only generate noise in the Security log.

NOTE: If you have a mixture of old and new operating systems on your domain controllers, you can use a mixture of policy settings. The older domain controllers ignore the Advanced Audit Policy settings, so make sure the legacy Audit Policy settings are also configured. On the newer domain controllers, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (under Security Settings\Local Policies\Security Options) so that the subcategory settings take precedence and the two sets of settings do not conflict.

To configure the Audit Policy settings, you will modify a GPO (Group Policy Object) under the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy node, as shown in Figure 1.


Figure 1. Audit Policy configurations to track Active Directory object changes.


In summary, be sure to configure the following Audit Policy settings (names as they appear in the Audit Policy node):

Audit account logon events        Success/Failure
Audit account management          Success/Failure
Audit directory service access    Success
Audit logon events                Success/Failure
Audit policy change               Success/Failure

If you choose to use the Advanced Audit Policy Configuration, you will configure the GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies, as shown in Figure 2.


Figure 2. Advanced Audit Policy settings to track Active Directory object changes.

The detailed configurations for the Advanced Audit Policy include:

Audit Account Logon
Audit Kerberos Authentication Service - Success/Failure

Audit Account Management
Audit Computer Account Management - Success/Failure
Audit Distribution Group Management - Success/Failure
Audit Security Group Management - Success/Failure
Audit User Account Management - Success/Failure

Audit DS Access
Audit Directory Service Changes - Success/Failure
Audit Directory Service Access - Success/Failure

Audit Logon/Logoff
Audit Logon - Success/Failure
Audit Logoff - Success/Failure

Audit Policy Change
Audit Authentication Policy Change - Success/Failure
Audit Authorization Policy Change - Success/Failure

Audit System
Audit Security State Change - Success/Failure

You can either link the GPO containing these configurations to the domain controllers' organizational unit (OU) or to the domain level. Of course, if you link the GPO to the domain level, the settings will affect all computers in the domain, not just the domain controllers. If you just want to track changes to Active Directory objects, link the GPO to the domain controllers' OU.

You have now instructed the domain controllers to audit the areas related to Active Directory object changes. Two things are worth checking before relying on the events: run auditpol /get /category:* on a domain controller after a Group Policy refresh to confirm the settings actually took effect, and remember that Directory Service Changes events (5136 modified, 5137 created, 5139 moved, 5141 deleted) are only generated for operations that the target object's SACL requests auditing for, so confirm the SACL on the containers you care about.
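As an added example (not part of the original article and not ADAudit Plus code), the following PowerShell verifies on a domain controller that the Advanced Audit Policy subcategories listed above are in effect, and then lists the recent Directory Service Changes events that the policy produces. The 24-hour lookback window and the expectation that every subcategory reports "Success and Failure" are my assumptions; adjust them to match the policy you actually deployed. Run it in an elevated session on a DC after gpupdate /force.

```powershell
# Added example, not code from the original article: check effective audit policy
# on a domain controller, then list recent Directory Service Changes events.
# Assumptions: every listed subcategory should be 'Success and Failure', and a
# 24-hour lookback is enough for a first look.

# Expected effective setting per subcategory, as auditpol reports it.
$Required = [ordered]@{
    'Kerberos Authentication Service' = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Distribution Group Management'   = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
    'Directory Service Access'        = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success and Failure'
    'Authentication Policy Change'    = 'Success and Failure'
    'Authorization Policy Change'     = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
}

# 'auditpol /get ... /r' emits CSV with the columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$Effective = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv

$Gaps = foreach ($Name in $Required.Keys) {
    $Row = $Effective | Where-Object { $_.Subcategory -eq $Name }
    if (-not $Row) {
        "$Name : subcategory not reported by auditpol"
    } elseif ($Row.'Inclusion Setting' -ne $Required[$Name]) {
        "$Name : expected '$($Required[$Name])', effective '$($Row.'Inclusion Setting')'"
    }
}

if ($Gaps) {
    Write-Warning ("Audit policy gaps found:`n" + ($Gaps -join "`n"))
    # The GPO should remain the source of truth. For a one-off local test only:
    # auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
} else {
    Write-Host 'All required audit subcategories are in effect.'
}

# Directory Service Changes events: 5136 modified, 5137 created, 5139 moved,
# 5141 deleted. They are only generated when the object's SACL asks for auditing.
$Filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5139, 5141
    StartTime = (Get-Date).AddHours(-24)   # assumed lookback window
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable so the
    # same code handles the slightly different field sets of each event ID.
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    foreach ($Node in $Xml.Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }

    # 5139 (move) reports the old and new DN; the others report ObjectDN.
    $ObjectDn = if ($_.Id -eq 5139) { $Data['NewObjectDN'] } else { $Data['ObjectDN'] }

    # 5136 encodes the operation as a resource string rather than text.
    $Operation = switch ($Data['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { $Data['OperationType'] }
    }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Subject   = '{0}\{1}' -f $Data['SubjectDomainName'], $Data['SubjectUserName']
        Object    = $ObjectDn
        Class     = $Data['ObjectClass']
        Attribute = $Data['AttributeLDAPDisplayName']
        Value     = $Data['AttributeValue']
        Operation = $Operation
    }
} | Format-Table -AutoSize
```

If the first part reports gaps on a domain controller that is running Windows Server 2008 R2 or later, the usual causes are that the GPO is not linked to the Domain Controllers OU, that Group Policy has not refreshed yet, or that the legacy and advanced settings are conflicting because the "force audit policy subcategory settings" option is not enabled. If the policy is correct but the second part returns nothing after you deliberately modify a test object, check the SACL on that object's container rather than the audit policy.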