Configuring Audit Policy to audit changes on Domain Controllers

 

In addition to configuring the Default Domain Controllers policy which allows to audit "Account Logon Events", "Account Management events", "Directory Service access" and "Logon Events" in the Domain, ADAP also allows one to audit local changes on the Domain Controllers. Local Changes on Domain Controllers listed below will be recorded in the security logs of respective servers depending upon the type of audit policy configured.

 

What changes are recorded in the Server?

1. Process starts or exits?

2. Audit Policy changes?

3. User Rights Assigned / Removed for users?

4. User Rights Assigned / Removed for groups?

5. Security Access Assigned / Removed for users?

6. Security Access Assigned / Removed for groups?

7. System time is changed?

8. Scheduled Task is Created/Modified/Deleted?

9. Local Account is Changed (Local Account Management - Users/Groups)?

Audit Policy Required for recording "Local Changes on Domain Controllers" in the Security logs:

 

To view reports on the above listed events corresponding audit policies are to be configured in the Member Servers. The Audit Policies to be configured include Audit Policy Change - Success / Failure. Audit Process Tracking - Success. Audit System Events - Success / Failure.

1. Log on to Windows with an account that has Administrator rights.

2. Ensure that the Group Policy snap-in is installed.

3. Open the GPMC (Group Policy Management Console).

4. Edit the GPO that is applied on all selected Member Servers (How to select Member Servers) that require audit reporting.

5. Click on the "Group Policy Object" and click on "Edit"

6. This will direct you to "Group Policy Management Editor"

7. Navigate to "Audit Policy" node,

"Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy"

9. Configure

Audit Policy Change - Success / Failure. Audit Process Tracking - Success. Audit System Events - Success / Failure.