SACL's to enable Group Policy Objects Auditing

 

Policy that determines the security events to be reported to the network administrator.

 

To allow ADAP to report on Security events - the Audit Policy must be defined accordingly in your Auditing Policy settings of the ADUC (揂ctive Directory Users and Computers?console) on your Domain Controller machine.

 

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.   

  1. Open "Active Directory Users and Computers".  

    1. (Click ?span style="font-weight: bold;">Start? --> Click ?span style="font-weight: bold;">Control Panel?--> double-click ?span style="font-weight: bold;">Administrative Tools?  and then -->> double-click ?span style="font-weight: bold;">Active Directory Users and Computers ?

  2. In the console tree, right-click the "domain"

  3. Click 揚roperties? and then click the ?span style="font-weight: bold;">Security?tab.

  4. Click ?span style="font-weight: bold;">Advanced? to open the Window to enter 揂dvanced Security Settings for the Domain?/p>

  5. Click ?span style="font-weight: bold;">Add? to add the security principal you want to apply the security policy (In our case it is ?span style="font-weight: bold;">Everyone?  and click on OK

  6. This opens the window to select 揚ermission Entries for the Domain?/p>

To get the audit trail from Active Directory on the creation (or) deletion of Group Policy objects, you must enable the "Permission entries for the Domain"

  1. Select Apply onto : This object and all child objects

  2. Select the Success check box for the below Audit Entries

    1. Create groupPolicyContainer Objects

    2. Delete groupPolicyContainer Objects

To get the audit trail from Active Directory on Write All Properties, Delete, and Modify Permissions for  groupPolicyContainer objects, enable the below "Permission entries for the Domain"

  1. Select Apply onto : "groupPolicyContainer objects"

  2. Select the Success check box for the below Audit Entries

    1. Write All Properties

    2. Delete

    3. Modify Permissions

 

Table provides details on SACLs for GPO Auditing:

 

 

Object to set SACL on

Principal

Type

Accesses

Scope

SACLs to Create, Delete Group Policy Objects

Domain

Everyone

Success

  1. Create groupPolicyContainer Objects

  2. Delete groupPolicyContainer Objects

 

This object and all child objects

SACLs to Write All Properties, Delete, and Modify Permissions for  groupPolicyContainer objects

Domain

Everyone

Success

  1. Write All Properties

  2. Delete

  3. Modify Permissions

 

groupPolicyContainer objects

 

 

 

 

 

 

© 2017 卓豪(中国)技术有限公司,保留一切权利