1. Grant the user the Manage auditing and security log right
The Manage auditing and security log right allows the user to define object-level auditing.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right-click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
- Navigate to the right panel, right-click on Manage auditing and security log → Properties → Add the "ADAudit Plus" user.
2. Make the user a member of the Event Log Readers group
Members of the Event Log Readers group will be able to read the event logs of all the audited computers.
- For Domain Controllers:
Log in to your Domain Controller with Domain Admin privileges → Open Active Directory Users and Computers → Builtin Container → Navigate to the right panel, right-click on Event Log Readers → Properties → Members → Add the "ADAudit Plus" user.
- For other computers (Windows servers and workstations):
a. Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right-click on the "ADAudit Plus Permission GPO" → Edit.
b. In the Group Policy Management Editor → Computer Configuration → Preferences → Control Panel Settings → Right-click on Local Users and Groups → New → Local Group → Select Event Log Readers group under group name → Add the "ADAudit Plus" user.
Note: To read the event logs, you also need to grant the "ADAudit Plus" user Read permission over HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
- Log in to your Domain Controller with Domain Admin privileges → Open the Group Policy Management Console → Right-click on the "ADAudit Plus Permission GPO" → Edit.
- In the Group Policy Management Editor → Computer Configuration → Policies → Windows Settings → Security Settings → Right-click Registry → Add Key.
- In the Select Registry Key Window, navigate to MACHINE → SYSTEM → CurrentControlSet → Services → EventLog → Security → Click OK → Grant Read permission to "ADAudit Plus" user → Click Apply.
- In the Add Object window, select Configure this key then → Replace existing permissions on all subkeys with inheritable permissions → Click OK.
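To confirm that the three settings above actually reached an audited member server or workstation, the following PowerShell check can be run there from an elevated prompt. It is an added example, not part of the product or the vendor's documentation; the account name `CONTOSO\adauditplus` is a placeholder, and only grants made directly to the account are checked (not rights inherited through other groups). On Domain Controllers the Event Log Readers membership lives in the Builtin container in Active Directory, so the group check applies to member computers only.

```powershell
#Requires -RunAsAdministrator
# Added example. Run on an audited member server or workstation after the GPO has applied.
function Test-AuditAccountPermission {
    param(
        # Placeholder account name (assumption); pass your own "ADAudit Plus" user.
        [string]$Account = 'CONTOSO\adauditplus'
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # 1. "Manage auditing and security log" is SeSecurityPrivilege in the exported policy.
    #    secedit normally writes each holder as *SID, comma separated.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }

    # 2. Event Log Readers is the built-in group with well-known SID S-1-5-32-573.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue

    # 3. Explicit Allow ACE granting read access on the Security event log key.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    $read  = [System.Security.AccessControl.RegistryRights]::ReadKey
    $rules = (Get-Acl -Path $key).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $aces = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $read) -eq $read
    }

    # One boolean per step of the procedure.
    [pscustomobject]@{
        Account               = $Account
        ManageAuditingRight   = $holders -contains $sid.Value
        EventLogReadersMember = @($members.SID.Value) -contains $sid.Value
        SecurityKeyRead       = [bool]$aces
    }
}

Test-AuditAccountPermission
```

A `False` in any column points back to the corresponding step; check that the "ADAudit Plus Permission GPO" is linked to the computer and has been refreshed before re-running.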