Windows 2008 R2 offers more and better features than its predecessors, and its native auditing of Active Directory objects is also improved. With granular control, you can track almost every change in the IT infrastructure and identify who made which change, when, and from where, although this requires more in-depth investigation. In this article, we discuss the steps involved in enabling the auditing of Active Directory objects in Windows 2008 R2.
How to Enable Global Audit Policy
Follow the steps below to enable the Global Audit Policy in Windows Server 2008 R2:
1. Go to Start > Administrative Tools > Group Policy Management. This will open the following window.
Figure: Group Policy Management
2. In the left-hand panel, expand Domains > (your domain) > Domain Controllers and then click “Default Domain Controllers Policy” as shown below.
Figure: Browsing “Default Domain Controllers Policy” Node
3. Selecting this policy displays a warning that any changes made to it are global to the GPO and will affect other locations.
Figure: Global Policy Modification Warning
4. Read the warning and click the “OK” button to proceed.
5. You can also check the box titled “Do not show this message again”, if you want.
6. Now, right-click “Default Domain Controllers Policy” and select Edit to display the following window.
Figure: Group Policy Management Editor
7. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy to access the auditing policies, as shown below.
Figure: Audit Policy
8. Here, you can access the following audit policies.
i) Audit account logon events
ii) Audit account management
iii) Audit directory service access
iv) Audit logon events
v) Audit object access
vi) Audit policy change
vii) Audit privilege use
viii) Audit process tracking
ix) Audit system events
9. Double-click “Audit directory service access” to display the following dialog box.
Figure: Properties of the “Audit directory service access” policy
10. Check “Define these policy settings” and then check both “Success” and “Failure” attempts.
11. Click the “Apply” and “OK” buttons to enable the “Audit directory service access” auditing.
12. (Optional) In a similar way, you can enable auditing for the other available policies.
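To confirm that the setting from steps 9 to 11 has actually reached a domain controller, the effective policy can be read back with auditpol. The script below is an added example, not part of the original article; it assumes an elevated PowerShell prompt on an English-language domain controller (the category name "DS Access" is localised) and writes its report to a file name chosen here for illustration.

```powershell
# Added example: verify the effective "Audit directory service access" setting.
# Run on a domain controller from an elevated PowerShell prompt.

# Refresh computer policy so the edited Default Domain Controllers Policy applies now.
gpupdate /target:computer /force | Out-Null

# "DS Access" is the auditpol category behind "Audit directory service access".
# The /r switch returns CSV, which is easier to check than the text table.
$raw = auditpol /get /category:"DS Access" /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed (exit code $LASTEXITCODE). Is the prompt elevated?"
}

# Drop blank lines before parsing the CSV.
$rows = $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

# The category policy applies to every subcategory, so each row should match.
$expected = 'Success and Failure'
$report = $rows | Select-Object Subcategory,
    @{ Name = 'Setting'; Expression = { $_.'Inclusion Setting' } },
    @{ Name = 'Matches'; Expression = { $_.'Inclusion Setting' -eq $expected } }

$report | Format-Table -AutoSize

$mismatch = @($report | Where-Object { -not $_.Matches })
if ($mismatch.Count -eq 0) {
    Write-Output "All DS Access subcategories audit Success and Failure."
}
else {
    Write-Warning ("{0} DS Access subcategories do not match the GPO setting." -f $mismatch.Count)

    # Write a Resultant Set of Policy report to see which GPO supplied the
    # effective audit settings. The file name is an assumption of this example.
    $rsop = Join-Path $env:TEMP 'dc-audit-rsop.html'
    gpresult /scope computer /h $rsop /f
    Write-Output "RSoP report written to $rsop"
}
```

A mismatch after a policy refresh usually means another GPO or an advanced audit policy setting is taking precedence, which the RSoP report will show.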
Enabling the Advanced Audit Policies
1. In the same Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration. This contains a node titled “Audit Policies”, which contains the auditing policies’ subcategories.
Figure: Advanced Audit Policy Configuration node
2. Expand the “Audit Policies” node to access its child nodes, which are the event categories. Each category contains advanced policies, which have to be enabled one by one. The categories are listed below:
a. Account Logon