Setting Up Auditing In AD

Description:

So the other day, I was going through the Event Viewer on one of our domain controllers and noticed that we hadn't set auditing up. Yelp! Follow this post to set up auditing in your environment. NOTE: All of our servers are Server 2012 R2.

To Resolve:

1. Log in to the Domain Controller

2. Create a new domain-wide GPO (I placed mine a couple of positions under the Default Domain Policy)

3. Edit it like so:

Go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Without this, the legacy per-category audit settings can override the advanced subcategory settings you configure next.

Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access
Enable "Audit Directory Service Access" to Success
Enable "Audit Directory Service Changes" to Success
These subcategories only switch the logging on; which objects actually get audited is decided by the SACL you set in step 4. Directory Service Access (event 4662) is high-volume on a busy DC. Directory Service Changes (5136 modify, 5137 create, 5138 undelete, 5139 move, 5141 delete) is the one that tells you what changed, including the attribute values.

Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon
Enable all four (Audit Credential Validation, Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations, Audit Other Account Logon Events) and set them to Failure. Credential Validation failures are the 4776 events (NTLM); Kerberos Authentication Service failures show up as 4768/4771.

That's it for the GPO. Now open ADUC and turn on View – Advanced Features. This exposes the Security tab, and with it the Auditing tab we need for the next step.

4. Right-click the domain root at the top of the tree and open Properties. Select Security tab – Advanced – Auditing tab and add a new entry. Select the "Everyone" security principal, set Type to Success and Applies to: This object and all descendant objects. For the permissions tick the following:
Write all properties
Delete
Delete subtree
Modify permissions
Modify owner
All validated writes
All extended rights
Create all child objects
Delete all child objects
This SACL is what actually produces the Directory Service Changes events; the GPO subcategory on its own logs nothing.
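Steps 3 and 4 can be verified and applied from PowerShell as well. The following is an added example, not from the original post: it assumes it is run on a domain controller as a Domain Admin (writing the SACL needs the "Manage auditing and security log" privilege, which Domain Admins have) with the ActiveDirectory module available, and the function names are mine.

```powershell
# Added example (not from the original post). Assumptions: run on a DC as a Domain Admin,
# ActiveDirectory module available (ships with the AD DS role / RSAT). Function names are mine.
Import-Module ActiveDirectory

# Step 3 check: auditpol reports the *effective* per-subcategory setting on this machine,
# so this tells you whether the GPO actually applied after gpupdate /force.
function Get-EffectiveAuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r emits CSV (with a leading blank line) whose 'Inclusion Setting' column is one of
    # No Auditing, Success, Failure, Success and Failure
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

function Test-AuditPolicy {
    # The six subcategories the GPO in step 3 sets, with the value the post asks for
    $expected = @{
        'Directory Service Access'           = 'Success'
        'Directory Service Changes'          = 'Success'
        'Credential Validation'              = 'Failure'
        'Kerberos Authentication Service'    = 'Failure'
        'Kerberos Service Ticket Operations' = 'Failure'
        'Other Account Logon Events'         = 'Failure'
    }
    foreach ($name in $expected.Keys) {
        $actual = Get-EffectiveAuditSetting -Subcategory $name
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $expected[$name]
            Actual      = $actual
            OK          = ($actual -eq $expected[$name])
        }
    }
}

# Step 4 without clicking: the Success SACL for Everyone on the domain head, inherited by
# every object beneath it. Without this entry Directory Service Changes produces no 5136-5141 events.
function Set-DomainChangeAudit {
    $path = "AD:\" + (Get-ADDomain).DistinguishedName
    $acl  = Get-Acl -Path $path -Audit          # -Audit reads the SACL, not just the DACL

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    # Same boxes as the Auditing tab: Write all properties, Delete, Delete subtree, Modify permissions,
    # Modify owner, All validated writes, All extended rights, Create/Delete all child objects
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, Self, ExtendedRight, CreateChild, DeleteChild'

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all descendants

    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Read the SACL back and confirm the Everyone/Success/All entry is present
function Test-DomainChangeAudit {
    $acl   = Get-Acl -Path ("AD:\" + (Get-ADDomain).DistinguishedName) -Audit
    $rules = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    return [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AuditFlags -eq 'Success' -and
        $_.InheritanceType -eq 'All' })
}

Test-AuditPolicy | Format-Table -AutoSize
if (-not (Test-DomainChangeAudit)) { Set-DomainChangeAudit }
Test-DomainChangeAudit
```

Run `gpupdate /force` on the DC before `Test-AuditPolicy`, otherwise you are looking at the old effective policy. `Set-DomainChangeAudit` adds an entry rather than replacing the SACL, so running it twice leaves a duplicate; the `Test-DomainChangeAudit` guard above avoids that.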

5. Run eventvwr.msc. What I did here was purposely try to log in to another server with the wrong password and verified that an event 4776 was recorded. It was. If you would rather check from PowerShell, a one-liner against the Security log on the DC does the same job; note that 4776 is the NTLM path, and a bad password sent over Kerberos shows up as 4771 instead.

6. Lastly, you're going to want to put something in place that lets you know when these happen. A PowerShell script run as a scheduled task works best. All credit goes to Dean Bunn.
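To cover both the PowerShell check from step 5 and the scheduled-task alert from step 6, here is an added example. It is not the post's script and not Dean Bunn's: it assumes it runs on a domain controller (4776/4771 are written on the DC, not the client), the SMTP relay, addresses and threshold are placeholders to replace, and the account running the task can read the Security log (SYSTEM can).

```powershell
# Added example, not the post's script and not Dean Bunn's. Assumptions: runs on a DC; SMTP relay,
# recipients and threshold are placeholders; the task runs as SYSTEM, which can read the Security log.
param([switch]$Install)   # -Install registers the scheduled task once; no switch = perform one check

$Threshold     = 5      # failures for a single account inside the window before we alert
$SprayAccounts = 20     # distinct accounts failing inside the window, each maybe only once
$WindowMins    = 15     # keep equal to the task's repetition interval: no gaps, no double counting
$SmtpServer    = 'smtp.example.internal'     # placeholder
$To            = 'soc@example.internal'      # placeholder
$From          = 'ad-audit@example.internal' # placeholder

# Step 5 in PowerShell: 4776 = NTLM credential validation (what the post verified by hand),
# 4771 = Kerberos pre-authentication failed, which is what a bad password over Kerberos produces.
function Get-FailedLogons {
    param([int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4776, 4771; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the XML instead of parsing the message text
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4776) {
            # Account Logon is Failure-only per step 3, but guard anyway: Status 0x0 is a success
            if ($data['Status'] -eq '0x0') { continue }
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4776; Account = $data['TargetUserName']
                               Source = $data['Workstation']; Status = $data['Status'] }
        } else {
            # 4771 Status 0x18 = bad password; IpAddress is the client (often ::ffff:a.b.c.d)
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4771; Account = $data['TargetUserName']
                               Source = $data['IpAddress']; Status = $data['Status'] }
        }
    }
}

# One row per account over the threshold, plus one row if the pattern looks like a password spray
# (many accounts, few failures each), which a per-account threshold alone never trips.
function Get-Alerts {
    param([object[]]$Failures, [int]$Threshold, [int]$SprayAccounts)
    $Failures | Group-Object Account | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Sources  = (($_.Group | ForEach-Object Source | Sort-Object -Unique) -join ', ')
        }
    }
    $distinct = @($Failures | ForEach-Object Account | Sort-Object -Unique)
    if ($distinct.Count -ge $SprayAccounts) {
        [pscustomobject]@{ Account = "<spray: $($distinct.Count) accounts>"; Failures = $Failures.Count
                           Sources = (($Failures | ForEach-Object Source | Sort-Object -Unique) -join ', ') }
    }
}

if ($Install) {
    # One-time setup: run this same file every $WindowMins minutes as SYSTEM
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes $WindowMins) -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AD Failed Logon Alert' -Action $action -Trigger $trigger -Principal $principal -Force
    return
}

$failures = @(Get-FailedLogons -Minutes $WindowMins)
$alerts   = @(Get-Alerts -Failures $failures -Threshold $Threshold -SprayAccounts $SprayAccounts)
if ($alerts.Count -gt 0) {
    $body = "Failed logons on $env:COMPUTERNAME in the last $WindowMins minutes:`n" +
            ($alerts | Format-Table -AutoSize | Out-String)
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From -Subject "AD failed logon alert: $($alerts.Count) entry(ies)" -Body $body
}
```

Save it somewhere only administrators can write (anything SYSTEM runs on a schedule is a persistence target), then run it once from an elevated prompt with `-Install`. Run it without the switch first to see what a normal window looks like before trusting the thresholds. `Send-MailMessage` speaks plain SMTP, so point it at an internal relay rather than an Internet-facing server.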