Active Directory Audit Checklist

by Robert Allen

To properly Audit Active Directory you must have the right policy settings enabled. These policy settings ensure your domain controllers are logging security events that meet your compliance and audit requirements.

The challenge is there are many audit policy settings to choose from which can be overwhelming and leave gaps in your auditing needs.

I have created a simple Active Directory Audit Checklist that you can download to use as a quick reference. This checklist will show you which audit settings to enable and the policy setting. These settings are taken from the Microsoft security compliance checklist. When using an Active Directory Audit Tool these policy settings will be required so your domain controllers can generate logs for the tool to analyze.

Active Directory Audit Policy Checklist

Free Audit Policy Checklist.

Active Directory Pro has created an audit policy checklist reference guide.

This free PDF can be used as a reference guide that shows you the recommended audit policy settings for Active Directory. These settings use the Microsoft security baseline recommendations.

Download PDF Checklist

The audit policy settings in this guide need to be configured in the Default Domain Controllers Policy GPO.

Policy Location:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

audit policies gpo

Below are the recommended settings for the Advanced Audit Policy Configuration.

Account Logon

NamePolicy SettingDescription
Audit Credential ValidationFailureThis policy setting allows you to audit events generated by validation tests on user account logon credentials.
Audit Kerberos Authentication ServicesFailureThis policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Audit Kerberos Service Ticket OperationsSuccess and FailureThis policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.

Account Management

NamePolicy SettingDescription
Audit Computer Account ManagementSuccessThis policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
Audit Other Account Management EventsSuccessThis policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following:
Audit Security Group ManagementSuccessThis policy setting allows you to audit events generated by changes to security groups such as the following:
Audit User Account ManagementSuccess and FailureThis policy setting allows you to audit changes to user accounts

Detailed Tracking

NamePolicy SettingDescription
Audit PNP ActivitySuccessThis policy setting allows you to audit when plug and play detects an external device.
Audit Process CreationSuccessThis policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.

DS Access

NamePolicy SettingDescription
Audit Directory Service AccessFailureThis policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
Audit Directory Service ChangesSuccessThis policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted.

Logon/Logoff

NamePolicy SettingDescription
Audit Account LockoutFailureThis policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out.
Audit Group MembershipSuccessThis policy allows you to audit the group memberhsip information in the user’s logon token
Audit LogonSuccess and FailureThis policy setting allows you to audit events generated by user account logon attempts on the computer.
Audit Other Logon/Logoff EventsSuccess and FailureThis policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff”.
Audit Special LogonSuccessThis policy setting allows you to audit events generated by special logons such as those with administrator equivalent privileges.

Object Access

NamePolicy SettingDescription
Audit Detailed File ShareFailureThis policy setting allows you to audit attempts to access files and folders on a shared folder.
Audit File ShareSuccess and FailureThis policy setting allows you to audit attempts to access a shared folder.
Audit Other Object Access EventsSuccess and FailureThis policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
Audit Removable StorageSuccess and FailureThis policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.

Policy Change

NamePolicy SettingDescription
Audit Audit Policy ChangeSuccessThis policy setting allows you to audit changes in the security audit policy settings.
Audit Authentication Policy ChangeSuccessThis policy setting allows you to audit events generated by changes to the authentication policy
Audit MPSSVC Rule-Level Policy ChangeSuccess and FailureThis policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC)
Audit Other Policy Change EventsFailureThis policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category

Privilege Use

NamePolicy SettingDescription
Audit Sensitive Privilege UseSuccess and FailureThis policy setting allows you to audit events generated when sensitive privileges (user rights) are used.

System

Name Policy SettingDescription
Audit Other System EventsSuccess and FailureThis policy setting allows you to audit systems events such as the startup and shutdown of the Windows firewall.
Audit Security State ChangeSuccessThis policy setting allows you to audit systems events such as the startup and shutdown of the Windows firewall.
Audit Security System ExtensionSuccessThis policy setting allows you to audit events related to security system extensions or services
Audit System IntegritySuccess and FailureThis policy setting allows you to audit events that violate the integrity of the security subsystem

When you have these Windows audit policy settings enabled, the Active Directory Logs will be generated on your domain controllers. These logs can be viewed using the Windows event viewer but it is recommended to use an auditing tool to analyze them. By using the provided audit policy checklist you can ensure you have the policy settings enabled to perform auditing on your domain controller.

Leave a Comment