Advanced Audit Policy Configuration

The Advanced Audit Policy gives you granular control over what Active Directory auditing records. With these settings you can monitor and track changes in Active Directory such as user activity, group membership changes and group policy changes.

In this guide, I walk through how to configure the Advanced Audit Policy settings in Active Directory.

Steps to Configure Advanced Audit Policy

Step 1. Open Group Policy Management Console

Step 2. Browse to the Domain Controllers OU by expanding the Forest and Domains containers. Right-click the Default Domain Controllers Policy and select Edit. Optionally, create a new GPO linked to the Domain Controllers OU instead of modifying the default one.

[Screenshot: Default Domain Controllers Policy in Group Policy Management]

Step 3. Under Computer Configuration, click Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policy.

[Screenshot: Advanced Audit Policy Configuration node in the Group Policy editor]

Step 4. Configure the audit policies based on your requirements. See the recommended settings below.
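The "create a new GPO" option from Step 2 can be scripted. The following is an added example, not code from the original article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the session runs with rights to create and link GPOs, and the GPO name and comment are made up for the example. It also enables the registry value behind the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option, without which the legacy nine-category policy can override the subcategory settings you configure in Step 4.

```powershell
# Added example (not from the original article): create and link a dedicated GPO for the
# domain controller audit policy, then force subcategory (advanced) settings to win over
# the legacy category settings. GPO name/comment are assumed values for this example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'DC Advanced Audit Policy'                  # assumed name; pick your own
$dcOu    = (Get-ADDomain).DomainControllersContainer   # e.g. OU=Domain Controllers,DC=corp,DC=example

# Create the GPO only if it does not already exist (idempotent re-runs).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Advanced audit policy for domain controllers (Server 2022 baseline)'
}

# Link it to the Domain Controllers OU unless a link with that name is already present.
$linked = (Get-GPInheritance -Target $dcOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $dcOu -LinkEnabled Yes | Out-Null
}

# SCENoApplyLegacyAuditPolicy = 1 is the registry value behind the security option
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings".
# Without it, a legacy category setting (e.g. from an older GPO) can silently override the
# subcategories configured under Advanced Audit Policy Configuration.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'SCENoApplyLegacyAuditPolicy' -Type DWord -Value 1 | Out-Null

# The audit subcategories themselves are not registry values, so finish them in the
# GPMC editor at the Audit Policy node from Step 3, then refresh policy on a DC:
#   gpupdate /target:computer /force
```

Run it once from a management host with RSAT; re-running is harmless because both the GPO and the link are only created when absent. The subcategory values still have to be set through the editor (Step 4), because Group Policy stores them in an audit.csv under the GPO's SYSVOL folder rather than in the registry.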

Recommended Advanced Audit Policy Settings

The audit policy settings below are taken from the Windows Server 2022 security baseline for domain controllers. These settings and more are available in the Microsoft Security Compliance Toolkit.

Policy Path                   | Policy Setting Name                            | Audit Event Setting
------------------------------|------------------------------------------------|--------------------
Account Logon                 | Audit Credential Validation                    | Failure
Account Logon                 | Audit Kerberos Authentication Service          | Success and Failure
Account Logon                 | Audit Kerberos Service Ticket Operations       | Failure
Account Logon                 | Audit Other Account Logon Events               |
Account Management            | Audit Application Group Management             |
Account Management            | Audit Computer Account Management              | Success
Account Management            | Audit Distribution Group Management            |
Account Management            | Audit Other Account Management Events          | Success
Account Management            | Audit Security Group Management                | Success
Account Management            | Audit User Account Management                  | Success and Failure
Detailed Tracking             | Audit DPAPI Activity                           |
Detailed Tracking             | Audit PNP Activity                             | Success
Detailed Tracking             | Audit Process Creation                         | Success
Detailed Tracking             | Audit Process Termination                      |
Detailed Tracking             | Audit RPC Events                               |
Detailed Tracking             | Audit Token Right Adjusted                     |
DS Access                     | Audit Detailed Directory Service Replication   |
DS Access                     | Audit Directory Service Access                 | Failure
DS Access                     | Audit Directory Service Changes                | Success
DS Access                     | Audit Directory Service Replication            |
Global Object Access Auditing | File System                                    |
Global Object Access Auditing | Registry                                       |
Logon/Logoff                  | Audit Access Right                             |
Logon/Logoff                  | Audit Account Lockout                          | Failure
Logon/Logoff                  | Audit Group Membership                         | Success
Logon/Logoff                  | Audit IPsec Extended Mode                      |
Logon/Logoff                  | Audit IPsec Main Mode                          |
Logon/Logoff                  | Audit IPsec Quick Mode                         |
Logon/Logoff                  | Audit Logoff                                   |
Logon/Logoff                  | Audit Logon                                    | Success and Failure
Logon/Logoff                  | Audit Network Policy Server                    |
Logon/Logoff                  | Audit Other Logon/Logoff Events                | Success and Failure
Logon/Logoff                  | Audit Special Logon                            | Success
Logon/Logoff                  | Audit User / Device Claims                     |
Object Access                 | Audit Application Generated                    |
Object Access                 | Audit Central Access Policy Staging            |
Object Access                 | Audit Certification Services                   |
Object Access                 | Audit Detailed File Share                      | Failure
Object Access                 | Audit File Share                               | Success and Failure
Object Access                 | Audit File System                              |
Object Access                 | Audit Filtering Platform Connection            |
Object Access                 | Audit Filtering Platform Packet Drop           |
Object Access                 | Audit Handle Manipulation                      |
Object Access                 | Audit Kernel Object                            |
Object Access                 | Audit Other Object Access Events               | Success and Failure
Object Access                 | Audit Registry                                 |
Object Access                 | Audit Removable Storage                        | Success and Failure
Object Access                 | Audit SAM                                      |
Policy Change                 | Audit Audit Policy Change                      | Success
Policy Change                 | Audit Authentication Policy Change             | Success
Policy Change                 | Audit Authorization Policy Change              |
Policy Change                 | Audit Filtering Platform Policy Change         |
Policy Change                 | Audit MPSSVC Rule-Level Policy Change          | Success and Failure
Policy Change                 | Audit Other Policy Change Events               | Failure
Privilege Use                 | Audit Non-Sensitive Privilege Use              |
Privilege Use                 | Audit Other Privilege Use Events               |
Privilege Use                 | Audit Sensitive Privilege Use                  | Success and Failure
System                        | Audit IPsec Driver                             |
System                        | Audit Other System Events                      | Success and Failure
System                        | Audit Security State Change                    | Success
System                        | Audit Security System Extension                | Success
System                        | Audit System Integrity                         | Success and Failure

An empty Audit Event Setting means the baseline leaves that subcategory Not Configured.

Verify Audit Policy Settings

You can quickly check the effective audit policy on a domain controller with the command below. It reports what is actually in force after Group Policy has applied, so run it on the DC itself (after a gpupdate if you just changed the GPO).

    auditpol.exe /get /category:*

[Screenshot: auditpol.exe output listing each category and subcategory with its audit setting]
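Reading sixty lines of auditpol output by eye is error-prone, so here is an added example (not from the original article) that compares the effective policy with the recommended settings from the table above and reports drift. It relies on auditpol's CSV mode (`/r`), whose rows carry a Subcategory and an Inclusion Setting column; the subcategory names in the baseline hashtable are auditpol's own (no "Audit" prefix), and the mapping of "PNP Activity" to auditpol's "Plug and Play Events" name is an assumption. The sample CSV at the bottom is constructed for the demonstration, not captured from a real machine.

```powershell
# Added example (not from the original article): report audit subcategories whose effective
# setting differs from the Server 2022 DC baseline table. Uses "auditpol /get /category:* /r"
# (CSV output). Subcategory names are auditpol's; "Plug and Play Events" for PNP Activity is assumed.
$Baseline = @{
    'Credential Validation'              = 'Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Failure'
    'Computer Account Management'        = 'Success'
    'Other Account Management Events'    = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Plug and Play Events'               = 'Success'
    'Process Creation'                   = 'Success'
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
    'Account Lockout'                    = 'Failure'
    'Group Membership'                   = 'Success'
    'Logon'                              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success'
    'Detailed File Share'                = 'Failure'
    'File Share'                         = 'Success and Failure'
    'Other Object Access Events'         = 'Success and Failure'
    'Removable Storage'                  = 'Success and Failure'
    'Audit Policy Change'                = 'Success'
    'Authentication Policy Change'       = 'Success'
    'MPSSVC Rule-Level Policy Change'    = 'Success and Failure'
    'Other Policy Change Events'         = 'Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success'
    'Security System Extension'          = 'Success'
    'System Integrity'                   = 'Success and Failure'
}

function Get-AuditPolicyDrift {
    param(
        # Default: query the live effective policy. Pass captured CSV lines to test offline.
        [string[]]$AuditpolCsv = (auditpol.exe /get /category:* /r)
    )
    # auditpol /r can emit a blank leading line; drop empties before parsing the CSV.
    $rows = $AuditpolCsv | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    $current = @{}
    foreach ($row in $rows) {
        $current[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        # A subcategory missing from the output is treated as not audited.
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { 'No Auditing' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $expected
            Actual      = $actual
            Compliant   = ($actual -eq $expected)
        }
    }
}

# Constructed sample of auditpol /r output (not real data; GUID column is a placeholder).
# Two of the three rows deliberately deviate from the baseline.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'DC01,System,Credential Validation,{GUID-PLACEHOLDER},Failure,',
    'DC01,System,Logon,{GUID-PLACEHOLDER},Success,',
    'DC01,System,Process Creation,{GUID-PLACEHOLDER},No Auditing,'
)
Get-AuditPolicyDrift -AuditpolCsv $sample | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# On a domain controller, drop the -AuditpolCsv argument to check the live policy:
#   Get-AuditPolicyDrift | Where-Object { -not $_.Compliant }
```

The comparison is strict equality, so a subcategory set to "Success and Failure" where the baseline asks only for "Failure" is flagged as well; that is usually a deliberate tightening, and you can relax the check by treating a superset as compliant. Run it on each DC rather than on a management host, because the effective policy is per machine and a DC that missed a Group Policy refresh is exactly the drift you want to catch.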
