To capture complete and accurate Active Directory audit events, including actor and source attribution, configure the following:
- Windows Advanced Audit Policies on domain controllers
- System Access Control Lists (SACLs) on directory partitions

Both configurations are required for full-fidelity auditing.
SACL configuration

Note: In the auditing entries, leave all Read and List permissions cleared; auditing them generates a very high volume of event log activity.
Domain partition
- Open Active Directory Users and Computers.
- Under the View menu, enable Advanced Features.
- Right-click the domain, and then select Properties.
- On the Security tab, click Advanced.
- On the Auditing tab, configure the following SACLs.
  - Settings:
    - Principal: Everyone
    - Type: Success
    - Applies to: This object and all descendant objects
  - Permissions:
    - Write all properties
    - Delete
    - Delete subtree
    - Modify permissions
    - Modify owner
    - Create all child objects
    - Delete all child objects
Configuration partition
- Open Active Directory Sites and Services.
- Right-click the domain, and then select Properties.
- On the Security tab, click Advanced.
- On the Auditing tab, configure the following SACLs.
  - Settings:
    - Principal: Everyone
    - Type: Success
    - Applies to: This object and all descendant objects
  - Permissions:
    - Write all properties
    - Delete
    - Delete subtree
    - Modify permissions
    - Modify owner
    - Create all child objects
    - Delete all child objects
Audit policy configuration

Use Group Policy (GPO) to enable auditing consistently across all domain controllers.
- Open Group Policy Management Console (gpmc.msc).
- Edit or create a policy linked to the Domain Controllers OU.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
- Enable auditing for the following policies.

Account Logon

| Subcategory | Setting |
|---|---|
| Audit Credential Validation | Success, Failure |
| Audit Kerberos Authentication Service | Success, Failure |
| Audit Kerberos Service Ticket Operations | Failure |
| Audit Other Account Logon Events | Success, Failure |

Account Management

| Subcategory | Setting |
|---|---|
| Audit Computer Account Management | Success |
| Audit Other Account Management Events | Success, Failure |
| Audit Security Group Management | Success |
| Audit User Account Management | Success, Failure |

Detailed Tracking

| Subcategory | Setting |
|---|---|
| Audit Token Right Adjusted Events | Success, Failure |

DS Access

| Subcategory | Setting |
|---|---|
| Audit Detailed Directory Service Replication | Success, Failure |
| Audit Directory Service Changes | Success |

Logon/Logoff

| Subcategory | Setting |
|---|---|
| Audit Account Lockout | Success, Failure |
| Audit Logoff | Success |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |

Policy Change

| Subcategory | Setting |
|---|---|
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit Authorization Policy Change | Success, Failure |
| Audit Filtering Platform Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |

Privilege Use

| Subcategory | Setting |
|---|---|
| Audit Sensitive Privilege Use | Success, Failure |

Applying the policy
- Link the Group Policy Object to the Domain Controllers OU.
- Run the following command on each domain controller:

```
gpupdate /force
```

Best practice

Use a centralized GPO to ensure consistent auditing across all domain controllers.
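The SACL entries from the two partition procedures above, applied with PowerShell instead of the GUI, followed by a read-back of the result and a check that the DS Access subcategory the SACLs depend on is actually in effect. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and a session on a domain controller holding the "Manage auditing and security log" right.

```powershell
# Added example: set the page's SACL on the domain and configuration partitions,
# then verify. Assumes the ActiveDirectory module and SeSecurityPrivilege.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext

# Principal: Everyone (well-known SID S-1-1-0); Type: Success;
# Applies to: this object and all descendant objects.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# The seven permissions from the page, mapped to ActiveDirectoryRights:
# Write all properties -> WriteProperty, Delete -> Delete, Delete subtree -> DeleteTree,
# Modify permissions -> WriteDacl, Modify owner -> WriteOwner,
# Create/Delete all child objects -> CreateChild/DeleteChild.
# Read and List rights are deliberately left out (see the Note above).
$rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, CreateChild, DeleteChild'

$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

foreach ($dn in @($domainDN, $configDN)) {
    # -Audit reads the SACL (not just the DACL); Set-Acl writes it back with the new entry.
    $acl = Get-Acl -Path "AD:\$dn" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl

    # Read back the Everyone entries so the change can be confirmed in the same run.
    "SACL entries for Everyone on $dn"
    (Get-Acl -Path "AD:\$dn" -Audit).Audit |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize
}

# A SACL alone produces nothing: the matching audit subcategory must be enabled.
# auditpol names subcategories without the "Audit " prefix used in the GPO editor.
$dsChanges = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
if ($dsChanges.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Directory Service Changes auditing is not enabled on this DC; directory change events will not be logged until the GPO applies.'
}
```

Run it once per partition set, not per domain controller: the SACL is stored in the directory and replicates, whereas the auditpol check reflects only the local policy of the DC it runs on.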