This article was also published on the Microsoft TechNet Blog CZ/SK under the title Auditing AD DS Objects in Windows Server 2008 and in the Microsoft section on Živě Auditing AD DS Objects in Windows Server 2008.
The situation around auditing events in AD DS is not simple. We need to consider carefully what we want to monitor: suspicious operations, failed operations, or simply oversight of account creation and deletion. Using Directory Service Access (DS Access) together with a detailed SACL configuration, we can monitor thousands of data points (and a poorly configured setup will only fill up the log). The key is to understand and properly configure the SACL filtering.
Moreover, DS Access is not the only option, although it is the one Microsoft presents everywhere. There is also the Account Management category. Its events let us monitor changes to local accounts on a workstation, and also to domain accounts on a domain controller. This category offers fewer options, but its configuration is simpler, and it sometimes complements the information we get from DS Access. In fact, I think this category may be sufficient for many people, so they don't need DS Access for logging at all.
Auditing the DS Access Category
To enable auditing, we need to perform several steps:
- Enable auditing - we have two options
  - Globally using the audit policy
  - For individual subcategories - supported from Windows Server 2008, again two options
    - using the auditpol.exe command
    - using the new Advanced Audit Policy - supported from Windows Server 2008 R2
- Select in detail which operations on which objects we want to monitor - using a SACL
- (Optional) Set exceptions for attributes by modifying the AD schema - setting the searchFlags attribute to 256 on the schema object of the attribute we don't want logged; we won't go into this area here
Enabling Global Auditing
On the DC, we apply a policy that globally enables auditing. We can do this, for example, in the Default Domain Controllers Policy.
- Run Group Policy Management
- Open the policy, e.g. Default Domain Controllers Policy, in the Group Policy Management Editor
- Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy
- Open the Audit directory service access item
- Check Define these policy settings and choose whether we want to monitor successful and failed events - Success and Failed

Enabling Auditing for Subcategories
From Windows Server 2008 on, we can select which subcategories to audit. This is not mandatory: if we set the policy from the previous step, all subcategories of the given category are enabled. By default (without any policy), only the Directory Service Access subcategory is enabled on the server, and only for Success. The individual subcategories are:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
Configuration using auditpol.exe
If we don't have Windows Server 2008 R2, we can't use Group Policy to set the individual subcategories, but we can use the command line tool auditpol.exe. The configuration is local to each domain controller, so it must be repeated on every DC where we want it applied.
We can list the individual subcategories (all, or those of one category):
Auditpol /list /subcategory:*
Auditpol /list /subcategory:"DS Access"
We can back up the settings:
Auditpol /backup /file:C:\auditpolicy.csv
We can check the current settings (all values, or those of our category):
Auditpol /get /category:*
Auditpol /get /category:"DS Access"
And then we can change the settings (enable or disable individual subcategories):
Auditpol /set /subcategory:"directory service changes" /success:enable
Auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
Most of these commands must be run on the server, and the configuration must be done on the DC. If we try them on a workstation, or without administrator privileges (Run as administrator), we get an error message:
Auditpol /get /category:*
Error 0x00000522 occurred:
A required privilege is not held by the client.
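Because auditpol settings are local to each DC, a practitioner usually wants to verify them across the whole domain at once. The following is an added example (not from the original article) that reads the DS Access subcategory settings from every domain controller and flags any where Directory Service Changes is not audited on Success; it assumes the ActiveDirectory module, PowerShell remoting to the DCs, and administrator rights on them.

```powershell
# Added example, not part of the original article.
# Assumes: ActiveDirectory module (RSAT), PS remoting enabled on the DCs, admin rights.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory, ...),
    # which ConvertFrom-Csv turns into objects we can filter
    auditpol /get /category:"DS Access" /r | ConvertFrom-Csv
} -ErrorAction Continue

# Overview of every subcategory on every DC
$report |
    Select-Object 'Machine Name', Subcategory, 'Inclusion Setting' |
    Sort-Object Subcategory, 'Machine Name' |
    Format-Table -AutoSize

# Warn about DCs where the setting the article enables with
#   Auditpol /set /subcategory:"directory service changes" /success:enable
# is missing, i.e. the Inclusion Setting does not contain "Success"
$report |
    Where-Object { $_.Subcategory -eq 'Directory Service Changes' -and
                   $_.'Inclusion Setting' -notmatch 'Success' } |
    ForEach-Object {
        Write-Warning "$($_.'Machine Name'): Directory Service Changes = $($_.'Inclusion Setting')"
    }
```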

Configuration using Group Policy
Windows Server 2008 R2 (and Windows 7) was expanded with the ability to configure auditing at the subcategory level using Group Policy. These policies are located in a slightly different place in the Advanced Audit Policy Configuration group.
- Run Group Policy Management
- Open the policy, e.g. Default Domain Controllers Policy, in the Group Policy Management Editor
- Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policy/DS Access
- Open the Audit directory service access item
- Select the individual subcategories and set Success or Failed for them

When we set a value in Advanced Audit Policy Configuration, all values from Local Policies/Audit Policy are automatically disabled. It is nevertheless recommended to set the policy that enforces this explicitly:
- Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options
- Open the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings item
- Set it to Enabled
Specifying Which Objects We Want to Monitor - SACL
Setting the System Access Control List (SACL) enables logging of access to secured objects; it specifies which operation, performed by whom, gets logged. Until we set the SACL appropriately, no records will be created!
- Using ADUC (Active Directory Users and Computers), we select the object (usually an OU or the whole domain)
- Right-click and choose Properties
- Switch to the Security tab
- Click the Advanced button
- Switch to the Auditing tab

Here we see the SACL entries that are already configured. To add a new one:
- Click the Add button
- Select the principal whose access we want to log, usually Authenticated Users or Everyone
- On the Object tab, we can set the operations we want to monitor, for example Create User objects, and check whether we want to monitor Failed or Successful attempts
- On the Properties tab, we can specify Read/Write operations on individual attributes directly
- On both tabs, we can restrict the objects to which the entry applies using Apply onto, for example Descendant User objects (only the options valid for that object type are then displayed)
We need to think carefully about which operation we audit and where we apply it (Apply onto). For example, the creation of a new object (a user) must be monitored on the parent object (typically the OU), whereas a change of an attribute value must be monitored on the object itself as a Write property operation.
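The two SACL entries just described (Create User objects on the OU itself, and Write property on Descendant User objects), scripted instead of clicked through ADUC. This is an added example, not code from the original article; it assumes the ActiveDirectory module and its AD: drive (Windows Server 2008 R2 or RSAT), and the OU path is a placeholder to adjust.

```powershell
# Added example, not part of the original article.
# Assumes: ActiveDirectory module; run on a DC or with RSAT, as an administrator.
Import-Module ActiveDirectory

$ouPath = "AD:\OU=Staff,DC=example,DC=local"   # placeholder OU, adjust to your domain

# Look up the schemaIDGUID of the "user" class from the schema rather than hard-coding it
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID
$userGuid  = [Guid]$userClass.schemaIDGUID

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID: Everyone
$flags    = [System.Security.AccessControl.AuditFlags]'Success,Failure'

# 1) "Create User objects", applied to This object only: audited on the parent (the OU)
$createUser = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    $flags,
    $userGuid,                                                          # object type = user class
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

# 2) "Write all properties", applied to Descendant User objects: audited on the users themselves
$writeUser = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $flags,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid                                                           # inherited object type = user
)

# -Audit is required so Get-Acl reads (and Set-Acl keeps) the SACL, not just the DACL
$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($createUser)
$acl.AddAuditRule($writeUser)
Set-Acl -Path $ouPath -AclObject $acl

# Verify what the Auditing tab in ADUC will now show for this OU
(Get-Acl -Path $ouPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Writing the SACL requires the SeSecurityPrivilege (Manage auditing and security log), which domain administrators hold on DCs by default.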
Events from the DS Access Category and Their IDs
Auditing generates events in the Security log. Below is a list of the events in the individual subcategories; the official list is on the Microsoft website under DS Access.
Audit Directory Service Changes
- Event ID 5136 - A directory service object was modified.
- Event ID 5137 - A directory service object was created.
- Event ID 5138 - A directory service object was undeleted.
- Event ID 5139 - A directory service object was moved.
- Event ID 5141 - A directory service object was deleted.
Audit Directory Service Access
- Event ID 4662 - An operation was performed on an object.
Audit Directory Service Replication
- Event ID 4932 - Synchronization of a replica of an Active Directory naming context has begun.
- Event ID 4933 - Synchronization of a replica of an Active Directory naming context has ended.
Audit Detailed Directory Service Replication
- Event ID 4928 - An Active Directory replica source naming context was established.
- Event ID 4929 - An Active Directory replica source naming context was removed.
- Event ID 4930 - An Active Directory replica source naming context was modified.
- Event ID 4931 - An Active Directory replica destination naming context was modified.
- Event ID 4934 - Attributes of an Active Directory object were replicated.
- Event ID 4935 - Replication failure begins.
- Event ID 4936 - Replication failure ends.
- Event ID 4937 - A lingering object was removed from a replica.
Auditing the Account Management Category
Configuring auditing for the Account Management category is much simpler. It consists only of enabling auditing for the given category. And as with DS Access, we can do it in two ways:
- Globally using the audit policy
- For individual subcategories - supported from Windows Server 2008, again two options
  - using the auditpol.exe command
  - using the new Advanced Audit Policy - supported from Windows Server 2008 R2
Enabling Global Auditing
We enable auditing the same way as for the DS Access category, which means preferably through Group Policy. This time, we just select the Audit account management item.
Enabling Auditing for Subcategories
Again, we can select only some subcategories using the auditpol.exe command or the Advanced Audit Policy Configuration policy. The Account Management category contains the following subcategories:
- Audit Application Group Management
- Audit Computer Account Management
- Audit Distribution Group Management
- Audit Other Account Management Events
- Audit Security Group Management
- Audit User Account Management
Events from the Account Management Category and Their IDs
Auditing again generates events in the Security log. Below is a list of the events in the individual subcategories; the official list is on the Microsoft website under Account Management.
Audit User Account Management
- Event ID 4720 - A user account was created
- Event ID 4722 - A user account was enabled
- Event ID 4723 - An attempt was made to change an account's password
- Event ID 4724 - An attempt was made to reset an account's password
- Event ID 4725 - A user account was disabled
- Event ID 4726 - A user account was deleted
- Event ID 4738 - A user account was changed
- Event ID 4740 - A user account was locked out
- Event ID 4765 - SID History was added to an account
- Event ID 4766 - An attempt to add SID History to an account failed
- Event ID 4767 - A user account was unlocked
- Event ID 4780 - The ACL was set on accounts which are members of administrators groups
- Event ID 4781 - The name of an account was changed
- Event ID 4794 - An attempt was made to set the Directory Services Restore Mode
- Event ID 5376 - Credential Manager credentials were backed up
- Event ID 5377 - Credential Manager credentials were restored from a backup
Audit Computer Account Management
- Event ID 4741 - A computer account was created
- Event ID 4742 - A computer account was changed
- Event ID 4743 - A computer account was deleted
Audit Application Group Management
- Event ID 4783 - A basic application group was created
- Event ID 4784 - A basic application group was changed
- Event ID 4785 - A member was added to a basic application group
- Event ID 4786 - A member was removed from a basic application group
- Event ID 4787 - A non-member was added to a basic application group
- Event ID 4788 - A non-member was removed from a basic application group
- Event ID 4789 - A basic application group was deleted
- Event ID 4790 - An LDAP query group was created
Audit Distribution Group Management
- Event ID 4744 - A security-disabled local group was created
- Event ID 4745 - A security-disabled local group was changed
- Event ID 4746 - A member was added to a security-disabled local group
- Event ID 4747 - A member was removed from a security-disabled local group
- Event ID 4748 - A security-disabled local group was deleted
- Event ID 4749 - A security-disabled global group was created
- Event ID 4750 - A security-disabled global group was changed
- Event ID 4751 - A member was added to a security-disabled global group
- Event ID 4752 - A member was removed from a security-disabled global group
- Event ID 4753 - A security-disabled global group was deleted
- Event ID 4759 - A security-disabled universal group was created
- Event ID 4760 - A security-disabled universal group was changed
- Event ID 4761 - A member was added to a security-disabled universal group
- Event ID 4762 - A member was removed from a security-disabled universal group
Audit Other Account Management Events
- Event ID 4782 - The password hash for an account was accessed
- Event ID 4793 - The Password Policy Checking API was called
Audit Security Group Management
- Event ID 4727 - A security-enabled global group was created
- Event ID 4728 - A member was added to a security-enabled global group
- Event ID 4729 - A member was removed from a security-enabled global group
- Event ID 4730 - A security-enabled global group was deleted
- Event ID 4731 - A security-enabled local group was created
- Event ID 4732 - A member was added to a security-enabled local group
- Event ID 4733 - A member was removed from a security-enabled local group
- Event ID 4734 - A security-enabled local group was deleted
- Event ID 4735 - A security-enabled local group was changed
- Event ID 4737 - A security-enabled global group was changed
- Event ID 4754 - A security-enabled universal group was created
- Event ID 4755 - A security-enabled universal group was changed
- Event ID 4756 - A member was added to a security-enabled universal group
- Event ID 4757 - A member was removed from a security-enabled universal group
- Event ID 4758 - A security-enabled universal group was deleted
- Event ID 4764 - A group's type was changed
Messages in the Event Log
To find the records that interest us among the large number of entries in the Security log, we can use filtering.
- Open the Event Viewer
- Navigate to the Security log
- Right-click and choose Filter Current Log
- In the Event sources column, select Microsoft Windows security auditing
- In the Task category column, select all the categories that interest us, such as:
  - Directory Service Changes
  - Directory Service Access
  - User Account Management
  - Computer Account Management
In practice, it is of course assumed that the events are forwarded to some server that processes them further. This can be a standard Syslog server (but then we need to add a Syslog client to Windows so that the logs are sent) or Microsoft SCOM (System Center Operations Manager).
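The same filtering done from the command line, with the fields a defender actually wants pulled out of each event. This is an added example, not from the original article: it queries the Security log for the DS Access and Account Management event IDs listed above and shows who did what to which account or object. It assumes it runs on a DC (or against one via -ComputerName) with permission to read the Security log; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not part of the original article.
# Assumes: run on a DC as a user allowed to read the Security log.
# Event IDs from the article: object creation/change/deletion (DS Access) and user/computer
# account lifecycle (Account Management)
$ids = 4662, 5136, 5137, 5138, 5139, 5141,
       4720, 4722, 4724, 4725, 4726, 4738, 4740, 4741, 4742, 4743

function Get-EventField {
    # Returns the value of a named <Data> element from the event's XML, or $null if absent
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $subject = Get-EventField $_ 'SubjectUserName'
    # Account Management events name the target account (TargetUserName);
    # DS Access events name the object DN (5136-5141) or ObjectName (4662)
    $target = Get-EventField $_ 'TargetUserName'
    if (-not $target) { $target = Get-EventField $_ 'ObjectDN' }
    if (-not $target) { $target = Get-EventField $_ 'ObjectName' }
    $outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = $outcome
        Subject = $subject
        Target  = $target
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Sorting by time makes the burst the article shows for a single user creation (4662, 4720, 4724, 4738, 4722, then 5137) visible as consecutive rows with the same Subject and Target.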
Example Messages
A small example of what is logged when DS Access and Account Management are enabled for both Success and Failed events. The SACL is set on the entire domain for Everyone with Create/Delete User objects access. Interestingly, the 5141 event is not logged.
Creating a user
12:46:10 4662 An operation was performed on an object. / Object Access Create Child
12:46:10 4720 A user account was created.
12:46:10 4724 An attempt was made to reset an account's password.
12:46:10 4738 A user account was changed.
12:46:10 4722 A user account was enabled.
12:46:19 5137 A directory service object was created.
Deleting a user
13:01:52 4726 A user account was deleted.