Thursday, November 22, 2018

Configure an Audit Log to audit Active Directory Changes

When we administer a medium-sized infrastructure with several domain controllers and need to enable the audit log to track changes in Active Directory, we know that a lot of changes will be recorded, and we need to be able to tell who made them, in case something bad happens and we have to find out who did what.

Define which events we need to log in event viewer

So I visited some sources to find out what I need to log; here is one of the Microsoft pages:

https://support.microsoft.com/en-nz/help/814595/how-to-audit-active-directory-objects-in-windows-server-2003

The title is a little misleading, because the procedure applies to several Windows versions; I'm going to apply it to Windows 2008 R2 and Windows 2012 R2.

So these are the event IDs I need:

Security log event IDs (Windows Server 2003/2008-2012):

4727, 4731, 4754, 4759, 4744, 4749 – Group created
4735, 4737, 4745, 4750, 4755, 4760 – Group changed
4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
4728, 4732, 4756, 4761, 4746, 4751 – Member added to a group
4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
5137 – OU created
5139 – OU moved
5136 – OU renamed

4662 – An operation was performed on an object (Type: Directory Service Access).


Create a Group Policy

Now that I know what I need, the next step is to create a Group Policy that audits these events.

1. Run the Group Policy Management Console (GPMC.msc) and create a new Group Policy:



2. Edit the GPO

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
Audit account management → Define → Success
Audit directory service access → Define → Success.

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Configuration → DS Access → Audit Policy:
Audit Directory Service Changes

Then go back to Security Settings level → Event Log:
Maximum security log size → Define to 4 GB
Retention method for security log → Define to Overwrite events as needed.

3. Apply the GPO to the Organizational Unit (OU) containing your Domain Controllers.

4. Apply the Group Policy and restart the Domain Controllers.

5. Check that the audit events now appear in the Security log in Event Viewer.


6. Create a custom view in Event Viewer to show only the selected events.

In this example I only chose changes to Organizational Units (OU).
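As an added example (not part of the original post), here is a PowerShell script that does the same job as the custom view from the console: it checks that the audit subcategory is in effect, then reads the Security log for the event IDs from the table above and lists who changed which group or directory object. It assumes an elevated session on a domain controller where the GPO is applied; the one-day look-back window and the column names are my own choices.

```powershell
# Added example, not from the original post: list who changed which group or
# directory object, using the event IDs from the table above.
# Assumes an elevated PowerShell session on a DC where the GPO is applied.

# First check that the subcategory the GPO enables is really in effect.
auditpol /get /subcategory:"Directory Service Changes"

# Event IDs from the table above, grouped by the action they record.
$Actions = [ordered]@{
    'Group created'             = 4727,4731,4754,4759,4744,4749
    'Group changed'             = 4735,4737,4745,4750,4755,4760
    'Group deleted'             = 4730,4734,4758,4748,4753,4763
    'Member added to group'     = 4728,4732,4756,4761,4746,4751
    'Member removed from group' = 4729,4733,4757,4762,4747,4752
    'Directory object created'  = 5137
    'Directory object moved'    = 5139
    'Directory object modified' = 5136
}
$Since = (Get-Date).AddDays(-1)   # look back one day; adjust as needed

$Results = foreach ($action in $Actions.Keys) {
    # One query per action keeps each filter short and lets us label the rows.
    $filter = @{ LogName = 'Security'; Id = $Actions[$action]; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Copy the named <Data> fields of the event XML into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Group events name the group in TargetUserName; 513x events carry ObjectDN.
        if ($data.ContainsKey('ObjectDN')) { $target = $data['ObjectDN'] }
        else                               { $target = $data['TargetUserName'] }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Action = $action
            Who    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target = $target
            Class  = $data['ObjectClass']              # e.g. organizationalUnit (513x only)
            Member = $data['MemberName']               # add/remove events only
            Attr   = $data['AttributeLDAPDisplayName'] # 5136 only
            Value  = $data['AttributeValue']           # 5136 only
        }
    }
}

# Show everything; to mirror the custom view in step 6, insert
#   Where-Object { $_.Class -eq 'organizationalUnit' }   before Sort-Object.
$Results | Sort-Object Time | Format-Table Time, Id, Action, Who, Target, Class, Member, Attr -AutoSize
```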



Install a Syslog Service

I looked around the internet for a syslog service and found several; there are good ones out there. For this purpose I chose Kiwi Syslog Server from SolarWinds: the free version supports 5 devices, and that's enough for what I needed.

Later I will explore the Syslog Service in another article.


Here are some of my sources:

Audit AD Changes - https://ithompson.wordpress.com/tag/organizational-unit-move/