Click here to shrink
Click here to expand Click here to expand

Configure audit policies in your domain - Manual Process

Configure advanced audit policies

Advanced audit policies help administrators exercise granular control over which activities get recorded in the logs, helping reduce event noise. We recommend configuring advanced audit policies on Windows Server 2008 and above.

  • Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
  • Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy or ADAuditPlusWSPolicy, and select Edit.

    • Note: For the appropriate group policy, refer to the table below:

    To enable FIM on Right-click
    Domain controller Default Domain Controllers Policy GPO
    Windows server ADAuditPlusMSPolicy GPO
    Workstation ADAuditPlusWSPolicy GPO
  • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and configure the following settings:
    • Category Subcategory Audit events
    Object Access
    • Audit File System
    • Audit File Share
    • Audit Handle Manipulation
    • Success, Failure
    • Success
    • Success, Failure

    Configure advanced audit policies

Force advanced audit policies

When using advanced audit policies, ensure they are forced over legacy audit policies.

  • Log in to any computer that has the GPMC with Domain Admin credentials.
  • Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy or ADAuditPlusWSPolicy, then select Edit.

    • To enable FIM on Right-click
    Domain controller Default Domain Controllers Policy GPO
    Windows server ADAuditPlusMSPolicy GPO
    Workstation ADAuditPlusWSPolicy GPO
  • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  • Right-click Audit: Force audit policy subcategory settings from the right pane.
  • Select Properties, then choose Enabled.

    • Force advanced audit policies

Configure legacy audit policies

Due to the unavailability of advanced audit policies in Windows Server 2003 and earlier versions, legacy audit policies need to be configured for these types of servers.

  • Log in to any computer that has the GPMC with Domain Admin credentials.
  • Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy or ADAuditPlusWSPolicy, then select Edit.

    • To enable FIM on Right-click
    Domain controller Default Domain Controllers Policy GPO
    Windows server ADAuditPlusMSPolicy GPO
    Workstation ADAuditPlusWSPolicy GPO
  • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
  • Double-click Audit Policy.
  • Right-click on the Object Access policy in the right pane.
  • Select Properties, then check the box next to Success.

    • Configure legacy audit policies

Don't see what you're looking for?

  •  

    Visit our community

    Post your questions in the forum.

     
  •  

    Request additional resources

    Send us your requirements.

     
  •  

    Need implementation assistance?

    Try OnboardPro

     

On this page

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link