How to monitor administrator user activities in Active Directory
In Active Directory (AD), users with administrative privilege have complete and unrestricted access across the domain to modify AD objects and their attributes. User accounts that are members of the Domain Admins group or other groups with admin privileges must be monitored for suspicious behavior. These accounts can pose serious security threats if they're in the hands of unauthorized agents. Read on to learn how to monitor actions performed by administrator accounts through Windows' native auditing and by using ManageEngine ADAudit Plus.

Steps to enable auditing using the Group Policy Management Console (GPMC)

Perform the following actions on the domain controller (DC):

  1. Press Start, search for and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here... If you have already created a Group Policy Object (GPO), go to step 4.
  3. Name the GPO.
  4. Right-click the GPO, and choose Edit.
  5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy.
  6. In the right pane, double-click Audit account logon events, and check the boxes next to Define these policy settings, Success, and Failure.
  7. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.
  8. In the right pane, double-click Audit Credential Validation, and check the boxes next to Configure the following audit events, Success, and Failure.
  9. Click Apply, then OK.
  10. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management > Audit User Account Management, and check the boxes next to Configure the following audit events, Success, and Failure.
  11. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management > Audit Computer Account Management, and check the boxes next to Configure the following audit events, Success, and Failure.
  12. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Changes, and check the boxes next to Configure the following audit events, Success, and Failure.
  13. Go back to the Group Policy Management Console, and in the left pane, right-click the OU to which the GPO is linked, and click Group Policy Update... This step applies the new Group Policy settings immediately instead of waiting for the next scheduled refresh.
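An added check, not from the original article: after the Group Policy Update step, this PowerShell snippet (run in an elevated session on the DC) reads auditpol's CSV report for the four advanced subcategories configured above and flags any that are not auditing both Success and Failure.

```powershell
# Added check, not from the article: confirm the effective audit policy on the DC
# matches what the GPO above configures. Uses auditpol's CSV report output (/r),
# whose "Inclusion Setting" column holds values such as "Success and Failure".
$required = @(
    'Credential Validation',
    'User Account Management',
    'Computer Account Management',
    'Directory Service Changes'
)

$notApplied = @()
foreach ($sub in $required) {
    # Drop blank lines before parsing so ConvertFrom-Csv sees the header first
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'

    '{0,-30} {1}' -f $sub, $setting
    if ($setting -ne 'Success and Failure') {
        $notApplied += ('{0}: {1}' -f $sub, $setting)
    }
}

if ($notApplied.Count -gt 0) {
    # Typical causes: the GPO is linked to the wrong OU, or gpupdate has not run yet
    Write-Warning ("Audit policy not fully in effect:`n" + ($notApplied -join "`n"))
} else {
    'All four subcategories audit Success and Failure.'
}
```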

Steps to view these events using Event Viewer

Once the above steps are complete, events will be stored in the event log. These can be viewed in Event Viewer. However, before that, you need to figure out which users have administrator privileges. Perform the following actions on a domain controller (DC):

  1. Press Start, then search for and open the Active Directory Users and Computers console.
  2. Navigate to <Domain name> > Users, and double-click the group labeled Domain Admins. Switch to the Members tab. Here you will find a list of users with admin rights.
  3. Press Start, search for Event Viewer, and click on it to open it.
  4. In the left pane, right-click Custom Views, and select Create Custom View....
  5. In the Create Custom View window, switch to the XML tab, check the box next to Edit Query Manually, and click Yes in the pop-up warning dialog box.
  6. In the query field, enter the following query:

     <QueryList>
       <Query Id="0" Path="Security">
         <Select Path="Security">
           *[EventData[Data[@Name='SubjectUserName']='<username>']]
         </Select>
       </Query>
     </QueryList>

     Replace <username> with the desired administrator username. Matching on the SubjectUserName field selects events where that account performed the action, not events where it was merely the target.
  7. Click OK, and name the Custom View. Now you can see a list of Event IDs related to actions performed by the administrator account under Custom Views.
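As an added example that is not part of the original article, the same filter can be generated for every member of Domain Admins at once and run through Get-WinEvent, restricted to the last 24 hours. It assumes the RSAT ActiveDirectory module is installed, that it runs on a DC, and that the audit policy from the previous section is in effect.

```powershell
# Added example, not from the article: run the Custom View's filter for every
# member of Domain Admins at once instead of one <username> per view.
# Assumes the RSAT ActiveDirectory module is available and this runs on a DC.
Import-Module ActiveDirectory

# Direct and nested members of Domain Admins, user objects only, by sAMAccountName
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

if (-not $admins) { throw 'No user members found in Domain Admins.' }

# One predicate per admin, joined with "or". SubjectUserName is the account that
# performed the action, so events where an admin is only the target are excluded.
$userClauses = ($admins | ForEach-Object { "Data[@Name='SubjectUserName']='$_'" }) -join ' or '

# Same query shape as the Custom View, plus a 24-hour window (timediff is in ms)
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and *[EventData[$userClauses]]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue suppresses the "No events were found" error
Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Id    = $_.Id
            Admin = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Task  = $_.TaskDisplayName
        }
    } | Sort-Object Time | Format-Table -AutoSize
```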

The above method is unrealistic when you have to deal with numerous administrators and thousands of events. As an administrator, you would have to manually look up each event to view its details.

ADAudit Plus, a comprehensive AD auditing tool, helps you audit all changes to your Active Directory, including those performed by administrator accounts.

Steps to monitor administrator user activity using ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the console, and log in as an administrator.
  4. Navigate to Reports > Account Management > Administrative User Actions.

View user, computer, group, and organizational unit management activities performed by administrator accounts.

View reports for specific users by selecting the user object, or perform an advanced search to view reports for a certain type of change.

Advantages of using ADAudit Plus over native auditing:

  • Get reports on changes to all AD objects by administrator accounts in one place, and get reports for any changes made by other users.
  • View out-of-the-box reports for changes to your Azure AD, and get real-time alerts for critical events.
  • Get notified upon detection of irregular user behavior. ADAudit Plus uses user behavior analytics (UBA) to create a baseline of normal user activity and alerts you when any user deviates from that behavior. For example, an unusually high volume of login attempts, logins occurring at unusual times, or the first time a user accesses a host remotely.