
    Configuring object level auditing - Manual configuration

    Object level auditing must be configured to ensure that events are logged whenever any Active Directory object related activity occurs.

    Configuring auditing for OU, GPO, user, group, computer, and contact objects

    • Log in to any computer that has Active Directory Users and Computers (ADUC) installed, using Domain Admin credentials → Open ADUC.
    • Click on View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in Active Directory Users and Computers.

    • Right click on domain → Properties → Security → Advanced → Auditing → Add.
    • In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.
    • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.


    Auditing entries (principal: Everyone, type: Success). Each object type needs two entries: the first audits creation and deletion of objects of that type, the second audits changes to existing objects of that type. "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above.

    Auditing Entries 1 & 2 (OU)
    • Entry 1, Access: Create Organizational Unit objects; Delete Organizational Unit objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 2, Access: Write All Properties; Delete; Modify Permissions
      Apply onto: Organizational Unit objects / Descendant Organizational Unit objects

    Auditing Entries 3 & 4 (GPO)
    • Entry 3, Access: Create groupPolicyContainer objects; Delete groupPolicyContainer objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 4, Access: Write All Properties; Delete; Modify Permissions
      Apply onto: groupPolicyContainer objects / Descendant groupPolicyContainer objects

    Auditing Entries 5 & 6 (User)
    • Entry 5, Access: Create User objects; Delete User objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 6, Access: Write All Properties; Delete; Modify Permissions; All Extended Rights
      Apply onto: User objects / Descendant User objects

    Auditing Entries 7 & 8 (Group)
    • Entry 7, Access: Create Group objects; Delete Group objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 8, Access: Write All Properties; Delete; Modify Permissions; All Extended Rights
      Apply onto: Group objects / Descendant Group objects

    Auditing Entries 9 & 10 (Computer)
    • Entry 9, Access: Create Computer objects; Delete Computer objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 10, Access: Write All Properties; Delete; Modify Permissions; All Extended Rights
      Apply onto: Computer objects / Descendant Computer objects

    Auditing Entries 11 & 12 (Contact)
    • Entry 11, Access: Create Contact objects; Delete Contact objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 12, Access: Write All Properties; Delete; Modify Permissions
      Apply onto: Contact objects / Descendant Contact objects

    Image: Auditing Entry number 1.

    Note: All 12 Auditing Entries must be enabled.

    To audit container objects

    • Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
    • In the Connection Settings window → Under Select a Well-Known Naming Context → Select 'Default Naming Context'.
    • Navigate to the left panel → Click on Default naming context → Right click on the domain's distinguished name → Select Properties → Security → Advanced → Auditing → Add.
    • In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.
    • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

      Auditing entry (principal: Everyone, type: Success). "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above.

      Auditing Entry (Container)
      • Access: Write All Properties; Delete; Modify Permissions
        Apply onto: Container objects / Descendant Container objects

    Configuring auditing for password setting objects

    • Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
    • In the Connection Settings window → Under Select a Well-Known Naming Context → Select 'Default Naming Context'.
    • Navigate to the left panel → Click on Default naming context → Expand the domain → Expand the System container → Right click on the Password Settings Container → Properties → Security → Advanced → Auditing → Add.
    • In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.
    • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

      Auditing entries (principal: Everyone, type: Success). "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above; Password Settings Objects do not exist on Windows Server 2003.

      Auditing Entries 1 & 2 (Password Settings Container)
      • Entry 1, Access: Create msDS-PasswordSettings objects; Delete msDS-PasswordSettings objects
        Apply onto: Not Applicable / This object and all descendant objects
      • Entry 2, Access: Write All Properties; Delete; Modify Permissions
        Apply onto: Not Applicable / Descendant msDS-PasswordSettings objects

    Image: Auditing Entry number 1.

    Note: Both Auditing Entries must be enabled.

    Configuring auditing for configuration objects

    • Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
    • In the Connection Settings window → Under Select a Well-Known Naming Context → Select Configuration.
    • Navigate to the left panel → Click on Configuration → Right click on Configuration naming context → Select properties → Security → Advanced → Auditing → Add.
    • In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.
    • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

      Auditing entry (principal: Everyone, type: Success). "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above.

      Auditing Entry (Configuration)
      • Access: Create All Child objects; Write All Properties; Delete All Child objects; Delete; Modify Permissions; All Extended Rights
        Apply onto: This object and all child objects / This object and all descendant objects

    Configuring auditing for schema objects

    • Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
    • In the Connection Settings window → Under Select a Well-Known Naming Context → Select Schema.
    • Navigate to the left panel → Click on Schema → Right click on Schema naming context → Select properties → Security → Advanced → Auditing → Add.
    • In the Auditing Entry window → Select a principal: Everyone → OK → Type: Success → Select the appropriate permissions, as directed in the table below.
    • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

    Auditing entry (principal: Everyone, type: Success). "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above.

    Auditing Entry (Schema)
    • Access: Create All Child objects; Write All Properties; Delete All Child objects; Delete; Modify Permissions; All Extended Rights
      Apply onto: This object and all child objects / This object and all descendant objects

    Configuring auditing for DNS objects

    1. Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → OK → Right click on ADSI Edit → Connect to.
    2. In the Connection Settings window → Under Select or type a Distinguished Name or Naming Context → Type the distinguished name for your domain and the partition in which the zone is stored. With the example domain adap.internal.com, the three partitions are:
      • DC=adap,DC=internal,DC=com (the default naming context; this partition is generally loaded in ADSI Edit by default)
      • DC=DomainDNSZones,DC=adap,DC=internal,DC=com
      • DC=ForestDNSZones,DC=adap,DC=internal,DC=com

    3. Navigate to the left panel → Click on Default naming context → Right click on MicrosoftDNS → Select Properties → Security → Advanced → Auditing → Add.
    4. In the Auditing Entry window → Select a principal: Everyone → OK → Type: Success → Select the appropriate permissions, as directed in the table below.
      • Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

    Auditing entries (principal: Everyone, type: Success). "Apply onto" is given as Windows Server 2003 / Windows Server 2008 and above.

    Auditing Entries 1 & 2 (DNS Zones)
    • Entry 1, Access: Create DNS Zone objects; Delete DNS Zone objects
      Apply onto: This object and all child objects / This object and all descendant objects
    • Entry 2, Access: Write All Properties; Delete; Modify Permissions
      Apply onto: DNS Zone objects / Descendant DNS Zone objects

    Auditing Entries 3 & 4 (DNS Nodes)
    • Entry 3, Access: Create DNS Node objects; Delete DNS Node objects
      Apply onto: This object and all child objects / Descendant DNS Zone objects
    • Entry 4, Access: Write All Properties; Delete; Modify Permissions
      Apply onto: DNS Node objects / Descendant DNS Node objects

    Note: Repeat steps 3 and 4 for the remaining two naming contexts listed in step 2.
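    The GUI steps above (the twelve ADUC entries, the container entry, the Password Settings Container pair, and the Configuration and Schema entries) set System Access Control List (SACL) entries on the directory partitions. The following PowerShell script is an added example, not ManageEngine's own tooling: it builds the same "Everyone / Success" entries with System.DirectoryServices and the ActiveDirectory module, applies them with Set-Acl, and reports which expected entries are present so that drift can be checked later. In the ACE model, "Create/Delete <Class> objects" is CreateChild/DeleteChild with the class's schemaIDGUID as ObjectType, "This object and all descendant objects" is inheritance All, and "Descendant <Class> objects" is inheritance Descendents with the class GUID as InheritedObjectType. The function names and the domain-root target are the example's own choices; everything else follows the tables on this page.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the ManageEngine page): apply and verify the SACL entries described above.
# Run with Domain Admin rights on a host that has the RSAT Active Directory PowerShell module.
Import-Module ActiveDirectory

$Everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$Success  = [System.Security.AccessControl.AuditFlags]::Success

# Resolve an lDAPDisplayName (e.g. organizationalUnit) to its schemaIDGUID; the GUI's
# "<Class> objects" pickers store exactly this GUID in the ACE's ObjectType / InheritedObjectType.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $class) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]::new([byte[]]$class.schemaIDGUID)
}

# The pair of entries the tables prescribe per object class:
#   entry 1: Create/Delete <class> objects, applied to "This object and all descendant objects"
#   entry 2: Write All Properties, Delete, Modify Permissions (+ All Extended Rights), "Descendant <class> objects"
function New-ObjectClassAuditRules {
    param([Parameter(Mandatory)][string]$LdapDisplayName, [switch]$IncludeExtendedRights)
    $classGuid    = Get-SchemaClassGuid -LdapDisplayName $LdapDisplayName
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $changeRights = 'WriteProperty, Delete, WriteDacl'      # Write All Properties, Delete, Modify Permissions
    if ($IncludeExtendedRights) { $changeRights += ', ExtendedRight' }
    $change = [System.DirectoryServices.ActiveDirectoryRights]$changeRights

    $entry1 = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Everyone, $createDelete, $Success, $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All, [guid]::Empty)
    $entry2 = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Everyone, $change, $Success, [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $classGuid)
    @($entry1, $entry2)
}

# Single entry used for the Configuration and Schema partitions (all child, property and extended rights, whole subtree).
function New-PartitionAuditRule {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, WriteDacl, ExtendedRight'
    [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $Everyone, $rights, $Success, [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All, [guid]::Empty)
}

# Merge rules into one object's SACL. Get-Acl -Audit reads the SACL, which requires SeSecurityPrivilege.
function Add-ObjectAuditRules {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAuditRule[]]$Rules)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    foreach ($rule in $Rules) { $acl.AddAuditRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Report whether each expected entry exists as an explicit SACL entry (rights may be a superset after merging).
function Test-ObjectAuditRules {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAuditRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($want in $Rules) {
        $match = $existing | Where-Object {
            $_.IdentityReference -eq $want.IdentityReference -and
            $_.AuditFlags.HasFlag($want.AuditFlags) -and
            ($_.ActiveDirectoryRights -band $want.ActiveDirectoryRights) -eq $want.ActiveDirectoryRights -and
            $_.ObjectType -eq $want.ObjectType -and
            $_.InheritanceType -eq $want.InheritanceType -and
            $_.InheritedObjectType -eq $want.InheritedObjectType
        }
        $classGuid = if ($want.ObjectType -ne [guid]::Empty) { $want.ObjectType } else { $want.InheritedObjectType }
        [pscustomobject]@{ Target = $DistinguishedName; Rights = $want.ActiveDirectoryRights; Class = $classGuid; Present = [bool]$match }
    }
}

# Usage: the 12 ADUC entries plus the container entry on the domain root, the PSO pair, and both partitions.
$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName
$domainRules = @(
    New-ObjectClassAuditRules organizationalUnit
    New-ObjectClassAuditRules groupPolicyContainer
    New-ObjectClassAuditRules user     -IncludeExtendedRights
    New-ObjectClassAuditRules group    -IncludeExtendedRights
    New-ObjectClassAuditRules computer -IncludeExtendedRights
    New-ObjectClassAuditRules contact
    (New-ObjectClassAuditRules container)[1]     # the container section lists only the Write/Delete/Modify entry
)
Add-ObjectAuditRules -DistinguishedName $domainDN -Rules $domainRules
Add-ObjectAuditRules -DistinguishedName "CN=Password Settings Container,CN=System,$domainDN" -Rules (New-ObjectClassAuditRules 'msDS-PasswordSettings')
foreach ($nc in $rootDse.configurationNamingContext, $rootDse.schemaNamingContext) {
    Add-ObjectAuditRules -DistinguishedName $nc -Rules @(New-PartitionAuditRule)
}
Test-ObjectAuditRules -DistinguishedName $domainDN -Rules $domainRules | Format-Table -AutoSize
```

    The DNS Node entries follow the same constructor; the one difference from the pair built by New-ObjectClassAuditRules is that the table applies the Create/Delete DNS Node entry to descendant DNS Zone objects, i.e. inheritance Descendents with the dnsZone GUID as InheritedObjectType. A SACL on its own produces no events: the Directory Service Access and Directory Service Changes subcategories of the advanced audit policy must also be enabled on the domain controllers, otherwise the matching 4662 and 5136 events are never written to the Security log. Re-running Test-ObjectAuditRules on a schedule is a cheap way to detect an entry that was removed or weakened.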
