How to audit process tracking

An IT administrator in any organization is responsible for tracking user activity and ensuring there are no insider threats. To carry out these responsibilities, they must monitor which applications or software an employee runs on their workstation. If this isn't tracked, an employee could intentionally or unintentionally run malware, compromising not only the device but potentially the entire enterprise network. In an Active Directory (AD) environment, this tracking is referred to as auditing process tracking. Read on to find out how to audit process tracking.

Steps to enable auditing using the Group Policy Management Console (GPMC):

Perform the following actions on the domain controller (DC):

  1. Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here. If you have already created a Group Policy Object (GPO), go to step 4.
  3. Name the GPO as appropriate.
  4. Right-click the GPO and choose Edit.
  5. In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking.
  6. In the right pane, you will see a list of policies that are under Detailed Tracking. Double-click Audit Process Creation and check the boxes labeled Configure the following audit events, Success, and Failure. Perform the same actions for Audit Process Termination.
  7. Click Apply, then OK.
  8. Go back to the Group Policy Management Console, and in the left pane, right-click the OU to which the GPO was linked and click Group Policy Update. This step makes sure the new Group Policy settings are applied immediately instead of waiting for the next scheduled refresh.

Once this policy is enabled, events are logged in the DC's security log whenever a process has been created or has exited.

Steps to view these events using the Event Viewer:

Once the above steps are complete, events will be stored in the event log. This can be viewed in the Event Viewer by following the steps below:

  1. Press Start, search for Event Viewer, and click to open it.
  2. In the Event Viewer window, in the left pane, navigate to Windows Logs → Security.
  3. Here, you will find a list of all the security events that are logged on the system.
  4. In the right pane, under Security, click Filter Current Log.
  5. In the pop-up window, enter the desired Event ID* in the field labeled <All Event IDs>.
  6. Click OK. This will provide a list of occurrences of the entered Event ID.
  7. Double-click the Event ID to view its properties (description).

*The following Event IDs are generated for the given events:

Event ID   Subcategory                  Event Type   Description
4688       Audit Process Creation       Success      A new process has been created.
4696       Audit Process Creation       Success      A primary token was assigned to process.
4689       Audit Process Termination    Success      A process has exited.

Event 4688 is logged when a process is created. The following details are logged in the event properties:

  • Name and SID of the account that requested the "create process" operation
  • Process ID, full path, and name of the new process created
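The two procedures above, enabling the Detailed Tracking subcategories and then reading 4688/4689 events, can be checked and automated from PowerShell. The following script is an added example, not code from the ADAudit Plus page; it assumes an elevated PowerShell session on the audited host and a one-hour look-back window.

```powershell
# Added example (not from the original page): confirm the audit policy took
# effect, then pull process creation (4688) and termination (4689) events
# from the Security log and expose the fields the article lists by name.

# 1. Verify that both Detailed Tracking subcategories audit Success and Failure.
auditpol /get /subcategory:"Process Creation"
auditpol /get /subcategory:"Process Termination"

# 2. Collect 4688/4689 events. Assumption: look back one hour; adjust as needed.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Parse each event's XML so fields are addressed by name, not by position
#    in the free-text Message.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4688 carries the new process in NewProcessName/NewProcessId;
    # 4689 carries the exiting process in ProcessName/ProcessId.
    if ($e.Id -eq 4688) {
        $proc = $data['NewProcessName']; $pid = $data['NewProcessId']
    } else {
        $proc = $data['ProcessName'];    $pid = $data['ProcessId']
    }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Computer   = $xml.Event.System.Computer
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        SubjectSid = $data['SubjectUserSid']
        Process    = $proc
        ProcessId  = $pid
        ExitStatus = $data['Status']   # populated on 4689 only
    }
}

# 4. Most recent events first, then a count of launches per account, which is
#    the quickest way to spot an account starting unexpected programs.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Where-Object EventId -eq 4688 |
    Group-Object Subject | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Because the GPO is linked to a domain or OU, the events land in the Security log of each computer in that scope, so run the query on the host whose processes you want to review.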

The above method is impractical when you have to deal with thousands of devices in an organization, as an administrator would have to manually look up each event to view its details.

ADAudit Plus, a comprehensive AD auditing tool, enables admins to effortlessly audit process creation and termination events. They can also keep track of all scheduled task creation, deletion, and modifications made to them with ease.

Steps to audit process tracking using ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the console and log in as administrator.
  4. Navigate to Server Audit → Process Tracking → New Process Created

You can also keep track of process termination. Navigate to Server Audit → Process Tracking → New Process Exited.

Advantages of using ADAudit Plus over native auditing:

  • Get instant, informative reports on process creation and termination instead of manually searching for an Event ID.
  • Monitor all programs that are executed, and discover who started the process, which computer the program was launched on, the time the process was started, and much more.
  • Track in detail all scheduled tasks set by users in your organization.
  • Get curated reports for all changes made to your Active Directory in one centralized platform.
  • More easily satisfy compliance regulations including SOX, HIPAA, GLBA, PCI-DSS, FISMA, and GDPR.