Steps to enable auditing using the Group Policy Management Console (GPMC)
Perform the following actions on the domain controller (DC):
- Press Start, search for and open the Group Policy Management Console, or run the command gpmc.msc.
- Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here... If you have already created a Group Policy Object (GPO), go to step 4.
- Name the GPO.
- Right-click the GPO, and choose Edit.
- In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Audit Policy.
- In the right pane, double-click Audit account logon events, and check the boxes next to Define these policy settings, Success, and Failure.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon.
- In the right pane, double-click Audit Credential Validation, and check the boxes next to Configure the following audit events, Success, and Failure.
- Click Apply, then OK.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management > Audit User Account Management, and check the boxes next to Configure the following audit events, Success, and Failure.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management > Audit Computer Account Management, and check the boxes next to Configure the following audit events, Success, and Failure.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Changes, and check the boxes next to Configure the following audit events, Success, and Failure.
- Go back to the Group Policy Management Console, and in the left pane, right-click the OU to which the GPO was linked, and click Group Policy Update... This step makes sure the new Group Policy settings are applied immediately instead of waiting for the next scheduled refresh.
Steps to view these events using Event Viewer
Once the above steps are complete, events will be stored in the event log. These can be viewed in Event Viewer. However, before that, you need to figure out which users have administrator privileges. Perform the following actions on a domain controller (DC):
- Press Start, then search for and open the Active Directory Users and Computers console.
- Navigate to <Domain name> > Users, and double-click the group labeled Domain Admins. Switch to the Members tab. Here you will find a list of users with admin rights.
- Press Start, search for Event Viewer, and click on it to open it.
- In the left pane, right-click Custom Views, and select Create Custom View....
- In the Create Custom View window, switch to the XML tab, check the box next to Edit Query Manually, and click Yes in the pop-up warning dialog box.
- In the query field, enter the following query:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='SubjectUserName'] and (Data='<username>')]]
    </Select>
  </Query>
</QueryList>
* Replace <username> with the desired administrator username.
- Click OK, and name the Custom View. Now you can see a list of Event IDs related to actions performed by the administrator account under Custom Views.
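The same SubjectUserName filter can be applied to every Domain Admins member at once from PowerShell rather than one Custom View per account. This is an added example, not part of the original page; it assumes it runs on a DC with the ActiveDirectory RSAT module installed and the audit subcategories from the GPO steps above already in effect, and the output file name admin-actions.csv is arbitrary.

```powershell
# Added example (not from the original page): collect Security events generated by
# every member of Domain Admins, covering the subcategories enabled by the GPO above.
# Assumes the ActiveDirectory module (RSAT) is present and the script runs on a DC.
Import-Module ActiveDirectory

# 1. Confirm the GPO actually applied before trusting the log: auditpol shows the
#    effective per-subcategory setting on this machine (expect "Success and Failure").
auditpol.exe /get /subcategory:"Credential Validation,User Account Management,Computer Account Management,Directory Service Changes"

# 2. Resolve administrator accounts, including members of nested groups.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Where-Object objectClass -eq 'user' |
          Select-Object -ExpandProperty SamAccountName

# 3. Build one XPath filter: SubjectUserName equal to any admin, restricted to the
#    user/computer account management IDs (4720-4767) and directory service object
#    changes (5136) from the last 24 hours (86400000 ms). The event log XPath parser
#    rejects very long expressions, so split $admins into batches if you have many.
$userClause = ($admins | ForEach-Object { "Data[@Name='SubjectUserName']='$_'" }) -join ' or '
$xpath = "*[System[((EventID>=4720 and EventID<=4767) or EventID=5136)" +
         " and TimeCreated[timediff(@SystemTime) <= 86400000]]" +
         " and EventData[$userClause]]"

# 4. Flatten each record to the fields a reviewer needs and export for triage.
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Admin   = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
            Target  = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            Summary = ($_.Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Time -Descending |
    Export-Csv -Path .\admin-actions.csv -NoTypeInformation
```

Get-WinEvent reports an error rather than an empty result when nothing matches, which -ErrorAction SilentlyContinue suppresses; remove it while validating the filter so a typo in an account name is not mistaken for "no activity".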
The above method is unrealistic when you have to deal with numerous administrators and thousands of events. As an administrator, you would have to manually look up each event to view its details.
ADAudit Plus, a comprehensive AD auditing tool, helps you audit all changes to your Active Directory, including those performed by administrator accounts.
Steps to monitor administrator user activity using ManageEngine ADAudit Plus
- Download and install ADAudit Plus.
- Find the steps to configure auditing on your domain controller here.
- Open the console, and log in as an administrator.
- Navigate to Reports > Account Management > Administrative User Actions.
Advantages of using ADAudit Plus over native auditing:
- Get reports on changes to all AD objects by administrator accounts in one place, and get reports for any changes made by other users.
- View out-of-the-box reports for changes to your Azure AD, and get real-time alerts for critical events.
- Get notified upon detection of irregular user behavior. ADAudit Plus uses user behavior analytics (UBA) to create a baseline of normal user activity and alerts you when any user deviates from that behavior. For example, an unusually high volume of login attempts, logins occurring at unusual times, or the first time a user accesses a host remotely.