
    Configure AD CS auditing

    Add AD CS servers in ADAudit Plus

    To enable AD CS auditing, you need to configure the computer on which AD CS is installed in the ADAudit Plus console.

    • If you have installed AD CS on a domain controller, configure the Active Directory domain and the domain controller in ADAudit Plus. Click here to see how.
    • If you have installed AD CS on a Windows server, configure the Windows server in ADAudit Plus. Click here to see how.

    Configure audit policies

    For AD CS auditing, you can configure the required audit policies either automatically or manually in ADAudit Plus.

    Automatic configuration

    To configure the audit policies automatically, follow the steps below:

    Manual configuration

    When configuring the audit policies manually, you can configure either the advanced audit policies or the legacy audit policies for AD CS auditing.

    To configure advanced audit policies:

    • Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
    • Open the GPMC and, depending on your setup, right-click either Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

      Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure the audit policy in the ADAuditPlusMSPolicy GPO.

    • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
    • Double-click Object Access.
    • Right-click Audit Certification Services in the right pane. Select Properties, then check the boxes next to Success and Failure.


    To force advanced audit policies:

    After configuring the advanced audit policies, ensure that they are forced over legacy audit policies.

    • Log in to any computer that has the GPMC with Domain Admin credentials.
    • Open the GPMC and, depending on your setup, right-click either Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

      Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure the audit policy in the ADAuditPlusMSPolicy GPO.

    • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    • Right-click Audit: Force audit policy subcategory settings from the right pane, select Properties, and then choose Enabled.


    To configure legacy audit policies:

    • Log in to any computer that has the GPMC with Domain Admin credentials.
    • Open the GPMC and, depending on your setup, right-click either Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

      Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure the audit policy in the ADAuditPlusMSPolicy GPO.

    • In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
    • Double-click Audit Policy.
    • Right-click the Object Access policy in the right pane. Select Properties, then check the boxes next to Success and Failure.


    Enable auditing on AD CS servers

    Configure CA auditing

    • Log in to the AD CS server with Domain Admin credentials.
    • Open the Certificate Authority management console, right-click the CA, and select Properties.
    • Select the Auditing tab from the Properties window and check the boxes next to the categories listed below:
      • Change CA configuration
      • Change CA security settings
      • Issue and manage certificate requests
      • Revoke certificates and publish CRLs
      • Store and retrieve archived keys


    Monitoring changes to certificate templates

    Changes made to certificate templates issued by Enterprise CAs can be audited with ADAudit Plus by updating the registry. To enable certificate template auditing, open the Command Prompt as an administrator and execute the following command:

    certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
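    The following PowerShell script is an added example, not part of the ADAudit Plus documentation or product, that verifies on the CA host that everything configured in the sections above (the advanced audit policy and its forcing setting, the CA Auditing tab categories, and the template-load flag) is actually in effect. It assumes it is run in an elevated PowerShell session on the AD CS server. The registry paths, the SCENoApplyLegacyAuditPolicy value, the AuditFilter bit layout and the EDITF_AUDITCERTTEMPLATELOAD value (0x10000) are taken from Microsoft's AD CS documentation rather than from this page, so treat the bit mapping as an assumption to confirm against your own CA's Auditing tab.

```powershell
# Added verification script (not ManageEngine's code). Run elevated on the CA server.
# Prints a pass/fail table for each setting described in the AD CS auditing steps
# and exits non-zero if any check fails.

$checks = @()

# 1. Advanced audit policy: Object Access > Audit Certification Services (Success and Failure).
#    auditpol /r emits CSV; the effective setting is in the "Inclusion Setting" column.
$auditLine = auditpol /get /subcategory:"Certification Services" /r | ConvertFrom-Csv
$setting   = $auditLine.'Inclusion Setting'
$checks += [pscustomobject]@{
    Check  = 'Audit Certification Services = Success and Failure'
    Pass   = ($setting -eq 'Success and Failure')
    Actual = $setting
}

# 2. "Audit: Force audit policy subcategory settings" is stored as
#    SCENoApplyLegacyAuditPolicy = 1 under the Lsa key (assumed standard location).
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$force = $lsa.SCENoApplyLegacyAuditPolicy
$checks += [pscustomobject]@{
    Check  = 'Force audit policy subcategory settings = Enabled'
    Pass   = ($force -eq 1)
    Actual = $force
}

# 3. CA Auditing tab: the five categories listed on the page, as bits of CA\AuditFilter.
#    Bit values assumed from Microsoft's AuditFilter documentation.
$config      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName      = (Get-ItemProperty -Path $config).Active           # name of the active CA
$auditFilter = (Get-ItemProperty -Path (Join-Path $config $caName)).AuditFilter
$required = @{
    'Issue and manage certificate requests' = 0x04
    'Change CA configuration'               = 0x08
    'Change CA security settings'           = 0x10
    'Store and retrieve archived keys'      = 0x20
    'Revoke certificates and publish CRLs'  = 0x40
}
foreach ($name in $required.Keys) {
    $bit = $required[$name]
    $checks += [pscustomobject]@{
        Check  = "CA auditing: $name"
        Pass   = (($auditFilter -band $bit) -eq $bit)
        Actual = ('0x{0:X2}' -f [int]$auditFilter)
    }
}

# 4. Certificate template load auditing: EDITF_AUDITCERTTEMPLATELOAD (0x10000) must be
#    present in the default policy module's EditFlags, which is what the certutil
#    command on the page sets.
$policyKey = Join-Path $config "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty -Path $policyKey).EditFlags
$checks += [pscustomobject]@{
    Check  = 'EDITF_AUDITCERTTEMPLATELOAD set in policy\EditFlags'
    Pass   = (($editFlags -band 0x10000) -ne 0)
    Actual = ('0x{0:X}' -f [int]$editFlags)
}

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { exit 1 }
```

    Two caveats worth knowing when a check fails right after you change something: the GPO checks reflect the last policy refresh, so run gpupdate /force (or wait for the refresh interval) before trusting them, and values changed with certutil -setreg, including AuditFilter and EditFlags, take effect only after the Active Directory Certificate Services service (certsvc) is restarted. Once EDITF_AUDITCERTTEMPLATELOAD is active, the CA writes event ID 4898 to the Security log each time it loads a template, which is the event the template-change auditing relies on.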
