Big savings, Better ROI! Exclusive discounts on ManageEngine Products!* Boost your business *T&C apply

Home

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
EventLog Analyzer

Real-time Log Analysis & Reporting
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Click here to expand

Configuring object level auditing - Manual configuration

Object level auditing must be configured to ensure that events are logged whenever any Active Directory object related activity occurs.

Configuring auditing for OU, GPO, user, group, computer, and contact objects

Click on View and ensure that Advanced Features is enabled. This will display the advanced security settings for selected objects in Active Directory Users and Computers.

Right click on domain → Properties → Security → Advanced → Auditing → Add.
In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry number	Auditing Entry for	Access	Apply onto
Auditing Entry number	Auditing Entry for	Access	Windows Server 2003	Windows Server 2008 and above
1&2	OU	Create Organizational Unit objects Delete Organizational Unit objects	This object and all child objects	This object and all descendant objects
1&2	OU	Write All Properties Delete Modify Permissions	Organizational Unit objects	Descendant Organizational Unit objects
3&4	GPO	Create groupPolicyContainer Objects Delete groupPolicyContainer Objects	This object and all child objects	This object and all descendant objects
3&4	GPO	Write All Properties Delete Modify Permissions	groupPolicyContainer objects	Descendant groupPolicyContainer objects
5&6	User	Create User Objects Delete User Objects	This object and all child objects	This object and all descendant objects
5&6	User	Write All Properties Delete Modify Permissions All Extended Rights	User objects	Descendant User objects
7&8	Group	Create Group Objects Delete Group Objects	This object and all child objects	This object and all descendant objects
7&8	Group	Write All Properties Delete Modify Permissions All Extended Rights	Group objects	Descendant Group objects
9& 10	Computer	Create Computer Objects Delete Computer Objects	This object and all child objects	This object and all descendant objects
9& 10	Computer	Write All Properties Delete Modify Permissions All Extended Rights	Computer objects	Descendant Computer objects
11&12	Contact	Create Contact Objects Delete Contact Objects	This object and all child objects	This object and all descendant objects
11&12	Contact	Write All Properties Delete Modify Permissions	Contact objects	Descendant Computer objects

Image displaying: Auditing Entry number 1.

Note: All 12 Auditing Entries must be enabled.

To audit container objects

Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
In the Connection Settings window → Under Select a Well-Known Naming Context → Select 'Default Naming Context'.
Navigate to the left panel → Click on Default naming context → Right click on domains distinguished name → Select properties → Security → Advanced → Auditing → Add.
In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry	Access	Apply onto
Auditing Entry	Access	Windows Server 2003	Windows Server 2008 and above
Container	Write All Properties Delete Modify Permissions	Container objects	Descendant Container objects

Configuring auditing for password setting objects

Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
In the Connection Settings window → Under Select a Well-Known Naming Context → Select 'Default Naming Context'.
Navigate to the left panel → Click on Default naming context → Expand the domain → Expand the System container → Right click on the Password Settings Container → Properties → Security → Advanced → Auditing → Add.
In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry number	Auditing Entry for	Access	Apply onto
Auditing Entry number	Auditing Entry for	Access	Windows Server 2003	Windows Server 2008 and above
1&2	Password Settings Container	Create msDS-PasswordSettings objects Delete msDS-PasswordSetting objects	Not Applicable	This object and all descendant objects
1&2	Password Settings Container	Write All Propertie Delete Modify Permissions	Not Applicable	Descendant msDS-PasswordSettings objects

Image showing: Auditing Entry number 1.

Note: Both Auditing Entries must be enabled.

Configuring auditing for configuration objects

Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit →Connect to.
In the Connection Settings window → Under Select a Well-Known Naming Context → Select Configuration.
Navigate to the left panel → Click on Configuration → Right click on Configuration naming context → Select properties → Security → Advanced → Auditing → Add.
In the Auditing Entry window → Select a principal: Everyone → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry for	Access	Apply onto
Auditing Entry for	Access	Windows Server 2003	Windows Server 2008 and above
Configuration	Create All Child objects Write All Properties Delete All child objects Delete Modify Permissions All Extended Rights	This object and all child objects	This object and all

Configuring auditing for schema objects

Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → Right click on ADSI Edit → Connect to.
In the Connection Settings window → Under Select a Well-Known Naming Context → Select Schema
Navigate to the left panel → Click on Schema → Right click on Schema naming context → Select properties → Security → Advanced → Auditing → Add.
In the Auditing Entry window → Select a principal: Everyone → OK → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry for	Access	Apply onto
Auditing Entry for	Access	Windows Server 2003	Windows Server 2008 and above
Schema	Create All Child objects Write All Properties Delete All child objects Delete Modify Permissions All Extended Rights	This object and all child objects	This object and all descendant objects

Configuring auditing for DNS objects

Log in to any computer that has the Active Directory Service Interfaces snap-in → Open the ADSI Edit console → OK → Right click on ADSI Edit → Connect to.
In the Connection Settings window → Under Select or type a Distinguished Name or Naming Context → Type the distinguished name, as per your domain name and the partition where the zone is stored.
- Type DC=adap, DC=internal,DC=com as the Distinguished Name. (This partition is generally loaded in Adsiedit by default)
- Type DC=DomainDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.
- Type DC=ForestDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.
Navigate to the left panel → Click on Default naming context → Right click on MicrosoftDNS→ Select properties → Security → Advanced → Auditing → Add.
iv. In the Auditing Entry window → Select a principal → Everyone → OK → Type: Success → Select the appropriate permissions, as directed in the table below.

Note: Use Clear all to remove all permissions and properties before selecting the appropriate permissions.

Auditing Entry number	Auditing Entries for	Access	Apply onto
Auditing Entry number	Auditing Entries for	Access	Windows Server 2003	Windows Server 2008 and above
1&2	DNS Zones	Create DNS Zones objects Delete DNS Zones objects	This object and all child objects	This object and all descendant objects
1&2	DNS Zones	Write All Properties Delete Modify Permissions	DNS Zone objects	Descendant DNS Zone objects
3&4	DNS Nodes	Create DNS Nodes objects Delete DNS Nodes objects	This object and all child objects	Descendant DNS Zone objects
3&4	DNS Nodes	Write All Properties Delete Modify Permissions	DNS Node objects	Descendant DNS Node objects

Note:Repeat steps iii. and iv. for the remaining 2 default naming contexts.

Don't see what you're looking for?

Visit our community

Post your questions in the forum.
Request additional resources

Send us your requirements.
Need implementation assistance?

Try onboarding

Help Document

Configuring object level auditing - Manual configuration

Configuring auditing for OU, GPO, user, group, computer, and contact objects

To audit container objects

Configuring auditing for password setting objects

Configuring auditing for configuration objects

Configuring auditing for schema objects

Configuring auditing for DNS objects

Don't see what you're looking for?

Visit our community

Request additional resources

Need implementation assistance?

On this page