Direct Inward Dialing: +1 408 916 9892
Once ADAudit Plus has been installed, it automatically configures audit policies required for Active Directory auditing.
To enable automatic configuration: Log in to the ADAudit Plusweb console → Domain Settings → Audit Policy: Configure.
Changes in FSMO roles can be identified by following the below mentioned steps:
[Highlight reports, domain, configuration auditing, fsmo role changes]
ADAudit Plus enables IT administrators to have a comprehensive picture of all the activities that happen within an organization's network. The real-time monitoring and out-of-the-box reports generated by ADAudit Plus makes it easier to track critical FSMO role changes, and detect and prevent mishaps.
With native AD auditing, here is how you can monitor FSMO role changes:
Launch Server Manager in your Windows Server instance.
Under Manage, select Group Policy Management and launch the Group Policy Management console.
Navigate to Forest ➔ Domain ➔ Your domain ➔ Domain Controllers.
Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the Group Policy Management Editor.
Navigate to Computer Configuration ➔ Windows Settings ➔ Security Settings ➔ Advanced Audit Policy Configuration ➔ System Audit Policies ➔ DS Access
Under DS Access, turn auditing on for Success and failure events of the following policies:
[Highlight advance audit policy configuration, system audit policies, DS access, Audit Detailed Directory Service Replication, AD service access, AD service changes, Audit Directory Service Replication]
From your Server Manager go to Tools and select ADSI Edit.
Right click ADSI Edit node from the left pane and select Connect to option. This pulls up the Connection Settings window.
Select the Default Naming Context option from the Select a well-known Naming Context drop down list.
Click OK and return to the ADSI Edit window. Expand Default Naming Context and select the associated DC subnode. Right-click this subnode and click Properties.
In the Properties window, go to the Security tab and select Advanced. After that select Auditing tab and click Add.
Click on Select a principal.This will bring up a Select User, Computer or Group Window.
Type Everyone in the textbox and verify it with Check Names.
The principal field in the Auditing Entry window now shows Everyone.
In the Type drop-down select All to audit for both success and failure events.
In the Select drop-down choose This object and all descendant object's. This allows the auditing of the OU's descendant objects.
Select Full Controlin the Permissions section.
Click Apply, then OK, and close the console.
In Event Viewer window, go to Windows Logs ➔ Security logs.
Click on Filter current logunder Actionin the right panel.
Search for Event ID 4658 that identifies password changes in FSMO roles.
You can double-click on the event to view Event Properties.
[Highlight Windows logs, security, filter current log, 1458]
These steps need to be repeated each time a change in FSMO roles needs to be audited. Manually checking every event is time-consuming, inefficient and practically impossible for large organizations.
Native auditing becoming a little too much?
Simplify Active Directory auditing and reporting with ADAudit Plus.
Get Your Free Trial Fully functional 30-day trialADAudit Plus simplifies FSMO roles history tracking by offering predefined FSMO Role Changes report along with intuitive graphical representation of the same for the ease of comprehension. ADAudit Plus also provides you the option to generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).
