With native AD auditing, here is how you can monitor domain functional level changes in Active Directory:

• Step 1: Enable 'Audit logon events' policy

• Launch 'Server Manager' in your Windows Server instance.

• Under Manage, select 'Group Policy Management' and launch the Group Policy Management console.

• Navigate to 'Forest' --> 'Domain' --> 'Your domain' --> 'Domain Controllers'.

• Create a new GPO and link it to the domain containing the computer object, or edit any existing GPO that is linked to the domain to open the 'Group Policy Management Editor'.

• Navigate to 'Computer Configuration' ➔ 'Windows Settings' ➔ 'Security Settings' ➔ 'Advanced Audit Policy Configuration' ➔ 'System Audit Policies' ➔ 'DS Access'

• Under DS Access, turn auditing on for Success and failure events of the following policies:

  1. Audit account logon events

  2. Audit account management

  3. Audit policy changes

  

• In the GPMC, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane.

• Type 'everyone' in the text box to apply the modified GPO to all the objects, click 'Check Names' to confirm the same.

• Press 'OK' and Exit GPMC.

• To enforce these changes throughout the domain, run the command 'gpupdate /force', in the "Run" console.

• Step 2: Allow AD Auditing through ADSI Edit

• From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

• Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

• Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

  

• Click 'Okay' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.

• In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

  

• Click on Select a principal. This will bring up a Select User, Computer or Group Window.

• Type Everyone in the textbox and verify it with Check Names.

• The principal field in the Auditing Entry window now shows Everyone.

• In the Type drop-down select All to audit for both success and failure events.

• In the Select drop-down choose This object and all descendant object's. This allows the auditing of the OU's descendant objects.

• Select Full Control in the Permissions section.

• This selects all the checkboxes available. Unselect the following check boxes:

  1. 'Full Control'

  2. 'List Contents'

  3. 'Read all properties'

  4. 'Read permissions'

• Click 'Apply', 'OK' and close the console.

• Step 3: View events in Event Viewer

• In Event Viewer window, go to Windows Logs ➔ Security logs.

• Click on Filter current log under Action in the right panel.

• Search for Event ID 4739 that identifies domain functional level changes.

• You can double-click on the event to view Event Properties.

  

• These steps need to be repeated for all the domains to policy changes. Manually checking every event is time-consuming, inefficient and practically impossible for large organizations.