Step 1: Configure DS Objects

Follow the steps given below to enable Directory Service Objects auditing:

Go to Start Menu -> Administrative Tools.

Open “Group Policy Management Console”.

Go to Forest -> Domains -> Domain Controllers.

Next, right-click on the “Default Domain Controllers Policy”. From the context menu, click on “Edit” to open the “Group Policy Management Editor” window.

Go to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies” in the editor window.

In the “Audit Policies”, click on “DS Access”. The following policies will be displayed:

1. Audit Directory Service Access

2. Audit Directory Service Changes

3. Audit Directory Service Replication

4. Audit Detailed Directory Service Replication

Double-click on each of these policies and enable both “Success” and “Failure” auditing as shown in the figure below.

Step 2: Configure AD auditing through ADSI Edit

Follow the steps given below to allow Active Directory auditing through ADSI edit:

Open "ADSI Edit" window.

Right-click the root “ADSI Edit” on the left pane and select “Connect to” option from the context menu. Connect to the current domain controller (DC), which appears with “Default Naming Context”.

Click “OK” to connect.

In the left panel, a tree will appear. Double click on the node of “Default naming Context” and go to “DC=www,DC=domain,DC=com” -> “CN=System” -> “CN=Policies”.

Right click on the “CN=Policies” and navigate to "Properties".

Go to “Security” tab and click on “Advanced” button to access its Advanced Security Settings.

Navigate to “Auditing” tab in the Advanced Security Settings.

Add the user for whom the auditing has to be enabled. The following window appears.

Enter the name of the user for which you want to enable the auditing. To audit all the users' changes, type “Everyone”.

Click “Check Names” to confirm the username.

Click on “OK” to add the user. “Auditing Entry for Policies” dialog box appears.

Choose the entries for which the user’s action will be audited. Select “Full Control” for auditing both “successful” and “failed” events.

Select the “Apply these auditing entries to objects and/or containers within this container only” checkbox to apply the changes to the child objects as well.

Click on “OK” to apply these auditing entries. “Auditing” tab of Advanced Security Settings will appear. Click “Apply” and “OK” to apply the auditing settings.

Step 3: Viewing events

In “Event Viewer” window, click “Windows Logs” and choose “Security” logs.

Click “Filter current log” under “Action” in the right panel.

Search for Event ID 5136 that shows permission changes in Active Directory.

Double-click any specific event to view its “Event Properties”.