
Audit Authorization Policy Change is an advanced audit policy setting that, when enabled, audits and records events for the assignment and removal of user rights, modifications to the Central Access Policy (CAP) of an object, and a few other authorization-related events. User rights assignment policies dictate whether a user can log in to a system, how they can log in, and the permissions they have over the resources on a system. The CAP is a centrally managed authorization system for the whole network.

Audit Authorization Policy Change is different from Audit Authentication Policy Change, which audits changes to user logon rights, domain policies, and so on. The key difference is that Audit Authorization Policy Change monitors changes in users' access to network resources, while Audit Authentication Policy Change monitors changes in users' authentication rights and rules.

Why should you enable Audit Authorization Policy Change?

Audit Authorization Policy Change covers changes to the authorization rules that limit and regulate the number of users who access sensitive data on the network. Assigning or removing user rights is therefore an important security event. While such a change could be a routine upgrade or downgrade of permissions, it could also be an insider trying to elevate their permissions to access sensitive data.

How to enable Audit Authorization Policy Change?

  • Open Server Manager on your Windows server.
  • Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
  • Navigate to Forest > Domain > Your Domain > Domain Controllers.
  • Either create a new Group Policy Object (GPO) or edit an existing one.
  • In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
  • Expand the node and select Policy Change. Click on Audit Authorization Policy Change and enable it for 'Success' and 'Failure'.

Events recorded by Audit Authorization Policy Change:

  • 4703: A user right was adjusted.
  • 4704: A user right was assigned.
  • 4705: A user right was removed.
  • 4670: Permissions on an object were changed.
  • 4911: Resource attributes of the object were changed.
  • 4913: Central Access Policy on the object was changed.
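
One way to triage the 4704 and 4705 events listed above, as an added example that is not ADAudit Plus or Microsoft code: the PowerShell below parses Security-log event XML and flags assignments of high-impact privileges. The watch list, the function name `Get-UserRightChange` and the sample events are assumptions constructed for illustration.

```powershell
# Confirm the GPO applied: auditpol /get /subcategory:"Authorization Policy Change"
# Assumed watch list of high-impact privileges; tune it to your environment.
$Sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege', 'SeLoadDriverPrivilege'

function Get-UserRightChange {
    # Hypothetical helper: takes event XML strings, emits one object per 4704/4705 event.
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e  = ([xml]$EventXml).Event
        $id = [int]$e.System.EventID
        if ($id -notin 4704, 4705) { return }   # ignore other Policy Change events
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # PrivilegeList holds one or more whitespace-separated privilege names.
        $rights = @($data['PrivilegeList'] -split '\s+' | Where-Object { $_ })
        [pscustomobject]@{
            Time        = $e.System.TimeCreated.SystemTime
            Action      = if ($id -eq 4704) { 'Assigned' } else { 'Removed' }
            ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            TargetSid   = $data['TargetSid']
            Rights      = $rights -join ', '
            NeedsReview = ($id -eq 4704) -and [bool]($rights | Where-Object { $_ -in $Sensitive })
        }
    }
}

# Constructed sample events (not from a real system), trimmed to the fields used above.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><System><EventID>{1}</EventID><TimeCreated SystemTime="{2}"/></System>' +
            '<EventData><Data Name="SubjectUserName">{3}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>' +
            '<Data Name="TargetSid">{4}</Data><Data Name="PrivilegeList">{5}</Data></EventData></Event>'
$sample = @(
    ($template -f $ns, 4704, '2024-01-10T09:15:02Z', 'helpdesk01', 'S-1-5-21-1-2-3-1104', 'SeDebugPrivilege SeBackupPrivilege'),
    ($template -f $ns, 4704, '2024-01-10T10:02:47Z', 'gpo-admin', 'S-1-5-21-1-2-3-1120', 'SeChangeNotifyPrivilege'),
    ($template -f $ns, 4705, '2024-01-10T11:30:00Z', 'gpo-admin', 'S-1-5-21-1-2-3-1104', 'SeDebugPrivilege'),
    ($template -f $ns, 4670, '2024-01-10T11:31:00Z', 'gpo-admin', 'S-1-5-21-1-2-3-1104', '')
)

# Only the first sample event is flagged: a sensitive privilege was assigned.
$sample | Get-UserRightChange | Where-Object { $_.NeedsReview } |
    Format-Table Time, ChangedBy, TargetSid, Rights

# Live use on a domain controller (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4704, 4705 } |
#     ForEach-Object { $_.ToXml() } | Get-UserRightChange
```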

Audit Authorization Policy Change with ADAudit Plus

ADAudit Plus is an auditing tool that can audit and generate reports on entities such as servers and workstations, as well as on group policy changes, permission changes, and so on. This change reporting tool can instantaneously generate over 200 audit reports that are comprehensive and easy to understand. Here is a sample report from ADAudit Plus on User Rights Assigned:

This report gives information on accounts which were assigned new rights, the timestamp, name of the domain controller, and so on. This report can help an administrator survey the user rights that have been assigned to check if there are any unauthorized assignments. This report can be accessed on ADAudit Plus by navigating to Server Audit > Policy Changes > User Rights Assigned.

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory change reporting software that audits, tracks, reports and alerts on Windows (Active Directory, workstation logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the demands of much-needed security, audit and compliance, including FISMA compliance. With ADAudit Plus, you can track authorized and unauthorized AD management changes, user access, GPO setting changes, and changes to groups, computers and OUs. Track every file and folder modification, access and permission change with 200+ detailed event-specific reports, and get instant email alerts. You can also export the results to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics. For more information on ADAudit Plus, visit https://www.manageengine.com/active-directory-audit/.
