What is AuditPol?

AuditPol (Audit Policy Program or auditpol.exe) is a command-line tool used to view the existing audit policies of a user or computer, and is located in the System32 folder. Additionally, it is used to manage, query and configure audit policy settings at the subcategory level. There are numerous auditing subcategories that provide accurate details about activities on a computer. The audit policy settings are categorized and subcategorized in the following way:

CATEGORY	SUBCATEGORIES
1. Account Logon	Audit Credential Validation Audit Kerberos Authentication Service Audit Kerberos Service Ticket Operations Audit Other Account Logon Events
2. Account Management	Audit Application Group Management Audit Computer Account Management Audit Distribution Group Management Audit Other Account Management Events Audit Security Group Management Audit User Account Management
3. Detailed tracking	Audit DPAPI Activity Audit Process Creation Audit Process Termination Audit RPC Events
4. DS Access	Audit Detailed Directory Service Replication Audit Directory Service Access Audit Directory Service Changes Audit Directory Service Replication
5. Logon/Logoff	Audit Account Lockout Audit IPsec Extended Mode Audit IPsec Main Mode Audit IPsec Quick Mode Audit Logoff Audit Logon Audit Network Policy Server Audit Other Logon/Logoff Events Audit Special Logon
6. Object Access	Audit Application Generated Audit Certification Services Audit Detailed File Share Audit File Share Audit File System Audit Filtering Platform Connection Audit Filtering Platform Packet Drop Audit Handle Manipulation Audit Kernel Object Audit Other Object Access Events Audit Registry Audit SAM
7. Policy Change	Audit Audit Policy Change Audit Authentication Policy Change Audit Authorization Policy Change Audit Filtering Platform Policy Change Audit MPSSVC Rule-Level Policy Change Audit Other Policy Change Events
8. Privilege Use	Audit Non-Sensitive Privilege Use Audit Sensitive Privilege Use Audit Other Privilege Use Events
9. System	Audit IPsec Driver Audit Other System Events Audit Security State Change Audit Security System Extension Audit System Integrity
10. Global Object Access Auditing	File System (Global Object Access Auditing) Registry (Global Object Access Auditing)

Using AuditPol, the following actions can be carried out:

A system audit policy can be set and queried. This policy governs the type of system information that one will find in the security logs. The event ID to look for is 4719.
A per-user audit policy can be set and queried. Windows logs the event to document the user for whom the audit policy was set. The event ID to look for is 4912.
Auditing options can be set and queried.
The security descriptor used for delegating access to an audit policy can be set and queried. The event ID to look for is 4715.
Reports or back ups on audit policies can be generated in a CSV text file. The system audit policies, per-user audit policy settings for all the users, and all auditing options are backed up to CSV files.
Audit policies can be loaded from CSV text files.
Global resource SACLs can be configured. Global resource SACLs settings allows admins to define a computer's SACLs per object type for the file system or Windows registry. The event ID to look for is 4663.

How to run AuditPol

In Command Prompt, run the following cmdlet as an administrator to view the existing auditing settings:

auditpol /get /category:*

Alternatively, to see the current audit settings and configure new settings, you can do the following from your domain controller running the Windows Server OS:

Access Server Manager
Navigate to Tools -> Group Policy Management
Go to Domains -> Your domain -> Domain Controllers -> Default Domain Controller Policy
Right click on Default Domain Controller Policy, and click on edit
Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

How to track Audit Policy changes with ADAudit Plus

Log on to the web console of ADAudit Plus.
Navigate to Reports -> GPO Setting changes.
Select the report of your choice, and see information about changes made to the Group Policy settings, computer configuration, password policy, and more.

For example, the screenshot below from ADAudit Plus shows a sample report on changes made to Group Policy Object Settings:

On clicking Show Details,

In this report, you can obtain the following information:

Which GPO setting was modified?
Who modified the GPO settings?
When were the GPO settings modified?
What were the exact changes made to the GPO settings?

The ADAudit Plus difference

Download ManageEngine's ADAudit Plus, a real-time Active Directory auditing tool, that offers reports and instant email alerts. It is a useful tool to understand employee behavior with regards to IT, and thwart insider and outsider attacks. It can also be used to keep track of all changes to GPO settings and audit policies.