
Quick Reference Guide

Active Directory Auditing


This quick reference guide shows how to enable logging of important changes in your
Active Directory and view them via Event Viewer.

Audit Policy Settings

Run GPMC.msc (url2open.com/gpmc) > create a new policy and link this GPO to an organizational unit (OU) that contains the domain in which you'd like to track changes. Once the GPO is created you must go into Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy:

  Audit account management > Define > Success
  Audit directory service access > Define > Success
  Audit account logon events > Define > Success and Failure
  Audit logon events > Define > Success and Failure

Object-level Active Directory Auditing

Open ADSI Edit (url2open.com/adsi) > Connect to Default naming context > Right-click DomainDNS object with the name of your domain > Properties > Security (Tab) > Advanced (Button) > Auditing (Tab):

  Add Principal: Everyone
  Type: Success
  Applies to: This object and Descendant objects
  Permissions > Select all check boxes except the following: Full Control, List Contents, Read all properties, Read permissions > Click OK

Security Event Log Settings

Run GPMC.msc > open Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log > Define:

  Maximum security log size to 4GB
  Retention method for security log to Overwrite events as needed

Open Event Viewer and search the Security log for the event IDs listed in the Event ID Reference box.

Event ID Reference

  1102                                  Security log cleared
  4624                                  Login succeeded
  4625, 4771                            Failed login
  4625, 4771 (Failure code 0x17)        Password expired
  4720                                  User account created
  4722                                  User account enabled
  4724                                  Password reset attempt
  4725                                  User account disabled
  4726                                  User account deleted
  4727, 4731, 4754, 4759, 4744, 4749    Group created
  4728, 4732, 4756, 4761, 4746, 4751    Member added to a group
  4729, 4733, 4757, 4762, 4747, 4752    Member removed from a group
  4730, 4734, 4758, 4748, 4753, 4763    Group deleted
  4740                                  User account locked out
  4743                                  Computer deleted
  4764                                  Group type changed
  4767                                  User account unlocked
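
A PowerShell alternative to searching Event Viewer by hand, added here as an example and not part of the original guide: it queries the Security log for the IDs in the Event ID Reference and labels each hit with who made the change and what it touched. The 24-hour window, the batch size of 20, leaving out 4624, and reading the 0x17 failure code from the Status field are assumptions.

```powershell
# Added example (not from the guide). Run elevated on a domain controller.
# Assumptions: 24-hour window; 4624 (Login succeeded) omitted for volume.
$Hours = 24
$Reference = [ordered]@{
    'Security log cleared'        = @(1102)
    'Failed login'                = @(4625, 4771)
    'User account created'        = @(4720)
    'User account enabled'        = @(4722)
    'Password reset attempt'      = @(4724)
    'User account disabled'       = @(4725)
    'User account deleted'        = @(4726)
    'Group created'               = @(4727, 4731, 4754, 4759, 4744, 4749)
    'Member added to a group'     = @(4728, 4732, 4756, 4761, 4746, 4751)
    'Member removed from a group' = @(4729, 4733, 4757, 4762, 4747, 4752)
    'Group deleted'               = @(4730, 4734, 4758, 4748, 4753, 4763)
    'User account locked out'     = @(4740)
    'Computer deleted'            = @(4743)
    'Group type changed'          = @(4764)
    'User account unlocked'       = @(4767)
}
$ById = @{}  # inverted: ID -> description
foreach ($n in $Reference.Keys) { foreach ($id in $Reference[$n]) { $ById[$id] = $n } }
# Large ID lists can be rejected as an invalid query, so query in batches of 20.
$ids = @($ById.Keys | Sort-Object)
$events = for ($i = 0; $i -lt $ids.Count; $i += 20) {
    $batch = $ids[$i..([Math]::Min($i + 19, $ids.Count - 1))]
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $batch; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue  # a batch with no matches raises an error
}
$report = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $f = @{}  # named EventData fields of this event
    foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $what = $ById[$e.Id]
    # Failure code 0x17 marks an expired password (read here from Status).
    if ($f['Status'] -eq '0x17') { $what = 'Password expired' }
    $actor = $f['SubjectUserName']
    # 1102 carries its subject under UserData rather than EventData.
    if (-not $actor) { $actor = $x.Event.UserData.LogFileCleared.SubjectUserName }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Event  = $what
        Actor  = $actor
        Target = $f['TargetUserName']
        Member = $f['MemberName']
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```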

Gain #completevisibility into what's happening in your Active Directory environment with Netwrix Auditor for Active Directory: netwrix.com/go/trial-ad

Corporate Headquarters: 300 Spectrum Center Drive, Suite 1100, Irvine, CA 92618
Toll-free: 888-638-9749   Int'l: 1-949-407-5125   EMEA: 44 (0) 203-318-0261
netwrix.com/social
