Auditing events on Active Directory domain controllers is usually configured through Group Policy: the Default Domain Controllers Policy is edited and the audit settings are enabled there, so that the configuration is consistent across all domain controllers.
Group Policy exposes a number of audit categories. Each category can audit successful events, failed events, or both; the categories and event types that are enabled can be chosen as needed, and the resulting events appear in the Windows Security Event Log. There are 9 categories:
- Audit account logon events—This category generates an event when a user attempts to log on to or log off from a computer using a domain account.
- Audit account management—This category audits the creation, change, renaming, or deletion of user accounts or groups. It also audits the setting or changing of a password.
- Audit directory service access—This category audits attempts by users to access AD objects. Each AD object to be monitored must have its System Access Control List (SACL) configured for auditing.
- Audit logon events—This category generates an event when a user attempts to log on to or log off from a computer using a local computer account.
- Audit object access—This category audits attempts by a user to access an object such as a file, folder, registry key, or printer. Each object to be monitored must have its SACL configured for auditing.
- Audit policy change—This category generates an event when a user attempts to change a user rights assignment policy, audit policy, or trust policy.
- Audit privilege use—This category audits attempts by users to exercise their assigned user rights.
- Audit process tracking—This category audits highly detailed tracking information about program activation, process exit, handle duplication, and indirect object access. This level of auditing is mostly used by developers and during deep troubleshooting.
- Audit system events—This category generates an event when a user restarts or shuts down a computer or attempts to modify system security or the security log.
Of the categories above, two require a SACL to be configured on the objects themselves before anything is audited: Audit directory service access and Audit object access. For both, every object to be audited must be configured individually. For a file, right-click it and choose Properties, open the Security tab, click Advanced, and on the Auditing tab use the dialog to specify which users and which access types should be audited.
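The same Auditing-tab configuration can be scripted. The following is an added example (not code from the original post) that writes an audit entry into the SACL of one file with PowerShell; the file path, the `Everyone` identity and the chosen rights are assumptions for the example.

```powershell
# Added example: script the Properties > Security > Advanced > Auditing steps
# for a single file. Assumes the file below exists and that the script runs
# elevated (writing a SACL requires the "Manage auditing and security log" right).
$path = 'C:\Sensitive\payroll.xlsx'   # assumed path, replace with a real one

# Audit rule: record Success and Failure for anyone who reads, writes or
# deletes the file. Identity and rights are assumptions for this example.
$identity = [System.Security.Principal.NTAccount]'Everyone'
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $flags)

# Get-Acl only reads the SACL when -Audit is given; without it AddAuditRule
# would be applied to an object that never loaded the existing audit entries.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show the SACL entries now on the file so the result can be checked.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

The SACL entry on its own produces nothing: events for it are only written to the Security log once the Audit object access category (or, on Windows Server 2008 and later, the File System subcategory) is enabled.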
Another problem with the 9 categories on versions before Windows Server 2008 is the lack of granularity an administrator needs. Enabling the Account management category enables auditing of every kind of account management activity. What if we only need to audit user account management and not computer account management?
With Windows Server 2008/2008 R2, the 9 categories above are broken down further into 50 audit policy subcategories. Subcategories allow precise control over which types of events are written to the Security Event Log.
We can list the subcategories by running the following from the command line: `auditpol.exe /get /category:*`
Unlike the older 9 categories, which are configured through Group Policy, the subcategories are configured with the command-line tool auditpol.exe, and this has to be done on each machine/server.
For example, to enable a specific subcategory from the command line, use the /subcategory switch. If we want to enable success and failure auditing only for the User account management and Computer account management subcategories of the Account management category, we run:
```
Auditpol /set /subcategory:"user account management" /success:enable /failure:enable
Auditpol /set /subcategory:"computer account management" /success:enable /failure:enable
```
We can verify the policy set from the command line as follows:
```
auditpol /get /category:"account management"
```
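The two steps above (setting the subcategories, then reading the policy back) can be combined into one script that also checks the result instead of leaving the verification to the eye. This is an added example, not code from the original post; it uses auditpol's `/r` switch, which prints the report as CSV, and assumes an elevated PowerShell prompt on Windows Server 2008 or later.

```powershell
# Added example: enable Success and Failure auditing for the two Account
# Management subcategories discussed above, then verify the effective setting
# by parsing auditpol's CSV report. Assumes an elevated PowerShell session.
$subcategories = @('User Account Management', 'Computer Account Management')

foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for '$sub' (exit code $LASTEXITCODE)"
    }
}

# /r produces CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting), which ConvertFrom-Csv turns into objects.
$report = auditpol.exe /get /category:'Account Management' /r | ConvertFrom-Csv

foreach ($sub in $subcategories) {
    $row = $report | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) {
        throw "Subcategory '$sub' not found in the auditpol report"
    }
    $setting = $row.'Inclusion Setting'
    if ($setting -ne 'Success and Failure') {
        Write-Warning "$sub is '$setting', expected 'Success and Failure'"
    } else {
        Write-Output "$sub : $setting"
    }
}
```

Because the subcategory settings are written locally by auditpol, a Group Policy that defines audit settings for the same machine will overwrite them at the next policy refresh; if the script reports a value other than the one just set, the domain policy is the first place to look.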
Hopefully this simple information is useful.
Credit: WSS-ID