Active Directory is one of the most security-sensitive services within an organization. Even small changes within an organization's AD can cause a major business impact, so preventing unauthorized access and unplanned changes in an AD environment should be top of mind for any system administrator. Security threats change every day, and sometimes the default event logs are not enough to answer what has gone wrong. Microsoft addressed these requirements with the introduction of Advanced Security Audit Policy, first offered in Windows 2008 R2. Advanced Security Audit Policy provides 53 options to tune auditing and to collect more granular information about infrastructure events. This post focuses specifically on the DS Access category, which covers Active Directory access and object modifications. Advanced Security Audit Policy needs to be enabled via GPO, and because DS Access events are generated on domain controllers, the policy should target only the Domain Controllers OU. This can be done through the Default Domain Controllers Policy found within AD.
First, let's enable this GPO setting. This post uses Active Directory on Windows Server 2016. The steps are as follows:
- Log in to the server as a Domain Admin
- Open the Group Policy Management console via Server Manager > Tools > Group Policy Management
- Expand the Domain Controllers OU
- Right-click Default Domain Controllers Policy and select Edit...
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
There are 4 subcategories under DS Access. They are as follows:
- Audit Detailed Directory Service Replication: This security policy setting generates security audit events with detailed tracking information about the data that is replicated between domain controllers. This subcategory is useful for diagnosing replication issues. The following events appear in the Security log when it is enabled:

| Event ID | Event message |
|---|---|
| 4928 | An Active Directory replica source naming context was established. |
| 4929 | An Active Directory replica source naming context was removed. |
| 4930 | An Active Directory replica source naming context was modified. |
| 4931 | An Active Directory replica destination naming context was modified. |
| 4934 | Attributes of an Active Directory object were replicated. |
| 4935 | Replication failure begins. |
| 4936 | Replication failure ends. |
| 4937 | A lingering object was removed from a replica. |
- Audit Directory Service Access: This security policy setting determines whether the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed. These events are similar to the Directory Service Access events in previous versions of Windows Server. The following event appears in the Security log when it is enabled:

| Event ID | Event message |
|---|---|
| 4662 | An operation was performed on an object. |
- Audit Directory Service Changes: This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes reported are Create, Delete, Modify, Move and Undelete. Directory Service Changes auditing records the old and new values of the changed properties of the objects that were changed. The following events appear in the Security log when it is enabled:

| Event ID | Event message |
|---|---|
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |
- Audit Directory Service Replication: This security policy setting determines whether the operating system generates audit events when replication between two domain controllers begins and ends. The following events appear in the Security log when it is enabled:

| Event ID | Event message |
|---|---|
| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |
- Audit Directory Service Access and Audit Directory Service Changes: each of these subcategories can be configured for both Success and Failure events. Double-click each subcategory to enable the audit events you want.
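Once the Default Domain Controllers Policy has been edited as described above, it is worth confirming on a domain controller that the settings actually took effect. The following PowerShell is an added example, not code from the original post. It reads the effective DS Access settings with `auditpol`, then inspects the SACL on the domain naming context, because the Directory Service Access and Directory Service Changes subcategories only produce 4662 and 5136-5141 for objects whose SACL contains a matching audit entry; enabling the subcategory alone keeps the log silent. The `Add-DomainWriteAudit` function and the Everyone/WriteProperty rule it adds are an example choice for a lab, not a setting the post prescribes.

```powershell
# Added example (not from the original post). Run on a domain controller as a
# Domain Admin after the GPO change. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# 1. Refresh policy and read the effective setting for each DS Access
#    subcategory. "auditpol /r" emits CSV, which ConvertFrom-Csv turns into objects.
gpupdate /target:computer /force | Out-Null
$dsAccess = auditpol /get /category:"DS Access" /r | ConvertFrom-Csv
$dsAccess | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

$missing = $dsAccess | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($missing) {
    Write-Warning ('Not audited: ' + ($missing.Subcategory -join ', '))
}

# 2. Inspect the SACL on the domain root. The subcategory can be on, but without
#    matching audit entries on the object no 4662/5136-5141 events are written.
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn" -Audit
if ($acl.Audit.Count -eq 0) {
    Write-Warning "No SACL entries on $domainDn; change auditing will stay silent."
}
$acl.Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize

# 3. Example SACL entry: audit successful property writes by anyone, inherited by
#    every object under the domain root. This is a lab-style choice; it can be
#    noisy on a busy domain, so call it deliberately and scope it to your needs.
function Add-DomainWriteAudit {
    param([string] $Path = "AD:\$domainDn")

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $current = Get-Acl -Path $Path -Audit
    $current.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $current
}

# Uncomment to apply the example rule:
# Add-DomainWriteAudit
```

Step 1 is the quickest way to tell a GPO that did not apply from a GPO that applied but is filtered by the SACL: if `auditpol` already shows "Success and Failure" for Directory Service Changes and you still see no 5136 events after modifying a test object, the SACL in step 2 is the place to look.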
Once the GPO is applied, the new events are visible in the Security log. For this example a new GPO was created under the IT OU, and the log now shows detailed information about that activity.
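To make use of those events beyond scrolling Event Viewer, the following PowerShell, an added example that is not part of the original post, pulls the Directory Service Changes events (5136-5141, listed above) from a DC's Security log and flattens the EventData fields a responder usually wants: who made the change, which object, which attribute and which value. It also pairs up the two 5136 events that one attribute modification produces (a Delete of the old value and an Add of the new value, sharing `OpCorrelationID`), which is how the "old and new values" mentioned above are reconstructed. It assumes you can read the Security log on the DC; the field names are the standard ones for these event IDs, and the `%%14674` / `%%14675` resource strings are how 5136 encodes value added / value deleted.

```powershell
# Added example (not from the original post). Flattens DS Access change events
# from a DC's Security log into objects that are easy to filter and export.
function Get-DsChangeEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $StartTime    = (Get-Date).AddHours(-24),
        [int[]]    $Id           = @(5136, 5137, 5138, 5139, 5141)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every field lives in <EventData><Data Name="...">; index them by name.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

            # 5136 carries OperationType as a resource string id:
            # %%14674 = value added, %%14675 = value deleted.
            $op = switch ($d.OperationType) {
                '%%14674' { 'Add' }
                '%%14675' { 'Delete' }
                default   { $null }
            }
            # 5139 (move) reports OldObjectDN/NewObjectDN instead of ObjectDN.
            $dn = if ($d.ObjectDN) { $d.ObjectDN } else { $d.NewObjectDN }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Subject     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                ObjectDN    = $dn
                ObjectClass = $d.ObjectClass
                Attribute   = $d.AttributeLDAPDisplayName
                Value       = $d.AttributeValue
                Operation   = $op
                Correlation = $d.OpCorrelationID
            }
        }
}

# One attribute modification is logged as a Delete of the old value followed by
# an Add of the new value, both sharing OpCorrelationID. Pair them so each row
# reads "old -> new" for the object and attribute. Adds to multi-valued
# attributes (e.g. group membership) have no Delete half, so OldValue stays empty.
function Show-DsAttributeChange {
    param([Parameter(ValueFromPipeline)] [object] $InputEvent)
    begin   { $buffer = New-Object System.Collections.Generic.List[object] }
    process { if ($InputEvent.Id -eq 5136) { $buffer.Add($InputEvent) } }
    end {
        $buffer | Group-Object Correlation | ForEach-Object {
            $old   = ($_.Group | Where-Object Operation -eq 'Delete' | Select-Object -First 1).Value
            $new   = ($_.Group | Where-Object Operation -eq 'Add'    | Select-Object -First 1).Value
            $first = $_.Group[0]
            [pscustomobject]@{
                Time      = $first.Time
                Subject   = $first.Subject
                ObjectDN  = $first.ObjectDN
                Attribute = $first.Attribute
                OldValue  = $old
                NewValue  = $new
            }
        }
    }
}

# Usage: the last 24 hours of changes, then the reconstructed old/new view.
Get-DsChangeEvent | Format-Table Time, Id, Subject, ObjectDN, Attribute, Operation, Value -AutoSize
Get-DsChangeEvent | Show-DsAttributeChange | Format-Table -AutoSize
```

Because the function emits ordinary objects, the same output can be piped to `Export-Csv` for a ticket or filtered on `ObjectClass` (for example `groupPolicyContainer` to catch the GPO creation from the example above, or `group` to watch membership changes) before it reaches a SIEM.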