Step-By-Step: Enabling Advanced Security Audit Policy via Directory Services Access

Active Directory is one of the most security-critical services in an organization. Even small changes within an organization's AD can have a major business impact, so preventing unauthorized access and unplanned changes in an AD environment should be top of mind for every system administrator. Security threats change every day, and the default event logs are sometimes not enough to answer what went wrong. Microsoft addressed these requirements with Advanced Security Audit Policy, first offered in Windows Server 2008 R2. Advanced Security Audit Policy provides 53 options to tune auditing requirements and collect more granular information about infrastructure events. This post focuses specifically on the DS Access category, which covers Active Directory access and object modifications. Advanced Security Audit Policy has to be enabled via GPO, and because these settings concern domain controllers the policy should only target the Domain Controllers. It can be enabled via the Default Domain Controllers Policy found within AD.

[Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_1.png]

First, let's enable this GPO setting. This post uses Active Directory on Windows Server 2016. The steps are as follows:

  1. Log in to the server as a Domain Admin.
  2. Open the Group Policy Management editor via Server Manager > Tools > Group Policy Management.
  3. Expand Domain Controllers Policy.
  4. Right-click Default Domain Controllers Policy and select Edit...

     [Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_2.png]

  5. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.

     [Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_3.png]

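Once the GPO has been edited, the setting that matters is the effective audit policy on each domain controller, not the GPO object itself. The following PowerShell is an added example (not code from the original post) that refreshes Group Policy on a DC, reads the effective DS Access subcategories back with the built-in auditpol tool, and checks the one registry value that decides whether advanced subcategory settings win over legacy category settings. It assumes it is run in an elevated session on a domain controller that the Default Domain Controllers Policy applies to; the function names are my own.

```powershell
# Added example, not code from the original post: confirm on a domain
# controller that the DS Access subcategories configured in the GPO above are
# actually in effect. Run in an elevated PowerShell session on the DC.
# Assumption: the Default Domain Controllers Policy has been edited as described.

# Pull the latest policy so the check reflects the GPO, not a stale local state.
gpupdate /target:computer /force | Out-Null

function Get-DsAccessAuditState {
    # "auditpol /get ... /r" prints CSV with the columns
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
    auditpol /get /category:"DS Access" /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-AdvancedAuditPolicyWins {
    # Advanced subcategory settings only apply when legacy category settings are
    # not layered on top. The GPO option "Audit: Force audit policy subcategory
    # settings (Windows Vista or later) to override audit policy category
    # settings" writes this value; 1 means the subcategories win.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

$state = Get-DsAccessAuditState
$state | Format-Table -AutoSize

# Flag any DS Access subcategory the GPO did not turn on.
$off = $state | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($off) {
    Write-Warning ('Not audited: ' + ($off.Subcategory -join ', '))
}

if (-not (Test-AdvancedAuditPolicyWins)) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; legacy category settings may override these subcategories.'
}

# On a lab box without the GPO a subcategory can be set locally, e.g.
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
# but on a domain-joined DC the GPO re-applies at the next refresh and
# overwrites it, so the GPO described in the post is the setting that counts.
```

Expected output on a correctly configured DC is four subcategories (Directory Service Access, Directory Service Changes, Directory Service Replication, Detailed Directory Service Replication) with an Inclusion Setting other than "No Auditing" and no warnings. Running the same function from a scheduled job on every DC is a cheap way to catch the GPO being unlinked or overridden later.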
There are 4 subcategories found under DS Access. They are as follows:

  • Audit Detailed Directory Service Replication: This security policy setting can be used to generate security audit events with detailed tracking information about the data that is replicated between domain controllers. This audit subcategory can be useful for diagnosing replication issues. The following events will appear in the logs when it is enabled:

     Event ID   Event message
     4928       An Active Directory replica source naming context was established.
     4929       An Active Directory replica source naming context was removed.
     4930       An Active Directory replica source naming context was modified.
     4931       An Active Directory replica destination naming context was modified.
     4934       Attributes of an Active Directory object were replicated.
     4935       Replication failure begins.
     4936       Replication failure ends.
     4937       A lingering object was removed from a replica.

  • Audit Directory Service Access: This security policy setting determines whether the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed. These events are similar to the Directory Service Access events in previous versions of Windows Server. The following event will appear in the logs when it is enabled:

     Event ID   Event message
     4662       An operation was performed on an object.

  • Audit Directory Service Changes: This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are Create, Delete, Modify, Move and Undelete. Directory Service Changes auditing records the old and new values of the changed properties of the objects that were changed. The following events will appear in the logs when it is enabled:

     Event ID   Event message
     5136       A directory service object was modified.
     5137       A directory service object was created.
     5138       A directory service object was undeleted.
     5139       A directory service object was moved.
     5141       A directory service object was deleted.

  • Audit Directory Service Replication: This security policy setting determines whether the operating system generates audit events when replication between two domain controllers begins and ends. The following events will appear in the logs when it is enabled:

     Event ID   Event message
     4932       Synchronization of a replica of an Active Directory naming context has begun.
     4933       Synchronization of a replica of an Active Directory naming context has ended.

  • Each of these subcategories (for example Audit Directory Service Access and Audit Directory Service Changes) can be configured for both Success and Failure events. Double-click a subcategory to enable the audit events it covers.

     [Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_5.png]

     [Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_6.png]

    Once the GPO is applied, the new events are visible in the logs. For this example a new GPO was created under the IT OU, and the logs now show detailed information about that activity.

     [Screenshot: Enabling_Advanced_Security_Audit_Policy_via_DS Access_7.png]
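Reading the new events in Event Viewer works for a one-off check, but for day-to-day monitoring you want the Directory Service Access and Directory Service Changes events pulled out and flattened. The script below is an added example (not code from the original post or from Microsoft) that queries a domain controller's Security log for the event IDs listed in the tables above, extracts the named EventData fields from each event's XML, and pairs the old and new value of a 5136 modification. One caveat worth knowing before relying on it: turning the subcategory on in the GPO is only half the configuration, because 4662 and 5136 through 5141 are generated only for operations that match an entry in the target object's SACL (the Auditing tab in Active Directory Users and Computers or ADSI Edit), so an object with no matching SACL entry produces no event even with the subcategory enabled. The DC name is a placeholder and the function name is my own.

```powershell
# Added example, not code from the original post: collect the DS Access events
# listed above from a domain controller's Security log and flatten them into
# objects with the fields an analyst needs (who, which object, which attribute,
# which value, add or delete). Assumptions: the account running this can read
# the DC's Security log; 'DC01' is a placeholder name.

$DomainController = 'DC01'          # placeholder, replace with a real DC
$Since = (Get-Date).AddHours(-24)

# Event IDs from the Directory Service Access and Directory Service Changes
# subcategories described in the post.
$DsAccessIds = 4662, 5136, 5137, 5138, 5139, 5141

function ConvertTo-DsAccessRecord {
    param(
        [Parameter(ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Event
    )
    process {
        # Named EventData fields live in the event XML; index them by name.
        $xml  = [xml] $Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 5136 reports a changed value as a pair: %%14675 (value deleted) for
        # the old value and %%14674 (value added) for the new one, sharing an
        # OpCorrelationID. 4662 carries its own operation codes in the same field.
        $operation = switch ($data['OperationType']) {
            '%%14674' { 'ValueAdded' }
            '%%14675' { 'ValueDeleted' }
            default   { $data['OperationType'] }
        }

        # 5139 (move) has Old/NewObjectDN instead of ObjectDN; 4662 uses ObjectName.
        $dn = $data['ObjectDN']
        if (-not $dn) { $dn = $data['NewObjectDN'] }
        if (-not $dn) { $dn = $data['ObjectName'] }

        [pscustomobject]@{
            Time          = $Event.TimeCreated
            EventId       = $Event.Id
            Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectDN      = $dn
            ObjectClass   = $data['ObjectClass']
            Attribute     = $data['AttributeLDAPDisplayName']
            Value         = $data['AttributeValue']
            Operation     = $operation
            CorrelationId = $data['OpCorrelationID']
        }
    }
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = $DsAccessIds
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Replication and DC machine-account activity usually dominates 4662; drop
# computer accounts (names ending in $) to see what people and service accounts did.
$records = $events | ConvertTo-DsAccessRecord | Where-Object { $_.Subject -notmatch '\$$' }

# Old and new value of one attribute change share a correlation id and attribute.
$records | Where-Object EventId -eq 5136 |
    Group-Object CorrelationId, Attribute |
    ForEach-Object {
        $old = ($_.Group | Where-Object Operation -eq 'ValueDeleted').Value
        $new = ($_.Group | Where-Object Operation -eq 'ValueAdded').Value
        [pscustomobject]@{
            Time      = $_.Group[0].Time
            Subject   = $_.Group[0].Subject
            ObjectDN  = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].Attribute
            OldValue  = $old
            NewValue  = $new
        }
    } | Format-Table -AutoSize

# Creates, deletes, moves, undeletes and 4662 object access in one list.
$records | Where-Object EventId -ne 5136 |
    Sort-Object Time |
    Format-Table Time, EventId, Subject, ObjectDN, ObjectClass, Operation -AutoSize
```

For the GPO change made in the post's example, the first table shows the administrator's account, the DN of the new group policy container under the IT OU, and the attributes that were written, with their before and after values; the second table shows the matching 5137 create event. The same records can be forwarded to a SIEM as objects instead of raw XML.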