Active Directory is one of the more impactful services within an organization from a security perspective. Even small changes within an organization's AD can cause a major business impact, so preventing unauthorized access and unplanned changes in an AD environment should be top of mind for any system administrator. Security threats change every day, and the default event logs are sometimes not enough to answer what has gone wrong. Microsoft addressed these modern requirements with the introduction of Advanced Security Audit Policy, first offered in Windows Server 2008 R2. Advanced Security Audit Policy provides 53 options to tune auditing requirements and collect more granular information about infrastructure events. This post focuses specifically on the DS Access category, which covers Active Directory access and object modifications. Advanced Security Audit Policy needs to be enabled via GPO, and since the DS Access subcategories only generate events on domain controllers, the policy should only target the Domain Controllers. This can be enabled via the Default Domain Controllers Policy found within AD.
First, let's enable this GPO setting. This post uses Active Directory offered via Windows Server 2016. The steps are as follows:
Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
There are 4 subcategories found under DS Access. They are as follows:

Audit Detailed Directory Service Replication

| Event ID | Event message |
|---|---|
| 4928 | An Active Directory replica source naming context was established. |
| 4929 | An Active Directory replica source naming context was removed. |
| 4930 | An Active Directory replica source naming context was modified. |
| 4931 | An Active Directory replica destination naming context was modified. |
| 4934 | Attributes of an Active Directory object were replicated. |
| 4935 | Replication failure begins. |
| 4936 | Replication failure ends. |
| 4937 | A lingering object was removed from a replica. |

Audit Directory Service Access

| Event ID | Event message |
|---|---|
| 4662 | An operation was performed on an object. |

Audit Directory Service Changes

| Event ID | Event message |
|---|---|
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |

Audit Directory Service Replication

| Event ID | Event message |
|---|---|
| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |
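To verify on a domain controller that the policy took effect and to group the resulting Security log events by subcategory, here is an added PowerShell example that is not part of the original post. It assumes an elevated session on a DC, the standard subcategory names for the four tables above, and the EventData field names (SubjectUserName, ObjectDN, ObjectName, AttributeLDAPDisplayName) that these events carry.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on a domain controller after the GPO has applied (gpupdate /force).

# 1. Confirm the effective setting of the four DS Access subcategories.
#    Each line should show Success, Failure or "Success and Failure"
#    rather than "No Auditing".
auditpol /get /category:"DS Access"

# 2. Map each event ID from the tables above to its subcategory (assumed
#    standard names) so log hits can be grouped.
$subcategories = @{
    'Detailed Directory Service Replication' = 4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937
    'Directory Service Access'               = 4662
    'Directory Service Changes'              = 5136, 5137, 5138, 5139, 5141
    'Directory Service Replication'          = 4932, 4933
}
$idToSubcategory = @{}
foreach ($entry in $subcategories.GetEnumerator()) {
    foreach ($id in @($entry.Value)) { $idToSubcategory[[int]$id] = $entry.Key }
}

# 3. Pull matching events from the Security log for the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$idToSubcategory.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4. Flatten the EventData XML so the actor and target object are visible.
#    5136-5141 carry ObjectDN; 4662 carries ObjectName instead.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Subcategory = $idToSubcategory[$e.Id]
        Subject     = $data['SubjectUserName']
        Object      = $(if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['ObjectName'] })
        Attribute   = $data['AttributeLDAPDisplayName']
    }
}

# 5. Count of events per subcategory, then the most recent change events.
$rows | Group-Object Subcategory | Select-Object Name, Count
$rows | Where-Object Subcategory -eq 'Directory Service Changes' |
    Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

If auditpol reports "No Auditing" for a subcategory, the GPO has not applied to that DC yet, and no events from the corresponding table will appear regardless of what the query returns.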