Set audit permissions in the AD object SACLs
After activating the audit policies you must set the audit permissions for AD objects (SACL) accordingly.
The user right "Manage auditing and security log" is required for the configuration of the SACL (this corresponds to the privilege "SeSecurityPrivilege"). You must be a member of the "event log reader" or domain admin group.
The configuration of the SACL is only required for one of the domain controllers. All other DCs receive the configuration via replication.
Start the management of Active Directory users and computers on a DC by opening
Activate the option "Advanced Features".
Select the domain that you want to monitor by right-clicking on it and selecting "Properties".
In the properties window, select the tab "Security" and then click on "Advanced".
Select the tab "Auditing".
Analyze the existing access rights. Perhaps the required permissions already exist.
If required, expand the access rights of an existing "Everyone" principal or add the desired entry.
At minimum, the following is required:
- Principal: "Everyone"
- Type: "All"
- Apply to: "This object and all descendant objects"
- Write all properties
- Delete subtree
- Modify permissions
- Create all child objects
- Delete all child objects