Configure audit policies for the domain controllers (DC)
To access AD Logga functionality, activate specific audit policies.
To change your audit policy, you must be a member of the appropriate domain admin or organization admin group.
See the following sections for more information.
Configure audit policies for DCs running Windows Server 2008
Before you configure the audit policies, verify that all required categories are activated.
You can enable the required audit policies by running the following commands, with administrator rights, on every domain controller. Repeat this process for all domain controllers.
Monitor policy changes
auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable
Directory service changes
auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable
Manage user accounts
auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable
Manage computer accounts
auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable
Manage security groups
auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable
Manage distribution groups
auditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030} /success:enable
Manage application groups
auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable
Other account management events
auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable
Configure audit policies for DCs running Windows Server 2008 R2 or higher
You can use the Group Policy editor to manage the audit policy on Windows Server 2008 R2 or higher. You only need to implement the policy once, rather than repeating it on every domain controller.
Activating the audit policy may be delayed on the domain controllers, depending on your replication interval.
Once you complete these settings, perform the following procedures:
- Complete a manual policy update with the command gpupdate /force
- Verify the audit policy settings
1. Open the Group Policy Management Console: open a Run window and run the following command:
   gpmc.msc
   (Screenshot property of © 2020 Microsoft)
2. In the Group Policy Management console, create a new group policy.
   (Screenshot property of © 2020 Microsoft)
3. Select the organizational unit (OU) where the computer accounts are located. By default, they are located in the OU called Domain Controllers.
4. Ensure that the new policy is applied to the appropriate domain controllers (hierarchy and order). The order in which you set the options affects whether the policy takes effect; follow the order explained here.
5. Select the new group policy by right-clicking the policy and selecting Edit.
   (Screenshot property of © 2020 Microsoft)
6. Enable the security policy.
   (Screenshot property of © 2020 Microsoft)
   a. Navigate to Security Options.
   b. Double-click the following policy: Audit: Force audit policy subcategory settings...
   c. Enable the security policy as shown above, and then click OK.
   The order in which you set the options affects whether the policy takes effect; follow the order explained here.
7. Activate the audit.
   (Screenshot property of © 2020 Microsoft)
   a. Navigate to Account Management.
   b. Select all subcategories using multi-select, right-click, and select Properties.
   c. In the Properties for Multiple Items window, select the highlighted checkboxes, click Apply, and then click OK.
8. Configure the audit directory service changes.
   (Screenshot property of © 2020 Microsoft)
   a. Navigate to DS Access.
   b. Under Subcategory, double-click Audit Directory Service Changes.
   c. In the Audit Directory Service Changes Properties window, activate the audit as shown above.
   d. Click Apply, and then click OK.
9. Configure the audit directory service access.
   (Screenshot property of © 2020 Microsoft)
   a. Select DS Access.
   b. Under Subcategory, double-click Audit Directory Service Access.
   c. In the Audit Directory Service Access Properties window, select the options as shown above.
   d. Click Apply, and then click OK.
10. Configure the Audit Audit Policy Change properties.
   a. Select Policy Change.
   b. Under Subcategory, double-click Audit Audit Policy Change.
   c. In the Audit Audit Policy Change Properties window, activate the audit as shown above.
   d. Click Apply, and then click OK.
11. Manually update the policy: open a Run window and run the following command:
   gpupdate /force
Configure the AD Logga disk space
The database requires approximately 0.57 MB of storage space for every 1000 events. By default, AD Logga stores all events for 30 days.
You can determine how long scan and AD Logga data are stored. This affects the size of your database and the required disk storage. See Configure storage of scan settings for instructions.
Set the size of the Windows event log
To ensure that events are not lost, configure the maximum size of the Security event log. With the audit policy settings above, the storage requirement is approximately 1 KB per event.
Example: Collector server selected for AD Logga
For a collector server outage or maintenance window of one hour, at approximately 1000 events per hour, the absolute minimum Security event log size would be 1 MB. Given the low storage cost of 1000 events, the uncertainty of outage durations, and the potential relevance of individual security events, SolarWinds recommends that you ensure adequate storage space is available.
For more information about recovery mode, see the article Set Maximum Log Size. (© 2020 Microsoft, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748849(v=ws.11), obtained on January 29, 2020)
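The sizing rule above (about 1 KB per event, multiplied by the event rate and the longest collector outage you plan for) can be turned into a repeatable check. The following PowerShell script is an added example and is not part of the SolarWinds ARM documentation; the function names, the default event rate of 1000 events per hour and the headroom factor of 10 are assumptions, and the current size is read with Get-WinEvent -ListLog and applied with wevtutil sl, which is the same setting the linked Microsoft article describes. Run it in an elevated PowerShell session on the domain controller.

```powershell
# Added example; not part of the SolarWinds ARM documentation.
# Sizes the Security event log from the rule of thumb in the text
# (approximately 1 KB per audited event) and the expected event rate and
# collector outage window, then applies the value with wevtutil.

function Get-RecommendedSecurityLogSize {
    param(
        [long]$EventsPerHour   = 1000,  # expected audit event rate (assumed; measure your own DC)
        [double]$OutageHours   = 1,     # longest collector outage or maintenance window you plan for
        [long]$BytesPerEvent   = 1KB,   # from the documentation: about 1 KB per audited event
        [double]$HeadroomFactor = 10    # multiplier over the absolute minimum (assumed)
    )
    $minimum = [long]($EventsPerHour * $OutageHours * $BytesPerEvent)
    # Event log sizes are managed in 64 KB units; round the recommendation up.
    $recommended = [long]([math]::Ceiling(($minimum * $HeadroomFactor) / 64KB) * 64KB)
    [pscustomobject]@{
        AbsoluteMinimumBytes = $minimum
        RecommendedBytes     = $recommended
        RecommendedMB        = [math]::Round($recommended / 1MB, 2)
        CurrentBytes         = (Get-WinEvent -ListLog Security).MaximumSizeInBytes
    }
}

function Set-SecurityLogMaximumSize {
    # Raises the Security log maximum size; never shrinks it. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][long]$Bytes)
    $current = (Get-WinEvent -ListLog Security).MaximumSizeInBytes
    if ($Bytes -le $current) {
        Write-Verbose "Security log is already $current bytes (>= $Bytes); nothing to do."
        return $current
    }
    if ($PSCmdlet.ShouldProcess('Security event log', "raise maximum size from $current to $Bytes bytes")) {
        # wevtutil set-log: /ms = maximum log size in bytes
        wevtutil sl Security "/ms:$Bytes"
        if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    }
    # Return the effective value so the caller can verify the change
    (Get-WinEvent -ListLog Security).MaximumSizeInBytes
}

# Usage: with the figures from the text (1000 events/hour, 1 hour outage) the
# absolute minimum is about 1 MB; the default headroom raises that to roughly 10 MB.
# $size = Get-RecommendedSecurityLogSize -EventsPerHour 1000 -OutageHours 1
# Set-SecurityLogMaximumSize -Bytes $size.RecommendedBytes -WhatIf
```

The headroom factor is deliberately a parameter: the text's 1 MB figure is the absolute minimum for a one-hour outage, and a log that small is overwritten as soon as the collector is unreachable for longer than planned, so pick the factor from your own outage history rather than from the default used here.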
Verify the audit policy settings
You can verify the effectiveness of audit policies by starting the command prompt with administrator rights and entering one of the commands listed below.
English servers
auditpol /get /category:"policy change,account management,ds access"
All languages
auditpol /get /category:*
The marked subcategories must be set to Success or Failure, as shown below.
(Screenshots property of © 2020 Microsoft)
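The auditpol commands in the Windows Server 2008 section and the verification commands in this section both work by subcategory; because auditpol /get /category:* /r returns CSV that includes each subcategory's GUID, the check can be done by GUID rather than by the localized names, which is what makes the "All languages" form usable in a script. The following PowerShell is an added example and is not part of the SolarWinds ARM documentation: the function names are assumptions, the GUIDs are the ones listed in the 2008 section, the Directory Service Access GUID ({0CCE923B-...}) is the standard Windows value because the documentation configures that subcategory only through Group Policy, and the remediation function issues the same auditpol /set ... /success:enable commands the documentation lists. Run it in an elevated PowerShell session on each domain controller.

```powershell
# Added example; not part of the SolarWinds ARM documentation.
# Reports whether every subcategory AD Logga needs is auditing Success on this
# domain controller and can enable the missing ones with the documented
# "auditpol /set /subcategory:{GUID} /success:enable" command.

# Subcategory GUIDs from the documentation. Directory Service Access is not
# listed there by GUID; the value below is the standard Windows GUID
# (assumption: it is wanted, as the Group Policy procedure configures it).
$AdLoggaSubcategories = [ordered]@{
    'Audit Policy Change'             = '{0CCE922F-69AE-11D9-BED3-505054503030}'
    'Directory Service Changes'       = '{0CCE923C-69AE-11D9-BED3-505054503030}'
    'Directory Service Access'        = '{0CCE923B-69AE-11D9-BED3-505054503030}'
    'User Account Management'         = '{0CCE9235-69AE-11D9-BED3-505054503030}'
    'Computer Account Management'     = '{0CCE9236-69AE-11D9-BED3-505054503030}'
    'Security Group Management'       = '{0CCE9237-69AE-11D9-BED3-505054503030}'
    'Distribution Group Management'   = '{0CCE9238-69AE-11D9-BED3-505054503030}'
    'Application Group Management'    = '{0CCE9239-69AE-11D9-BED3-505054503030}'
    'Other Account Management Events' = '{0CCE923A-69AE-11D9-BED3-505054503030}'
}

function Get-AdLoggaAuditPolicyStatus {
    # Returns one object per required subcategory with its effective setting.
    [CmdletBinding()]
    param(
        # auditpol localizes its text; on a non-English server pass the word that
        # server prints for "Success" (for example 'Erfolg' on a German server).
        [string]$SuccessPattern = 'Success'
    )
    # /r gives CSV. Column names are localized too, so assign our own header and
    # keep only rows whose 4th field is a GUID (drops the header and blank lines).
    $rows = auditpol /get /category:* /r |
            ConvertFrom-Csv -Header 'Machine', 'Target', 'Subcategory', 'Guid', 'Inclusion', 'Exclusion' |
            Where-Object { $_.Guid -match '^\{[0-9A-Fa-f-]+\}$' }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed with exit code $LASTEXITCODE (run as administrator)."
    }
    foreach ($name in $AdLoggaSubcategories.Keys) {
        $guid = $AdLoggaSubcategories[$name]
        $row  = $rows | Where-Object { $_.Guid -eq $guid } | Select-Object -First 1
        $setting = if ($row) { $row.Inclusion } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Guid        = $guid
            Setting     = $setting
            Compliant   = [bool]($setting -match $SuccessPattern)
        }
    }
}

function Enable-AdLoggaAuditPolicy {
    # Enables Success auditing for every required subcategory that is not
    # compliant, using the documented auditpol command. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SuccessPattern = 'Success')
    $missing = Get-AdLoggaAuditPolicyStatus -SuccessPattern $SuccessPattern |
               Where-Object { -not $_.Compliant }
    foreach ($item in $missing) {
        if ($PSCmdlet.ShouldProcess($item.Subcategory, 'auditpol /set /success:enable')) {
            auditpol /set "/subcategory:$($item.Guid)" /success:enable | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($item.Subcategory)" }
        }
    }
    # Re-read so the caller sees the effective state after the change
    Get-AdLoggaAuditPolicyStatus -SuccessPattern $SuccessPattern
}

# Usage on the local DC: report first, then a dry run of the remediation.
# Get-AdLoggaAuditPolicyStatus | Format-Table -AutoSize
# Enable-AdLoggaAuditPolicy -WhatIf
```

On domain controllers managed through the Group Policy procedure, a subcategory that this report shows as non-compliant usually means the policy has not replicated yet or the Force audit policy subcategory settings option was not enabled first, so check those before running the remediation; a local auditpol /set on such a server is overwritten at the next policy refresh. To run the report on every domain controller at once, the functions can be passed to Invoke-Command with the host names returned by Get-ADDomainController (ActiveDirectory module required; assumed to be available).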