Active Directory Monitoring - GPO

    Question

  • I am trying to set up security audits for when user accounts are created, deleted or modified within Active Directory, but I can't get it to work properly.

    Steps I have done..

    Within GPO Management:

    1.  Edit Default Domain Controller Policy
    2. Computer configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
    3. Enabled Audit Account login events, enabled Account management, enabled Directory Service Access.
    4. Made sure success and failure events were applied.

    Ran gpupdate /force, created an AD account, deleted an AD account. Looked in the security audit logs in the Event Viewer... don't see any instance.




    Brian Clanton

    Tuesday, March 1, 2016 12:07 AM

Answers

  • Hi,

    Thanks for your post.

    Please try to enable the setting below and check if the issue persists.

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management

    Configure: Audit User Account Management Success and Failure

    Besides, you could also try to create a new GPO, enable the necessary policies and link it to the domain. After that, create a new account and check if you can find the related event on the DC.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 1, 2016 5:34 AM
    Moderator
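
    One way to check the outcome of the answer above on a domain controller, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the DC; the 24-hour window and the `$Computers` variable are choices made for this example.

```powershell
# Added example. Run elevated on a domain controller.

# 1. Effective audit policy for the subcategory named in the answer.
#    After the GPO applies, the setting should read "Success and Failure".
auditpol /get /subcategory:"User Account Management"

# 2. User account lifecycle events in the Security log:
#    4720 = account created, 4726 = account deleted, 4738 = account changed.
$ids   = @{ 4720 = 'Created'; 4726 = 'Deleted'; 4738 = 'Changed' }
$since = (Get-Date).AddHours(-24)          # example window, adjust as needed

# The event is written on the DC that processed the change, so in a
# multi-DC domain list every DC here (assumption: local machine only).
$Computers = @($env:COMPUTERNAME)

foreach ($computer in $Computers) {
    $filter = @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since }
    Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $ids[$_.Id]
                Target = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                DC     = $_.MachineName
            }
        }
} | Sort-Object Time | Format-Table -AutoSize
```

    If step 1 still shows "No Auditing" after gpupdate, the policy has not reached this DC; if it shows "Success and Failure" but step 2 returns nothing, the test account was probably created against a different DC.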

All replies

  • I hope the steps given above help you get the issue resolved.

    Here is another informative article which covers the steps to enable Active Directory security auditing and track every critical event in real time: https://community.spiceworks.com/how_to/123099-how-to-enable-active-directory-security-auditing



    Tuesday, March 1, 2016 9:23 AM
  • Thank You.

    Got this working.


    Brian Clanton

    Monday, March 7, 2016 10:35 PM
  • Hi,

    Thanks for your reply. I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Tuesday, March 8, 2016 2:15 AM
    Moderator