AD Auditing log location

    Question

  • I enabled AD auditing... then went to find out how to read the log so I know if it is working... Where is it? Is it logged just on one DC, or do the audits replicate or get reported to every DC? We have 15 DCs, so I am trying to find a way to find who makes certain changes. I know there are a number of third-party tools, but for the moment I am interested in what can be done with the AD infrastructure already in place.

    TIA

    Dan


    Thanks!

    Friday, January 27, 2017 3:27 PM

Answers

  • Security logs are not replicated between domain controllers. So, you will need to look at the domain controller the user is authenticated to in order to view any changes/etc they make. 

    If you would like to replicate events to all DCs, you could copy the files in "%SystemRoot%\System32\Winevt\Logs" to a shared folder or DFSR folder so that they could be accessed by other DCs or replicated to other DCs.

    I know you mentioned not using 3rd party tools. However, if you change your mind, ADAuditPlus from ManageEngine is really good for this purpose. 


    Cheers,

    Ryan

    Microsoft Server Engineer

    Please remember to mark the replies as answers if they help.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by FatalXcept10n Friday, January 27, 2017 5:33 PM
    Friday, January 27, 2017 3:45 PM
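
Because each DC keeps its own Security log, one way to search all of them with built-in tooling is to query every DC in turn. The PowerShell below is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT), remote read access to each DC's Security log, and that directory service change auditing is the auditing that was enabled. The 30-day window and the variable names are assumed values.

```powershell
# Added example (not from the thread). $Since and $Ids are assumed values.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)   # assumed look-back window
$Ids   = 5136, 5137, 5139, 5141    # DS object modified / created / moved / deleted

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    try {
        # The oldest record shows how far back this DC's log reaches before rollover
        $oldest = Get-WinEvent -ComputerName $name -LogName Security -MaxEvents 1 -Oldest -ErrorAction Stop
        Write-Host "$name : Security log starts at $($oldest.TimeCreated)"

        $events = Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Ids; StartTime = $Since
        }
    }
    catch {
        # "No events found" also lands here; report it and move on to the next DC
        Write-Warning "$name : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a lookup table
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $name
            EventId     = $e.Id
            Who         = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ObjectDN    = $d['ObjectDN']
            Attribute   = $d['AttributeLDAPDisplayName']   # populated on 5136 only
            Value       = $d['AttributeValue']
        }
    }
}

# One merged, time-ordered view across all DCs
$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The "Security log starts at" line matters for old changes: if a DC's log has already rolled over past the date of the change, the event is no longer there to find.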

All replies

  • I was afraid that was the answer. The problem is that we have six people in the company who are admins, and one of two of them will make a random change or two every few months - and if it is one of those two, we can't do anything about them anyway.... Unfortunately it's not worth the money for a 3rd party solution, and at the same rate, we would have to find a change that happened at some indeterminate time in the past, by an admin who might have authenticated to any one of 17 domain controllers... and we might have to find out if this is a months-old change or something that has been in place for substantially longer that we are just now finding out about... Thanks though, at least I know what I'm dealing with for auditing. Now if only our admins would be so amenable!

    Thanks!

    Friday, January 27, 2017 4:26 PM
  • Glad I could clear things up. Remember to mark my reply as answer if you see fit. Thanks!

    Cheers,

    Ryan

    Microsoft Server Engineer

    Friday, January 27, 2017 4:51 PM