Configure Active Directory Object Level Auditing

There are specific events that do not generate an audit log entry until object level auditing is enabled.

Entralyzer Reports that require object level auditing

• Moved users
• Moved groups
• Moved computers
• Deleted GPOs
• GPO Link Changes
• Created OUs
• Deleted OUs

How to Enable Object Level Auditing

Advanced Features must be enabled in ADUC to complete the steps. Click on “View” and then “Advanced Features”.

Step 1. Open ADUC, right click on your domain and select properties.

Step 2. Click on “Security”

Step 3. Click on “Advanced”

Step 4. Click on “Auditing”

Step 5. Click on “Add”

Step 6. Click on “Select a Principal”

Step 7. Type Everyone, click “Check Names” and click “OK”.

Note

This does not effect the Security of Active Directory and does not grant Everyone access. What this does is ensures an audit log event is created when a user that has permissions modifies specific objects in Active Directory.

Step 8. Ensure Type = Success and Appplies to = This object and all descent objects

Step 9. Set the following Permissions:

1. Write All Properties
2. Delete
3. Modify Permissions
4. All Extended Rights
5. Create user objects
6. Delete user objects
7. Create Group objects
8. Delete Group objects
9. Create computer objects
10. Delete computer objects
11. Create Organizational Unit objects
12. Delete Organizational Unit objects
13. Create groupPolicyContainer Objects
14. Delete groupPolicyContainer Objects

Example screenshot