Most larger companies will want to keep track of what the IT staff are doing to Active Directory. In particular, it is important to know who created, disabled and deleted accounts, or made changes to email or security groups.
- On a Domain Controller (or something with RSAT tools installed), launch the GROUP POLICY MANAGEMENT CONSOLE
- You can edit an existing policy or create a new GPO
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
- Expand each of the subcategories and set the feature as you see fit. Most people will want to set Audit User Account Management to audit both SUCCESS and FAILURE
That’s the hard part done but there are three more bits to consider:
- Either reboot the machines the GPO will be on or just run GPUPDATE /FORCE from an administrative command prompt
- You also might want to filter this audit GPO to just a few admins (unlikely but in the example below that is exactly what I did because the client only wanted to track a single admin… odd but true)
- You will likely want to increase the size of the Windows Security log. If you don't, it will fill up very quickly and the oldest entries will be overwritten automatically as new ones are added, which deletes your audit entries
When you are in Event Viewer > Windows Logs > Security, you can click on EVENT ID to sort the giant list, or you can right-click on SECURITY and filter it to any of these IDs:
- Event ID 4720 = user account was created
- Event ID 4722 = user account was enabled
- Event ID 4740 = user account was locked out
- Event ID 4725 = user account was disabled
- Event ID 4726 = user account was deleted
- Event ID 4738 = user account was changed
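One way to pull those same events out of the Security log with PowerShell instead of clicking through Event Viewer, as an added example that is not the post's own code; it assumes an elevated session on a domain controller where the GPO above has already applied:

```powershell
# Added example (not from the original post): list the account-management
# events described above and show who did what to whom.
# Assumes an elevated PowerShell session on a domain controller (or use
# -ComputerName on Get-WinEvent to query one remotely).

$eventIds = @{
    4720 = 'created'
    4722 = 'enabled'
    4725 = 'disabled'
    4726 = 'deleted'
    4738 = 'changed'
    4740 = 'locked out'
}

# Confirm the audit setting actually landed before trusting an empty result.
# The post recommends Success and Failure for this subcategory.
auditpol /get /subcategory:"User Account Management"

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$eventIds.Keys
    StartTime = (Get-Date).AddDays(-7)   # look back one week; adjust as needed
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event XML carries named fields: TargetUserName is the account
        # acted on, SubjectUserName is the admin (or service) that did it.
        # For 4740 the Subject is normally the DC itself and TargetDomainName
        # holds the name of the computer the bad logons came from.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = $eventIds[$_.Id]
            Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Because the Security log is the only place these events live, run this (or forward the log to a collector) before the log wraps, for the same reason the post tells you to enlarge it.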
See the screenshots above or leave us a comment if you have any concerns.
1 Comment
gralion torile · June 8, 2022 at 6:06 pm
Very interesting info! Perfect, just what I was looking for!