Active Directory Audit Policies and Event Viewer

  • Create Date May 23, 2023
  • Last Updated May 23, 2023

Active Directory Audit Policies are settings that allow you to monitor and track changes and activities in your Active Directory environment. Event Viewer is a tool that displays the events that are logged by Windows and other applications. You can use Event Viewer to view and analyze the audit events generated by the audit policies.

There are two types of audit policies: basic and advanced. Basic audit policies are the legacy audit settings that apply to the whole system and have nine categories, such as Account Logon, Account Management, Directory Service Access, etc. Advanced audit policies are the newer audit settings that provide more granular control and have 10 categories with 53 subcategories, such as DS Access, Logon/Logoff, Object Access, etc.

To use advanced audit policies, you need to enable the Group Policy setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". You can configure advanced audit policies by using Active Directory or local group policies, or by using the command-line tool auditpol.exe.

One of the advanced audit policy categories that is relevant for Active Directory is DS Access, which allows you to monitor access and changes to Active Directory objects and attributes. You can enable different subcategories under DS Access to audit specific events, such as directory service changes, directory service replication, directory service access, etc.

To view the audit events generated by the audit policies, you need to use Event Viewer. You can open Event Viewer by typing eventvwr.msc in the Run dialog box or the Command Prompt. In Event Viewer, you can find the audit events under Windows Logs > Security. You can filter, sort, and search the events by using the options in the Action pane or the right-click menu. You can also save and export the events to a file for further analysis.
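The same steps from the command line, as an added PowerShell example that is not part of the original page: it checks the subcategory override, enables the Directory Service Changes subcategory with auditpol.exe, and reads the resulting events from the Security log instead of browsing them in Event Viewer. The 24-hour window, the output file name `ds-changes.csv` and the choice of event IDs 5136-5141 are assumptions made for the example.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.

# 1. Check whether subcategory settings override the legacy category settings.
#    SCENoApplyLegacyAuditPolicy = 1 is the registry value behind the
#    "Audit: Force audit policy subcategory settings ..." security option.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enabled; basic audit policy may take precedence.'
}

# 2. Show the current state of every DS Access subcategory.
auditpol.exe /get /category:"DS Access"

# 3. Enable success auditing for Directory Service Changes.
#    A setting made here is local; a Group Policy that defines the same
#    subcategory replaces it at the next policy refresh.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 4. Read the change events from the Security log (last 24 hours, assumed window).
#    5136 modified, 5137 created, 5138 undeleted, 5139 moved, 5141 deleted.
#    These are logged only for objects whose SACL audits the operation.
$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139, 5141
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 5. Flatten each event's named EventData fields into one row per change.
#    Fields an event type does not carry (e.g. no attribute on 5137) stay empty.
$report = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectDN    = $data['ObjectDN']
        ObjectClass = $data['ObjectClass']
        Attribute   = $data['AttributeLDAPDisplayName']
        Value       = $data['AttributeValue']
    }
}

# 6. Export for further analysis, oldest change first.
$report | Sort-Object TimeCreated | Export-Csv -Path .\ds-changes.csv -NoTypeInformation
```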
