Auditing Active Directory

CRM-AD Issues: Auditing Active Directory


While troubleshooting or isolating CRM issues, you will often end up checking details on the AD side. In that case you can refer to the article below, which explains how to enable auditing in AD to track activities.

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory, Directory Service Changes, to log the old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool.

Here is a quick command to check which audit policies are currently active:

auditpol /get /category:*

Command to view the audit policy categories and Subcategories:
How to enable the global audit policy using the Windows interface (i.e. the GPMC tool)

  • Click Start, point to Administrative Tools, and then Group Policy Management or run gpmc.msc command

  • In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

  • Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  • In the details pane, right-click Audit directory service access, and then click Properties.

  • Select the Define these policy settings check box.

  • Under Audit these attempts, select the Success check box, and then click OK.

How to enable the change auditing policy using a command line

  • Click Start, right-click Command Prompt, and then click Run as administrator.

  • Type the following command, and then press ENTER:

auditpol /set /subcategory:"directory service changes" /success:enable

To verify whether auditing is enabled for "Directory Service Changes", run the following command:

auditpol /get /category:"DS Access"


How to set up auditing in object SACLs

  • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  • Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

  • Click the Security tab, click Advanced, and then click the Auditing tab.

  • Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

  • In Apply onto, click Descendant User objects (or any other objects).

  • Under Access, select the Successful check box for write all properties.

  • Click OK until you exit the property sheet for the OU or other object.

To test whether auditing is working, try creating or modifying objects in the Finance OU and then check the Security event log.

I just created a new user account in the Finance OU named f4.

If you check the Security event log, you will find event ID 5137 (Create).

Note:
Once auditing is enabled, these event IDs will appear in the Security event log: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
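As an added example (not part of the original article), the following PowerShell script combines the two checks above: it confirms via auditpol that the Directory Service Changes subcategory is enabled for Success, then lists the 5136-5139 events for one OU from the Security log, parsing each event's XML. The OU distinguished name is an assumed placeholder; run it in an elevated session on a domain controller.

```powershell
# Added example: verify "Directory Service Changes" auditing and list the
# resulting 5136-5139 events for an OU. $OuDN is a placeholder value.
param(
    [string]$OuDN = 'OU=Finance,DC=contoso,DC=com',   # placeholder, replace
    [int]$MaxEvents = 50
)

# auditpol /r emits CSV; the "Inclusion Setting" column shows Success/Failure.
$policy = auditpol /get /subcategory:"Directory Service Changes" /r |
    Where-Object { $_ } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning ('Directory Service Changes auditing is not enabled for Success; ' +
        'run: auditpol /set /subcategory:"directory service changes" /success:enable')
}

# Event IDs from the article mapped to the operation they record.
$ops = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }

$filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 }
Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The useful fields live in the EventData section of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # 5139 (Move) reports OldObjectDN/NewObjectDN instead of ObjectDN.
        $dn = if ($d.ObjectDN) { $d.ObjectDN } else { $d.NewObjectDN }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Operation = $ops[[int]$_.Id]
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN  = $dn
            Class     = $d.ObjectClass
            Attribute = $d.AttributeLDAPDisplayName   # populated only for 5136
            Value     = $d.AttributeValue             # populated only for 5136
        }
    } |
    Where-Object { $_.ObjectDN -like "*$OuDN" } |
    Format-Table -AutoSize
```

For the f4 account created above, the output should contain a 5137 row whose ObjectDN ends in the Finance OU, followed by 5136 rows for the attributes set during creation.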

To learn more about AD DS auditing, read the TechNet article:
AD DS Auditing Step-by-Step Guide

https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx