Advanced Audit Policy Configuration in Windows Server lets you control which security events a server or domain controller writes to the Security log at a much finer granularity than the nine legacy audit policies. In this article, we'll show you how to enable and use Advanced Security Audit Policy with Group Policy and the auditpol.exe tool in Windows Server 2016.
Advanced Security Audit Policies first appeared in Windows Server 2008 R2 and Windows 7 and expose around 60 audit subcategories (the exact number depends on the OS version).
Configuring Audit Policies through Group Policy
You can view a list of available audit policies in Windows Server 2016 using the local Group Policy Editor.
Run the gpedit.msc console and go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies. As you can see, all audit policies are divided into 10 categories:
- Account Logon;
- Account Management;
- Detailed Tracking;
- DS Access;
- Logon/Logoff;
- Object Access;
- Policy Change;
- Privilege Use;
- System;
- Global Object Access Auditing.
Each section has several audit event subcategories. For example, in the Account Management section there are several advanced audit policies:
- Audit Application Group Management;
- Audit Computer Account Management;
- Audit Distribution Group Management;
- Audit Other Account Management Events;
- Audit Security Group Management;
- Audit User Account Management.
None of the advanced audit policies are configured in Group Policy by default (each shows as Not Configured), and the local defaults vary by OS version and server role, so always check the effective settings on a host rather than assuming they are off. Note also that advanced audit policies take precedence over the legacy settings in Local Policies > Audit Policy, because the security option “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” is enabled by default. Do not configure both sets; once any advanced subcategory is applied, the legacy category settings are ignored.
For example, suppose you want to audit all changes to Active Directory security groups. To do this, enable the Audit Security Group Management policy in the Default Domain Controllers Policy (group changes are written to the Security log of the domain controller that processed them, so the policy must apply to all DCs). Open the Group Policy Management Console (gpmc.msc), expand Forest > Domains > yourdomain.com > Domain Controllers, right-click Default Domain Controllers Policy and select Edit.
Go to the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management and open Audit Security Group Management. Tick “Configure the following audit events” and select both “Success” and “Failure” so that both outcomes are recorded in the Security log.
Update the group policy settings on the domain controller with gpupdate /force, then confirm the effective setting with auditpol (see the AuditPol section below).
Now perform any operation on an AD group (create a group, change its membership, etc.). Events from the Microsoft Windows security auditing source will appear in Event Viewer > Windows Logs > Security.
For convenience, you can enable the event source filter (Right click Security > Filter Current Log > Event Source: Microsoft Windows security auditing, Task category: Security Group Management).
Now, only AD group management events will remain in the Security log, for example:
- EventID 4727 – A security-enabled global group was created;
- EventID 4728 – A member was added to a security-enabled global group;
- EventID 4729 – A member was removed from a security-enabled global group;
- EventID 4730 – A security-enabled global group was deleted.
Domain local and universal security groups log their own IDs (4731–4734 and 4754–4758 respectively), and 4735, 4737 and 4755 record a change to a group's attributes, so filter on the whole set if you need to see every kind of group. The event description gives the details of who made the change (Subject), which group was affected (Group) and, for membership changes, which account was added or removed (Member).
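Reading these events by hand in Event Viewer does not scale, and the rendered message text is awkward to parse. The following PowerShell script is an added example (it is not part of the original article): it pulls the membership-change events for global, domain local and universal security groups from the local Security log and flattens the EventData fields an investigator actually needs. It assumes the Audit Security Group Management subcategory is already enabled on the host and that the session is elevated (reading the Security log requires administrator rights or membership in Event Log Readers); the event IDs and field names (SubjectUserName, TargetUserName, MemberName, MemberSid) are the standard ones Windows writes for these events.

```powershell
# Added example, not from the original article. Requires the
# "Audit Security Group Management" subcategory to be enabled and an elevated session.

# Membership-change events for global (4728/4729), domain local (4732/4733)
# and universal (4756/4757) security groups.
$memberEventIds = 4728, 4729, 4732, 4733, 4756, 4757
$addedIds       = 4728, 4732, 4756

function ConvertFrom-GroupMembershipEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)

    # ToXml() exposes every EventData field by name, independent of the message template,
    # which is more robust than regex-parsing the rendered message text.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $action = if ($Event.Id -in $addedIds) { 'MemberAdded' } else { 'MemberRemoved' }

    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        Action    = $action
        Group     = $data['TargetUserName']      # sAMAccountName of the group
        GroupSid  = $data['TargetSid']
        Member    = $data['MemberName']          # distinguished name of the member
        MemberSid = $data['MemberSid']
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer  = $xml.Event.System.Computer   # the DC that processed the change
    }
}

# Last 24 hours of membership changes. -ErrorAction SilentlyContinue suppresses the
# "No events were found" error Get-WinEvent raises when the filter matches nothing.
$filter = @{ LogName = 'Security'; Id = $memberEventIds; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-GroupMembershipEvent -Event $_ } |
    Sort-Object Time |
    Format-Table Time, EventId, Action, Group, Member, Actor -AutoSize
```

Because each DC only records the changes it processed itself, run the script against every domain controller (for example with Get-WinEvent -ComputerName, or via a log collector) when you need a complete picture. Filtering the Group column for high-value groups such as Domain Admins turns the same script into a simple detection rule.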
Some advanced audit policies need additional configuration before they produce events. For example, Object Access > Audit File Share logs access to shares themselves (event 5140), but to audit access to the files and folders inside a share (event 4663) you must enable Object Access > Audit File System and additionally define a SACL on the folder you want to monitor (folder Properties > Security > Advanced > Auditing); without a SACL, no file-level events are generated.
Manage Advanced Audit Policies with AuditPol
On a standalone computer (or on any host, when you want to see the effective policy that Group Policy and local settings have produced), you can view the current audit policies and enable/disable them using the built-in AuditPol.exe tool. Run it from an elevated command prompt.
List all audit categories:
auditpol /list /category /v
Display a list of all audit subcategories:
auditpol /list /subcategory:*
Check if audit policies from the Object Access category are enabled:
auditpol /get /category:"Object Access"
To enable registry access audit, use the following command:
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
To disable an audit policy completely, turn off both outcomes; /success:disable on its own leaves failure auditing in place:
auditpol /set /subcategory:"Registry" /success:disable /failure:disable
Keep in mind that settings changed with auditpol are local and will be overwritten at the next Group Policy refresh if a GPO configures the same subcategory.
Using the /backup and /restore options (both take a /file: parameter pointing to a CSV file), you can save the current audit policy settings and import them on another computer/server, or roll back a change that turned out to be too noisy.
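A practical way to use these auditpol commands together is to keep a baseline and check each server against it. The following PowerShell script is an added example (it is not part of the original article): it backs up the current policy, compares the effective settings with a baseline and corrects any drift. The baseline contents are an assumption chosen for illustration; the subcategory names and the “Inclusion Setting” values (“Success and Failure”, “Success”, “Failure”, “No Auditing”) are the strings auditpol itself prints, and /r is auditpol's option for CSV output. Run it elevated.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.

# Baseline (assumed for illustration): subcategory name -> expected setting,
# written exactly as auditpol reports it in the "Inclusion Setting" column.
$baseline = @{
    'Security Group Management' = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Registry'                  = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r switches auditpol to CSV output; /category:* covers every subcategory.
    # Blank lines are dropped so ConvertFrom-Csv sees the header first.
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    $policy = @{}
    foreach ($r in $rows) { $policy[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim() }
    return $policy
}

function Compare-AuditPolicy {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $current = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '(unknown subcategory)' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $current
            Drift       = ($current -ne $Expected[$name])
        }
    }
}

# Back up first so the change can be reverted with: auditpol /restore /file:<path>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol /backup /file:$backup | Out-Null
Write-Host "Current policy saved to $backup"

$drift = Compare-AuditPolicy -Expected $baseline -Actual (Get-EffectiveAuditPolicy) | Where-Object Drift
if (-not $drift) { Write-Host 'Audit policy matches the baseline.'; return }
$drift | Format-Table -AutoSize

# Remediate each drifted subcategory. Both switches are always passed because
# auditpol only changes the outcome you name: /success:disable alone would leave
# failure auditing enabled.
foreach ($d in $drift) {
    if ($d.Actual -eq '(unknown subcategory)') { continue }   # name not valid on this OS build
    $s = if ($d.Expected -like 'Success*') { 'enable' } else { 'disable' }
    $f = if ($d.Expected -like '*Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($d.Subcategory)" /success:$s /failure:$f | Out-Null
}
```

Run it a second time to confirm the drift list is empty. If the host is domain-joined and a GPO configures any of these subcategories, the GPO wins at the next policy refresh, so persistent drift in that case means the GPO itself needs to be changed, not the local setting.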