AD DS auditing AD


Hi, today it's AD DS auditing time!


Log specific information from the domain that can be of interest to the admins


Admin permissions

Be familiar with Group Policy

AD DS role must be installed

Feature required: Group Policy Management (installed)

Enabling the audit policy (Windows interface)

The first thing we must do is modify the Default Domain Policy

1) Execute gpmc.msc


2) Edit the default domain policy

In Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

Select "Audit directory service access", check "Define these policy settings", and then check "Success"


To enable the change auditing policy from the command line, run the following command:

auditpol /set /subcategory:"directory service changes" /success:enable

Setting the SACL (system access control list)

First open dsa.msc and find the OU you want to audit (click on Properties, and remember to enable the "Advanced Features" check). Go to the Security tab and click "Advanced"


Click on the "Auditing" tab


We select "Write all properties", apply and exit


Check under "Access" that the object has been changed


Testing the audit 

We create a user


Delete that user, then open mmc.exe and add the "Event Viewer" console


You can try to move or create more objects and check the event logs

Later you can use this for your own script listing… etc etc etc hehe
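One way to pull the resulting events out of the Security log from PowerShell instead of Event Viewer. This is an added example, not part of the original post: the event IDs are the ones Windows logs for the "Directory Service Changes" subcategory, and the one-hour look-back window is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Event IDs written by the "Directory Service Changes" audit subcategory.
$dsChangeIds = @{
    5136 = 'Modified'
    5137 = 'Created'
    5138 = 'Undeleted'
    5139 = 'Moved'
    5141 = 'Deleted'
}

# Confirm the subcategory is really being audited before trusting an empty result.
auditpol /get /subcategory:"Directory Service Changes"

# Assumption: a one-hour window covers the create/delete test done above.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$dsChangeIds.Keys
    StartTime = (Get-Date).AddHours(-1)
}

# Note: Get-WinEvent reports an error (not an empty list) when nothing matches.
Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    $evt = $_

    # Flatten the <EventData><Data Name="..."> pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Move events (5139) carry OldObjectDN/NewObjectDN instead of ObjectDN.
    $object = if ($evt.Id -eq 5139) {
        "$($data.OldObjectDN) -> $($data.NewObjectDN)"
    } else {
        $data.ObjectDN
    }

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        EventId   = $evt.Id
        Action    = $dsChangeIds[$evt.Id]
        Who       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Class     = $data.ObjectClass
        Object    = $object
        # Only modify events (5136) name the attribute that was written.
        Attribute = $data.AttributeLDAPDisplayName
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Only objects under an OU whose SACL has an auditing entry produce these events, so an object created elsewhere in the domain will not show up.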

Enjoy!

Learn & check more at :
