AD DS auditing AD

Lupe Audit

Hi  today It’s Ad ds auditing time!

Purproses:

Log specific info from the domain that can be interesting for the admins

Prerequisites

Admin permissions

Be familiar with group policy

AD DS rolle must be installed

Feature required : Group Policy Management ( installed ) 

Enabling the audit policy ( windows interface ) 

First we must to do is  modify the default domain policy

1) Execute gpmc.msc

2015-05-14 10_31_50-DC1 - cloud.exescampus.com_2090 - Conexión a Escritorio remoto

2) Edit the default domain policy

Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

Select “Audit directory services access” , “define these policy settings” , “success”

2015-05-14 10_36_16-DC1 - cloud.exescampus.com_2090 - Conexión a Escritorio remoto

To enable the change auditing policy using a command line run the following command:

auditpol /set /subcategory:”directory service changes” /success:enable


Setting the sacl ( System access control list ) 

First open dsa.msc an search a Ou where you want to audit ( click on properties and remember use ” advanced features check” ), Go to security item and click ” advanced ”

2015-05-14 12_20_49-Windows Server 2012 - VMware Workstation

Click on “auditing” zone

2015-05-14 12_21_02-Windows Server 2012 - VMware Workstation

We select “Write all properties” , apply and exit

2015-05-14 12_28_12-Windows Server 2012 - VMware Workstation

Check on ” access that object has ben changed”

2015-05-14 12_33_40-Windows Server 2012 - VMware Workstation


Testing the audit 

We create a user

2015-05-14 12_35_49-Windows Server 2012 - VMware Workstation

Delete that user… open MMC .exe and add ” event viewer console “

2015-05-14 12_41_40-Windows Server 2012 - VMware Workstation

2015-05-14 12_40_46-Windows Server 2012 - VMware Workstation

You can try to move , create more objects and check the event logs

Later you can user this for your own script listing… etc etc etc hehe

Enjoy !

Learn & check more at :

https://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s