How to Audit Active Directory Changes using Event Logs

Audit AD changes in real time with Lepide Active Directory Auditor
5 min read | Updated On - December 21, 2023
In This Article

IT administrators struggle everyday with the challenge of maintaining security in the Active Directory environment. It can often be difficult to find out critical information about who has modified what, where and when in AD user accounts in order to trap malicious users and track unusual activity in their IT environment.

One thing you can do to help mitigate the risks of malicious changes is ensure that you are constantly monitoring and recording any changes taking place in the Active Directory.

Below are the methods to enable Active Directory auditing:

  1. Enable Auditing by using Group Policy Management Console (GPMC)
  2. Enable Auditing by using ADSIEdit.msc

Enable Auditing by using Group Policy Management Console (GPMC)

  1. Configuration of Group Policy Audit Settings
command gpmc.msc
Type the command gpmc.msc in order to open the Group Policy Management Console.
  1. The Group Policy Management Console
GP Management Console
Under Group Policy Management, select the forest domain you wish to choose and expand it further to navigate to the Domain Controllers→ Default Domain Controller Policy, right click on it and select Edit to open the configuration window.
  1. Advanced Audit Policy Configuration
Advanced Audit Policy Configuration
Navigate to Computer Configuration> Policies> Windows Settings> Security Settings> Advanced Audit Policy Configuration> Audit Policies in the GPMC Editor.
  1. Configuring All the Policies

In order to configure all the policies, define the following categories and then configure them one after another:

  • Account Logon
  • Account Management
  • DS Access
  • Logon/Logoff
  • Object Access
  • Policy Change
  1. Configuring All Policies One by One
Account Logon and configure
Click on the first policy – Account Logon and configure the audit events of its subcategories one after another.
  1. Check Both Success and Failure
validation properties
In the Policy tab of Audit Credential Validation Window, simply check both the options – success and failure to audit the events and click OK.

Follow the step 6 for all other Advanced Audit Policies listed above.

  1. Updating the Group Policy
executing the command - gpupdate /force
This can be done by executing the command: gpupdate /force in the command prompt.

Enable Auditing by using ADSIEdit.msc

  1. Open ADSI Edit Console and select “Connect to” in order to view the Connection Settings.
  2. Next, establish connections with all four available naming contexts to turn on their auditing for:
    • Default Naming Context
    • Configuration
    • RootDSE
    • Schema
Then, proceed on to connect to the default naming context. Also, Right click on the node = “ADSIEdit” and select “Connect To”.

Configuring Default Naming Context

Configuring Default Naming Context

Configuring Connection Settings

Configuring Connection Settings

Establishing connection with Root DSE

Establishing connection with Root DSE

Connection Settings for Schema

Connection Settings for Schema
  1. Enabling the Audit Settings for All the Four Root Nodes
Enabling the Audit Settings for All
For all the four root nodes of different naming contexts, enable the auditing settings.
  1. Managing Auditing Entry for Your Domain
Managing Auditing Entry

In the Domain Controller properties, navigate to the security tab and click Advanced. This will open the Advanced Security Settings. Now, quickly navigate to the Auditing tab and click Add to open the Auditing Entry window. In the field “Name”- type “Everyone” and in the “Access” section, check all the boxes except the following four options:

  • Full Control
  • List contents
  • Read all properties
  • Read permissions
In the ADSI Edit, repeat steps 3 and 4 in order to enable the auditing of the remaining root nodes.

Track Changes Using Event IDs

View audit logs in event viewer to track AD changes by searching relevant event ids

  1. Filtering the Security Event Log
filter the Security Event Log

In the Event Viewer, navigate to Windows Logs and select Security. Then, simply click Filter Current Log.

  1. Search by Event ID
filter by event id

In the “Filter Current Log” window, simply enter the particular Event ID and carry out the search operation. In above image event id 4720 refers to ‘User Account Creation’. have

  1. Open Event Properties to See Further Details
Event Properties to See Further Details

To know more about any particular event, simply double click on it to see further details.

List of Other Relevant Event IDs

List of Other Relevant Event IDs

How Lepide Active Directory Auditor Tracks Changes Made in AD

For many users, manual auditing can be both time consuming and unreliable, as you have to search lots of audit logs in event viewer, it does not generate instant alerts and reports for Active Directory changes.

It is therefore recommended that you opt for an automated Active Directory auditing solution. One such solution, Lepide Active Directory Auditor (part of Lepide Data Security Platform), that enables users to pro-actively track, alert and report on changes being made to Active Directory.

Lepide’s Active Directory audit solution for records the details of every change made in the configuration of Active Directory and generates 90 reports in three different categories – Active Directory Modification Reports, Active Directory Security Reports, and Active Directory State Reports.

Below are some screenshots that show how our Active Directory auditing solution helps IT administrators track changes in Active Directory objects. Three reports are shown below; a report for objects created, objects deleted and objects modified.

  1. Object Created Report
Object Created Report - screenshot

  1. Object Deleted Report
Object Deleted Report - screenshot

  1. Object Modifications Report
Object Modifications Report - screenshot

You can also track other activities like successful and failed logon attempts, account lockouts, permissions changes, privilege user activities etc. easily with our solution.

The Final Note

Lepide Active Directory Auditor for can actually make the whole Active Directory auditing process simpler through its intuitive user interface and sending real-time alerts as emails to desired recipients, as updates to LiveFeed widget, and as push-notifications to Lepide Mobile App to ensure the security of your Active Directory environment.

Audit AD changes in real time with Lepide Active Directory Auditor