Active Directory Logging – Changes to groups

The following steps detail how to enable auditing of group membership changes on Windows Server 2008 Active Directory Domain Services.

To configure this you will need permission to edit the Default Domain Controllers Policy and access to the Security event log on a domain controller.

The process involves three steps: configuring the group policy, setting the auditing requirements on the OU, and defining a filtered view so the relevant events are easy to find.

In this example we’ll be logging all changes to any group inside the CitySite Organisational Unit (or below) – for example, log when a user is added or removed.

Configuring the Group Policy

  1. Open the Group Policy Management tool
  2. Locate the Default Domain Controllers Policy, right click on it and select ‘Edit’
     [screenshot: Server2008-Audit1]
  3. Navigate to Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – Audit Policy
  4. Open ‘Audit directory service access’
  5. Select ‘Define these policy settings’ and ‘Success’
     [screenshot: Server2008-Audit2]
  6. While you are here, check that ‘Audit account management’ is also defined for ‘Success’ (the default policy on a domain controller sets it). The 4728 and 4729 events used in the view below belong to that category (Task Category ‘Security Group Management’), not to directory service access, so the view stays empty without it
  7. Click ‘OK’ to save the changes and close the Group Policy Management window.

Setting the auditing requirements

  1. Open the Active Directory Users and Computers tool
  2. If you haven’t already enabled the advanced features you will need to: select the ‘View’ menu and then ‘Advanced Features’
  3. Locate the Organisational Unit (OU) which contains the group objects to be logged (e.g. CitySite)
  4. Right click on the OU and select ‘Properties’
  5. Select the ‘Security’ tab and then the ‘Advanced’ button
  6. Select the ‘Auditing’ tab
  7. Click on the ‘Add’ button, enter ‘Authenticated Users’ and click ‘OK’
  8. Under ‘Write all properties’ place a tick for ‘Successful’, and check that ‘Apply onto’ is ‘This object and all descendant objects’ so groups in child OUs are covered as well
     [screenshot: Server2008-Audit3]
  9. Click ‘OK’, ‘OK’ and ‘OK’ to save the changes
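The same two configuration steps as an added PowerShell example; this is not code from the original article. It assumes an elevated session on the domain controller and the CitySite OU distinguished name used in the screenshots (change $ouDn for your own domain), and it adds a read-back check that the GUI steps do not give you:

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell session on a
# domain controller and the CitySite OU from the screenshots; change $ouDn for your own domain.
$ouDn = "OU=CitySite,DC=mockbox,DC=net"   # assumption: the OU whose groups you want audited

# 1. Check the effective audit policy. The OU SACL produces its 4662 property-write events under
#    'Directory Service Access'; the 4728/4729 events used in the filtered view come from
#    'Security Group Management' (Audit account management), so both should report Success.
auditpol /get /subcategory:"Directory Service Access"
auditpol /get /subcategory:"Security Group Management"

# 2. Add the SACL entry the GUI steps create: audit successful WriteProperty by Authenticated Users
#    on the OU and every descendant object. Reading and writing the SACL needs SeSecurityPrivilege,
#    which Domain Admins hold on a domain controller.
$ou       = [ADSI]"LDAP://$ouDn"
$identity = New-Object System.Security.Principal.NTAccount("Authenticated Users")
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# 3. Read the explicit SACL entries back so you can see the entry landed and what it inherits to.
$ou.psbase.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -like '*Authenticated Users' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The auditpol lines only report the policy that is in effect; the Default Domain Controllers Policy edit above is what makes it persist, and if the subcategories do not show Success that edit has not applied yet (run gpupdate /force on the DC).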

Viewing the logs

Due to the large number of logged events in Windows Server 2008 it’s much easier to create a filtered view.

  1. Open the Server Manager (Start Menu, right click on Computer and select ‘Manage’)
  2. Expand ‘Diagnostics’ and then ‘Event Viewer’
  3. Right click on ‘Custom Views’ and select ‘Create Custom View’
  4. Under ‘Logged’ select the time frame required when doing auditing (e.g. last 30 days)
  5. Under ‘Event logs’ select ‘Security’
  6. Under ‘Event sources’ select ‘Microsoft Windows security auditing’
  7. In the event ID field enter 4728,4729. These two IDs only cover members added to and removed from security-enabled global groups; to also catch domain local and universal groups, enter 4728,4729,4732,4733,4756,4757 instead
     [screenshot: Server2008-Audit4]
  8. Click ‘OK’, give the view a name (e.g. Group changes – Last 30 days) and click ‘OK’ to save the changes

Now whenever someone with permission adds a user to, or removes a user from, a group of the types covered by the event IDs in the view, it will be logged and listed there.

How do I read the logs?

The log contains all the information required – what has changed, who changed it and when.

For example, the log below indicates that the user ‘bbuilder’ was removed from the ‘AllStaff’ group on 22/04/2011 by the ‘Administrator’ account. The Subject ‘Logon ID’ is the same value recorded in that account’s logon event (4624), which lets you trace the change back to the session and workstation it was made from:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          22/04/2011 9:08:37 PM
Event ID:      4729
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      W2K8DC1.mockbox.net
Description:
A member was removed from a security-enabled global group.
Subject:
    Security ID:        MOCKBOX\Administrator
    Account Name:       Administrator
    Account Domain:     MOCKBOX
    Logon ID:           0x3e1f2
Member:
    Security ID:        MOCKBOX\bbuilder
    Account Name:       CN=Bob Builder,OU=Users,OU=CitySite,DC=mockbox,DC=net
Group:
    Security ID:        MOCKBOX\AllStaff
    Group Name:         AllStaff
    Group Domain:       MOCKBOX
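The filtered view and the field reading described in the last two sections, as an added PowerShell example that is not part of the original article. It assumes it runs on the domain controller in a session that can read the Security log; the XPath is the same query the Custom View dialog saves, the extra event IDs (domain local and universal groups) go beyond the two on the page, and the CitySite DN filter in the usage line is an assumption:

```powershell
# Added example (not from the original article). Run it on the domain controller in a session that
# can read the Security log. The XPath is the query the Custom View dialog saves; the extra IDs cover
# domain local (4732/4733) and universal (4756/4757) groups alongside the global-group IDs on the page.
$days = 30
$ms = $days * 24 * 60 * 60 * 1000          # timediff() in the XPath works in milliseconds
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing']
        and (EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4756 or EventID=4757)
        and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

function Get-GroupMembershipChange {
    param([string]$FilterXml)
    Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML instead of parsing the message text,
        # so the output does not depend on the display language or the message layout.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $action = 'Removed'
        if (@(4728, 4732, 4756) -contains $_.Id) { $action = 'Added' }
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Action   = $action
            Actor    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # the 'Subject' block
            LogonId  = $d['SubjectLogonId']                                     # matches the actor's 4624 event
            Member   = $d['MemberName']                                         # DN of the account added/removed
            Group    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"     # the 'Group' block
            Computer = $_.MachineName
        } | Select-Object Time, EventId, Action, Actor, Member, Group, LogonId, Computer
    }
}

# Usage: group changes in the last 30 days, limited to member accounts that live under the
# CitySite OU. The event carries the member's DN but only the group's name and SID, so scoping by
# the group's own OU would need a separate directory lookup on TargetSid.
Get-GroupMembershipChange -FilterXml $query |
    Where-Object { $_.Member -like '*,OU=CitySite,DC=mockbox,DC=net' } |
    Sort-Object Time -Descending |
    Format-Table Time, Action, Actor, Member, Group -AutoSize
```

Get-WinEvent accepts the same XML that appears on the Custom View dialog’s XML tab, so a query that works here can be pasted back into Event Viewer unchanged, and the LogonId column is the value to search for in the 4624 events when you need to know where the change was made from.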