AD Audit event logs

Hi All,

I have recently enabled AD auditing at the domain level in my org to monitor activity. I have enabled the following options under Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy -> Audit Policies.

1. DS: Audit Directory Service Changes
2. Audit Computer Account Management
3. Audit Distribution Group Management
4. Audit Security Group Management

and a couple of other options. I have created a custom view to record the security events for this. But unfortunately I can see that for the last few days nothing has been recorded for event ID 4728, 4729 and so on, which worries me that I am missing a key step to enable this.

Please can anyone help and guide me on best practice to enable AD audit and record it in Event Viewer for auditing, and how I can set it up to record Security and Application events on a different drive or location.


Regards
Asif Naeem, Sr. System Administrator (Wintel & UNIX (AIX)) Asked:

Naveen Sharma Commented:
Advanced Audit Policies: Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | System Audit Policies.

Audit User, Group, Computer: Select Account Management -> Audit 'Computer Account Management' (Success), Audit 'Distribution Group Management' (Success), Audit 'Security Group Management' (Success), Audit 'User Account Management' (Success & Failure).

Audit GPO, OU, Configuration, Schema, Contacts, Containers, Sites, DNS: Select DS Access -> Audit Directory Services Changes (Success), Audit Directory Service Access (Success).

How to track changes made in Active Directory:
https://www.lepide.com/how-to/track-changes-in-active-directory.html

Auditing Account Management and Directory Service Access in Windows Server 2012:
https://www.lepide.com/blog/auditing-account-management-and-directory-service-access/

Also, you can try LepideAuditor for Active Directory, for real-time monitoring and auditing of Active Directory changes.
Asif Naeem, Sr. System Administrator (Wintel & UNIX (AIX)) Author Commented:
Thanks, I am working on this and will update the case if I need further assistance.

Asif Naeem, Sr. System Administrator (Wintel & UNIX (AIX)) Author Commented:
Hi,

Thanks for the response and the very useful links and KBs. I have applied everything as best practice as mentioned in the KBs as well. But I wonder: for the last few days I can see no events recorded against 4728, 4729, and I believe it is not possible that no user was added or removed by the Support team.

I am running AD Server 2012. Any further advice?


Thanks
Naveen Sharma Commented:
You need to configure the Advanced Audit Policy in the GPO to achieve your goal, which can audit group changes.

For detailed information, you could refer to the article below.

Need to audit domain admin group changes:
https://social.technet.microsoft.com/Forums/en-US/d6307458-f6bf-4119-9327-133d8b39ec16/need-to-audit-domain-admin-group-changes?forum=winserverDS
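
One way to check why 4728/4729 are missing after the policy has been set, as an added example that is not part of any participant's post. It reads the effective audit policy on a domain controller, checks whether subcategory settings are forced over legacy category settings, and searches the Security log of every DC, since a group change is logged only on the DC that processed it. Assumptions: an elevated session on a DC, English subcategory names, the ActiveDirectory module, an arbitrary 7-day window, and the extra IDs 4732/4733 (domain local groups) and 4756/4757 (universal groups), which go beyond the two IDs named in the thread.

```powershell
# Added example; run elevated on a domain controller.
# Assumes English auditpol output and the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# 1. Effective audit settings for the subcategories named in the thread.
#    "No Auditing" here means the GPO is not reaching this DC.
$subcategories = 'Security Group Management', 'Distribution Group Management',
                 'Computer Account Management', 'User Account Management',
                 'Directory Service Changes', 'Directory Service Access'
foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name" | Select-String -SimpleMatch $name
}

# 2. "Audit: Force audit policy subcategory settings..." security option.
#    A value of 1 keeps legacy category-level policy from overriding
#    the advanced subcategory settings checked above.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Subcategory settings are forced over legacy category settings.'
} else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy audit policy may override subcategories.'
}

# 3. Group membership events on every DC.
#    4728/4729 = global, 4732/4733 = domain local, 4756/4757 = universal
#    security groups (member added/removed).
$ids   = 4728, 4729, 4732, 4733, 4756, 4757
$since = (Get-Date).AddDays(-7)   # arbitrary window for this example
foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName
    try {
        $events = Get-WinEvent -ComputerName $dcName -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since }
    } catch {
        # Also reached when the DC simply has no matching events.
        Write-Warning "${dcName}: $($_.Exception.Message)"
        continue
    }
    $events | Select-Object @{ n = 'DC'; e = { $dcName } }, TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
```

If step 1 shows the expected settings but step 3 returns only domain local or universal group events, the custom view filter on 4728/4729 alone is the reason nothing appears.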

Asif Naeem, Sr. System Administrator (Wintel & UNIX (AIX)) Author Commented:
Hi

Thanks for all the useful links and help.

Regards