Configuring Audit Polices for Workstation Auditing

  1. Open Group Policy Management Console(GPMC).
  2. Create a New GPO “ADAuditPlusWSPolicy”
  3. Link the “ ADAuditPlusWSPolicy” at Domain level
    1. Open GPMC|right click the Domain |Select Link an Existing GPO|Select the “ADAuditPlusWSPolicy”
    File Server Group Policy
  4. Edit the "ADAuditPlusWSPolicy"(right click the policy and "Edit")
  5. Configure required Advanced Audit Policies for 2k8 and above(recommended). This settings can be found under
    1. Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|System Audit Policies
      1. Audit User, Group, Computer: Select Account Management -> Configure 'Computer Account Management' (Success), 'Distribution Group Management' (Success), 'Security Group Management' (Success), 'User Account Management' (Success & Failure).
      2. Audit Removable Device Plugin Activity : Select Detailed Tracking -> Configure PNP Activity (Success & Failure).
      3. Audit Logon / Logoff: Select Logon / Logoff -> Configure Logon (Success & Failure), Audit Logoff (Success), Network Policy Server (Success & Failure), Other Logon / Logoff Events (Success).
      4. Audit Removable Storage : Select Object Access -> Configure Removable Storage (Success & Failure).
      5. Audit Scheduled Tasks: Select Object Access -> Other Object Access Events (Success).
      6. Audit Local Policy Changes: Select Policy Change -> Authentication Policy Change (Success), Authorization Policy Change (Success)
      7. Audit System Events: Select System -> Security State Change (Success)
        Member Server Audit Policies 2k8

  6. Audit Polices required For Windows Workstation Auditing (for 2k3 and below)
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Audit Policy
      1. Audit Logon / Logoff: Configure Logon Events (Success & Failure).
      2. Audit Local User, Group, Computer: Configure Account Management (Success & Failure).
      3. Audit Scheduled Tasks: Configure Object Access (Success).
      4. Audit Local Policy Changes: Configure Policy Change (Success).
      5. Audit System Events: Configure System Events (Success).
    Member Server Audit Policies 2k3
  7. Force Advanced Audit Policy
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Security Options
    2. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    Force Advanced Audit Policy
  8. Remove “Apply Group Policy” privilege for Authenticated Users in the above created GPO, follow the steps to do the same.
    1. Get the GUID value for "ADAuditPlusWSPolicy"
      1. Open GPMC, click on the "ADAuditPlusWSPolicy"
      2. Click on the "Details" tab(right side) 
      3. Note the unique id value of "Unique ID"
    2. Remove "Apply Group Policy" privilege for Authenticated Users
      1. Open "dsa.msc"; Start -> Run -> dsa.msc
      2. "Domain" -> System -> Policies -> "Unique ID"
      3. Right click the "Unique ID" -> Security tab -> Advanced
      4. Remove "Allow" for "Apply Group Policy"
    Apply Group Policy Privilege
  9. Create a new Global Security Group and add the workstations to be audited in that group.
    1. Open ADUC|Create a new Global Security Group “ADAuditPlusWS” . Add configured workstations into a member of the above created group.
    Workstation Group Add
  10. Add the  above group “ADAuditPlusWS “ into the "Security Filtering" settings of “ADAuditPlusWSPolicy” GPO.
    11. Workstation Security Filtering GPO
    Copyright © 2017, ZOHO Corp. All Rights Reserved.
    ManageEngine