Configuring Audit Polices for Member Server Auditing

  1. Open Group Policy Management Console(GPMC).
  2. Create a New GPO “ADAuditPlusMSPolicy”
  3. Link the “ ADAuditPlusMSPolicy” at Domain level
    1. Open GPMC|right click the Domain |Select Link an Existing GPO|Select the “ADAuditPlusMSPolicy”
    Member Server Group Policy
  4. Edit the "ADAuditPlusMSPolicy"(right click the policy and "Edit")
  5. Configure required Advanced Audit Policies for 2k8 and above(recommended). This settings can be found under
    1. Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|System Audit Policies
      1. Audit User, Group, Computer: Select Account Management -> Configure 'Computer Account Management' (Success), 'Distribution Group Management' (Success), 'Security Group Management' (Success), 'User Account Management' (Success & Failure).
      2. Audit Tracking Processes: Select Detailed Tracking -> Process Creation (Success), Process Termination (Success).
      3. Audit Logon / Logoff: Select Logon / Logoff -> Configure Logon (Success & Failure), Audit Logoff (Success), Network Policy Server (Success & Failure), Other Logon / Logoff Events (Success).
      4. Audit Scheduled Tasks: Select Object Access -> Other Object Access Events (Success).
      5. Audit Local Policy Changes: Select Policy Change -> Authentication Policy Change (Success), Authorization Policy Change (Success)
      6. Audit System Events: Select System -> Security State Change (Success)
        Member Server Audit Policies 2k8

  6. Audit Polices required For Windows Member Server Auditing (for 2k3 and below)
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Audit Policy
      1. Audit Logon / Logoff: Configure Logon Events (Success & Failure).
      2. Audit Local User, Group, Computer: Configure Account Management (Success & Failure).
      3. Audit Tracking Processes: Configure Process Tracking (Success).
      4. Audit Scheduled Tasks: Configure Object Access (Success).
      5. Audit Local Policy Changes: Configure Policy Change (Success).
      6. Audit System Events: Configure System Events (Success).
    Member Server Audit Policies 2k3
  7. Force Advanced Audit Policy
    1. Computer Configuration|Windows Settings|Security Settings|Local Polices|Security Options
    2. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    Force Advanced Audit Policy
  8. Remove “Apply Group Policy” privilege for Authenticated Users in the above created GPO, follow the steps to do the same.
    1. Get the GUID value for "ADAuditPlusMSPolicy"
      1. Open GPMC, click on the "ADAuditPlusMSPolicy"
      2. Click on the "Details" tab(right side) 
      3. Note the unique id value of "Unique ID"
    2. Remove "Apply Group Policy" privilege for Authenticated Users
      1. Open "dsa.msc"; Start -> Run -> dsa.msc
      2. "Domain" -> System -> Policies -> "Unique ID"
      3. Right click the "Unique ID" -> Security tab -> Advanced
      4. Remove "Allow" for "Apply Group Policy"
    Apply Group Policy Privilege
  9. Create a new Global Security Group and add the Member Servers to be audited in that group.
    1. Open ADUC|Create a new Global Security Group “ADAuditPlusMS” . Add configured Member Servers into a member of the above created group.
    Workstation Group Add
  10. Add the  above group “ADAuditPlusMS “ into the "Security Filtering" settings of “ADAuditPlusMSPolicy” GPO.
    11. Member Server Security Filtering GPO
    Copyright © 2017, ZOHO Corp. All Rights Reserved.
    ManageEngine