Step-By-Step Guide to enable

Advanced Security Audit Policy: DS

Access
APRIL 11, 2016 BY DISHAN M. FRANCIS NO COMMENTS

More than any other system active directory in an organization important in security perspecti ve.
Even a small change in Organization’s AD can cause a major business impact. Preventing any
unauthorized access, unplanned change in AD environment should prevent in first place but if similar
thing happened in your AD environment you should have enough information to answer questions
such as what has changed?, when it happened and who did it ?

As you know the computer security threats are changing every day, sometime the default event logs
may not help to answer above questions. Microsoft understand these modern requirements and with
windows 2008 R2 they introduce “Advanced Security Audit Policy”. This give you 53 options to
tune up the auditing requirement and you can collect more in granular level information about your
infrastructure events. It is have 10 categories and in this demo I am going to talk about the “DS
Access” category which is focused on Active Directory Access and Object Modifications.
Advanced Security Audit Policy is need to enable via GPO. These events happens records on
Domain controllers. There for the policy should only target the Domain Controllers. This can enabled
on “Default Domain Controllers Policy” in AD.

Let’s see how to enable this GPO setting.

In my Demo I am using AD server with Windows 2016 TP4.

1) Log in to the Server as Domain Admin
2) Load Group policy management editor using Server Manager > Tools > Group Policy
Management
3) Expand the Domain Controllers OU, then right click on Default Domain Controllers Policy and
edit.
4) Go to Computer Configuration > Policies > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > Audit Policies > DS Access
There are 4 subcategories under DS Access. Let’s see what each and subcategory capable of.

Audit Detailed Directory Service Replication

This security policy setting can be used to generate security audit events with detailed tracking
information about the data that is replicated between domain controllers. This audit subcategory can
be useful to diagnose replication issues.

If its enabled following events will be appear in logs

Event Event message

ID
4928 An Active Directory replica source naming
context was established.
4929 An Active Directory replica source naming
context was removed.
4930 An Active Directory replica source naming
context was modified.
4931 An Active Directory replica destination naming
context was modified.
4934 Attributes of an Active Directory object were
replicated.
4935 Replication failure begins.
4936 Replication failure ends.
4937 A lingering object was removed from a replica.
Audit Directory Service Access
This security policy setting determines whether the operating system generates events when an
Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of Windows
Server operating systems.

If its enabled following events will be appear in logs

 Event Event message
ID
4662 An operation was performed
on an object.
Audit Directory Service Changes
This security policy setting determines whether the operating system generates audit events when
changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that
are reported are:
• Create
• Delete
• Modify
• Move
• Undelete
Directory Service Changes auditing, where appropriate, indicates the old and new values of the
changed properties of the objects that were changed.

If its enabled following events will be appear in logs

Event ID Event message

5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted.
5139 A directory service object was moved.
5141 A directory service object was deleted.
Audit Directory Service Replication
This security policy setting determines whether the operating system generates audit events when
replication between two domain controllers begins and ends.

If its enabled following events will be appear in logs

 Event ID Event message
4932 Synchronization of a replica of an Active Directory naming context has begun.
4933 Synchronization of a replica of an Active Directory naming context has ended.
According to Microsoft best practices https://technet.microsoft.com/en-us/library/dn487457.aspx i am
going to enable
Audit Directory Service Access
Audit Directory Service Changes

Sub categories for both success and failure events. To do that double click on each subcategory and
enable audit events.
After GPO apply now I can see the new events under logs. For testing I added new GPO under IT OU
and in logs I can see the detail info about the activity.
If any question about the post feel free to ask me on rebeladm@live.com