Hi, my name is Avril Salter and welcome to this short clip. Today we are going to take a look at how I could set my audit policy in Active Directory. I have remotely logged in to my domain controller and I have signed on with the domain administrator credentials. What I am going to do is pull up my Group Policy Management console, and I do that by selecting my Administrative Tools, and here you can see Group Policy Management. If you are not familiar with Group Policy Management, I do recommend you become very familiar with this console because it is extremely useful in accessing most of your security information.
What we are going to do is we have selected the Forest and into the Domain, Salter.com, and I am going to right-click the Default Domain Policy and select Edit. That brings me to my Group Policy Management Editor, and I want to go under Computer Configuration, selecting Policies > Windows Settings > Security Settings. Here you can see I have a huge number of security settings that I can look at. What I need is under Local Policies, and here you can see Audit Policy.
For this illustration, the Auditing Policy I want to edit is the second one, Audit account management. Double-clicking on this will bring up the management properties screen. You can see I can select the security settings and I can select Success and Failure, or just Success, or just Failure. In this illustration I am looking to audit the effectiveness of my administrative team and my help desk staff. So, what I want to track is both successes and failures. What Audit account management is going to do is track changes to any user accounts or groups. I am going to select Apply and OK. You can see here the other types of events that I could also be capturing in my log. For our purposes today we are just going to look at the auditing of the account management.
Now I am actually going to go in and change one of the user accounts and see if that event gets logged. To do that we are going to go into Administrative Tools and select Active Directory Users and Computers, and I am going to edit one of these users. Let’s edit Debbie. Here I am going to type in her name, and she is a Lead Engineer. I shall apply these changes. Now let’s take a look at our Event Viewer. We select that by going through Administrative Tools and into Event Viewer. I will open up the Windows Logs, and here is my Security log. Here you can see I have a user account management event that has just occurred. If we go down here we can see that the account was changed, and if we look at the details we can see it was dmonks that was changed and that this change was successful.
I have shown you how to set up an Audit Policy inside Active Directory to help create events which go into your security log. I hope you found this of value. Thank you for joining me.
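
The same verification done from the command line, as an added example that is not part of the original clip. It assumes an elevated PowerShell session on the domain controller; the event IDs are the standard Windows Security log IDs for user account changes (the clip does not name them), and the one-hour window is an arbitrary choice.

```powershell
# Added example, not from the clip. Run elevated on the domain controller.

# 1. Show the effective audit setting for the Account Management category.
#    With the policy from the walkthrough applied, the subcategories
#    should report "Success and Failure".
auditpol /get /category:"Account Management"

# 2. Pull recent user account events from the Security log.
#    4720 created, 4722 enabled, 4725 disabled, 4726 deleted, 4738 changed.
$ids   = 4720, 4722, 4725, 4726, 4738
$since = (Get-Date).AddHours(-1)   # assumption: the edit was made within the last hour

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No account management events found. Check that the policy has applied to this DC.'
    return
}

$events | ForEach-Object {
    # The named fields shown on the Event Viewer Details tab live under EventData in the XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Result    = ($_.KeywordsDisplayNames -join ', ')   # Audit Success / Audit Failure
        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Target    = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

For the edit made in the walkthrough, the expected row is event 4738 with the Target column showing the dmonks account and the ChangedBy column showing the administrator who made the change.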