Janik von Rotz

3 min read

Monitor and audit Active Directory user and group management

Traceability is key when collaborating in the Active Directory (AD). Multiple admins changing and updating permissions and policies makes it difficult being compliant with the company’s policies. It is important to monitor mutations in the directory. By default audit policies are disabled for Domain Controllers (DC) and must be enabled explicitly. Enabling auditing for the DCs is quite easy, querying the logs for a specific event is a bit more difficult.

In this guide you’ll learn how to enable auditing for a specific case and how to query the audit logs for a specific event.

The tutorial assumes that there is a:

Enable Auditing

Let’s start by have a look on the already enabled audit categories.

The command returns a list of audit categories and its status. These settings have been enabled by either the auditpol tool or via GPOs.

In our scenario we would like to track management of users and groups, which is part of the Audit Account Management. To enable this audit category create a new group policiy for the DC.

If you open the security event log on the DC there should be events logging account management mutations.

Source: Microsoft Docs - Monitoring Active Directory for Signs of Compromise

Query Audit Logs

As mentioned querying the event log is a bit more difficult. The event log viewer offers limited features for filtering events and searching by specific keywords. In contrast with PowerShell it is possible to filter and search the event log by any property and keyword.

Here is a simple example:

$LogName = "security"
$StartTime = Get-Date("2017-10-12 12:50")
$EndTime = Get-Date("2017-10-12 13:00")
$SearchKey = "username"

Get-WinEvent -FilterHashtable @{LogName=$LogName; StartTime=$StartTime;EndTime=$EndTime} | Where-Object {$_.Message -match $SearchKey} | select Id, TimeCreated, Message | Format-List

Source: Hey, Scripting Guy! Blog - Filtering Event Log Events with PowerShell

Categories: Microsoft infrastructure
Tags: audit , compliance , group policy , monitoring , security , traceability
Improve this page
Show statistic for this page