How do I audit Active Directory?

You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.

  1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
  2. From the View menu, select Advanced Features.
  3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
  4. Select the Group Policy tab.
  5. Select Default Domain Controllers Policy, and click Edit.
  6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
  7. Select Audit Policy.
  8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
  9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.

  10. Close the Group Policy window.
  11. In the main Domain Controllers Properties dialog box, click OK.
  12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the logs in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.

1st Security Agent

Mail Bomber

Security Administrator

PC Lockup

Access Lock

Access Administrator Pro

ABC Security Protector

1st Security Agent

Mail Bomber

Security Administrator for Windows

PC Lockup

Access Lock

Access Administrator

ABC Security Protector

http//www.softheap.com