How do I audit Active Directory?
You can configure Active Directory (AD) auditing to record success and
failure entries in the Directory Service (DS) event log.
- Start the Microsoft Management Console (MMC) Active Directory Users and
Computers snap-in. (Select Programs, Administrative Tools, Active Directory
Users and Computers from the Start menu.)
- From the View menu, select Advanced Features.
- Expand the domain, right-click the Domain Controllers container, and
select Properties from the context menu.
- Select the Group Policy tab.
- Select Default Domain Controllers Policy, and click Edit.
- Expand the Computer Configuration branch, the Windows Settings branch, the
Security Settings branch, and the Local Policies branch.
- Select Audit Policy.
- The rightmost window will show auditing levels. Double-click Audit
Directory Service Access.
- Select the relevant checkboxes (e.g., Audit successful attempts, Audit
failed attempts), as the screen shows. Click OK.
- Close the Group Policy window.
- In the main Domain Controllers Properties dialog box, click OK.
- Close the Active Directory Users and Computers MMC snap-in.
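To confirm from a command line that the setting configured in the steps above has reached a domain controller, the following added example (not part of the original page) reads the effective audit setting and summarizes recent audit events. It assumes Windows Server 2008 or later, where auditpol.exe and event ID 4662 exist, an elevated PowerShell session, and English subcategory names; the function names are hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Assumes Windows Server 2008 or later with English subcategory names.
$subcategory = 'Directory Service Access'

function Get-DsAccessAuditSetting {
    # auditpol /r emits a CSV report; the "Inclusion Setting" column holds
    # "Success", "Failure", "Success and Failure" or "No Auditing".
    $report = auditpol.exe /get /subcategory:"$subcategory" /r |
        Where-Object { $_.Trim() }      # drop blank lines in the report
    ($report | ConvertFrom-Csv).'Inclusion Setting'
}

function Get-DsAccessEventSummary {
    param([int]$Hours = 1)
    $filter = @{
        LogName   = 'Security'
        Id        = 4662                # "An operation was performed on an object"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches, so silence it here
    # and let the caller handle an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object { $_.KeywordsDisplayNames -join ', ' } |
        Select-Object Count, Name
}

$setting = Get-DsAccessAuditSetting
Write-Output "Effective setting for '$subcategory': $setting"

if ($setting -eq 'No Auditing') {
    # The policy has not applied yet, or another policy overrides it.
    Write-Warning 'Auditing is not in effect on this domain controller.'
}
else {
    $summary = Get-DsAccessEventSummary -Hours 1
    if ($summary) {
        $summary | Format-Table -AutoSize   # counts of Audit Success / Audit Failure
    }
    else {
        # Events are written only for objects whose SACL has audit entries.
        Write-Output 'No event 4662 entries in the last hour.'
    }
}
```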
You can use Event Viewer to view the resulting entries in the Security log. Because domain
controllers poll for policy changes every 5 minutes, the policy change might
take as long as 5 minutes to take effect. Other domain controllers in the
enterprise receive the changes after the 5-minute interval, plus replication