LOGbinder Support


7. Audit Policy for Active Directory Changes


RandyFranklinSmith
How To

Here is the minimum audit policy that must be enabled on domain controllers to generate all of the events included by the “Builtin - Security: Active Directory Changes” managed filter, and that the Splunk App for LOGbinder needs if you are using it.

In the Default Domain Controllers Policy GPO, make the following changes:

Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Policy: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
Setting: Enabled

Path: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration
Policies:
  Security System Extension
  Authorization Policy Change
  Authentication Policy Change
  Audit Policy Change
  User Account Management
  Security Group Management
  Other Account Management Events
  Other Policy Change Events
  Directory Service Replication
  Directory Service Changes
Setting: Success

(It's OK to include Failure, but most of these categories don't log any failures.)
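The following script is an added verification example, not part of the LOGbinder article: run it in an elevated PowerShell session on a domain controller after the GPO has applied, and it reports whether the override setting above is in effect and whether each of the ten subcategories is actually auditing Success. It assumes the registry value the "Force audit policy subcategory settings" option writes (SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and the CSV column names that auditpol.exe /r emits.

```powershell
# Added example (not the article's or LOGbinder's own code): check the effective
# audit policy on a DC against the subcategories the article requires.
# Must run elevated; auditpol refuses to read policy otherwise.

$RequiredSubcategories = @(
    'Security System Extension',
    'Authorization Policy Change',
    'Authentication Policy Change',
    'Audit Policy Change',
    'User Account Management',
    'Security Group Management',
    'Other Account Management Events',
    'Other Policy Change Events',
    'Directory Service Replication',
    'Directory Service Changes'
)

# 1. Confirm subcategory settings override the legacy category settings.
#    The GPO option "Audit: Force audit policy subcategory settings (Windows
#    Vista or later) to override audit policy category settings" sets this
#    value to 1 (assumed mapping; verify on your build if in doubt).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Output 'OK   SCENoApplyLegacyAuditPolicy = 1 (subcategory settings take effect)'
} else {
    Write-Output 'FAIL SCENoApplyLegacyAuditPolicy is not 1; category policy may override the subcategories'
}

# 2. Read the effective policy as CSV (/r) and check every required
#    subcategory includes Success. Failure is optional, as the article notes.
#    Assumed /r columns: Machine Name, Policy Target, Subcategory,
#    Subcategory GUID, Inclusion Setting, Exclusion Setting.
$effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv
foreach ($name in $RequiredSubcategories) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Output "FAIL $name : not reported by auditpol"
    } elseif ($row.'Inclusion Setting' -match 'Success') {
        Write-Output "OK   $name : $($row.'Inclusion Setting')"
    } else {
        Write-Output "FAIL $name : $($row.'Inclusion Setting') (needs Success)"
    }
}
```

If any line reports FAIL, run gpupdate /force on the DC and re-check before assuming the GPO itself is wrong, since the Default Domain Controllers Policy may simply not have refreshed yet.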

You still need to configure other group policy settings to ensure your domain controllers connect to your collector and that WinRM can access the Security Log. See
