How to Configure Windows Server 2016 Active Directory Auditing
Active Directory auditing is a critical security practice that allows administrators to track changes and access events within a Windows Server 2016 domain environment. By enabling and configuring audit policies, you can log who made changes to user accounts, group memberships, Group Policy Objects, and other directory objects. This visibility is essential for compliance, incident response, and maintaining the integrity of your Active Directory infrastructure.
Before configuring auditing, it is important to understand the two layers involved: the Advanced Audit Policy Configuration settings and the System Access Control Lists (SACLs) on Active Directory objects. Audit policies define what categories of events are logged, while SACLs define which specific objects trigger those log entries when accessed or modified.
Step 1: Enable Advanced Audit Policy via Group Policy
The recommended approach for configuring auditing in Windows Server 2016 is to use the Advanced Audit Policy Configuration settings found in Group Policy. These provide more granular control than the legacy audit policies.
Open the Group Policy Management Console (GPMC) on your domain controller. Right-click the Default Domain Controllers Policy or create a new GPO linked to the Domain Controllers OU, then click Edit.
Navigate to the following path in the Group Policy Object Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
Here you will find several audit subcategories. For comprehensive Active Directory auditing, enable the key subcategories described in Steps 2 through 5.
Step 2: Configure Account Management Auditing
Under the Account Management node, enable auditing for user account, computer account, and security group changes. These settings capture events such as account creation, deletion, password resets, and group membership changes.
Audit User Account Management: Success, Failure
Audit Computer Account Management: Success, Failure
Audit Security Group Management: Success, Failure
Audit Distribution Group Management: Success, Failure
Step 3: Configure DS Access Auditing
The DS Access category is specifically designed for Active Directory object auditing. It captures changes to directory service objects and replication events.
Audit Directory Service Access: Success, Failure
Audit Directory Service Changes: Success, Failure
Audit Directory Service Replication: Success
Audit Detailed Directory Service Replication: Success
Step 4: Configure Logon and Account Logon Auditing
Tracking authentication events is fundamental to understanding who is accessing the domain. Enable these subcategories under the Logon/Logoff and Account Logon categories:
Audit Logon: Success, Failure
Audit Logoff: Success
Audit Account Lockout: Success, Failure
Audit Kerberos Authentication Service: Success, Failure
Audit Kerberos Service Ticket Operations: Success, Failure
Step 5: Configure Policy Change Auditing
Policy changes, including modifications to audit policies themselves and changes to authentication policies, should be tracked to detect unauthorized configuration alterations.
Audit Audit Policy Change: Success, Failure
Audit Authentication Policy Change: Success
Audit Authorization Policy Change: Success
Step 6: Apply SACLs to Active Directory Objects
Audit policies define the categories to log, but SACLs on the objects determine when the log entries are actually generated. To apply SACLs to all user objects in the domain, use ADSI Edit or the Active Directory Users and Computers console with Advanced Features enabled.
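The same SACL can be applied from PowerShell instead of clicking through ADSI Edit. The script below is an added example, not part of the original article: it adds an audit entry on the domain root that records successful property writes by anyone (Everyone, S-1-1-0) and inherits only to user objects, then confirms the entry is present. It assumes the ActiveDirectory module is available and that the caller holds the "Manage auditing and security log" right. Auditing WriteProperty is my choice for illustration; the article does not prescribe which rights to audit, so adjust it to the changes you need to see.

```powershell
# Added example: apply the Step 6 SACL with PowerShell rather than ADSI Edit.
# Assumes the ActiveDirectory module and SeSecurityPrivilege on the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$adPath   = "AD:\$domainDN"

# Resolve the schemaIDGUID of the 'user' class so the rule inherits only to user objects.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# WriteProperty is an assumed choice for the example; widen it (Delete, ExtendedRight, ...) as required.
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# -Audit is required so Get-Acl returns the SACL and not only the DACL.
$acl = Get-Acl -Path $adPath -Audit

# Idempotency check: do not stack a duplicate entry on every run.
$existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $everyone -and
        $_.InheritedObjectType -eq $userGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }

if ($existing) {
    Write-Host "Audit rule already present on $domainDN; nothing to do."
} else {
    $acl.AddAuditRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Audit rule added to $domainDN."
}

# Confirm: list the explicit audit entries that now target user objects.
(Get-Acl -Path $adPath -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.InheritedObjectType -eq $userGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

Because the entry is written once on the domain root with inheritance to descendant user objects, new accounts created later are covered without revisiting the SACL. Remember that the entry only produces events on domain controllers where the Directory Service Changes subcategory from Step 3 is enabled.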
To verify the audit policy currently in effect on a domain controller, use the built-in auditpol command-line tool:
auditpol /get /category:*
To set a specific subcategory from the command line:
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
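Checking sixteen subcategories by eye in auditpol output is error-prone, and a Group Policy change can silently revert one. The script below is an added example, not from the original article: it parses the CSV form of auditpol /get /category:* /r and compares each subcategory against the settings recommended in Steps 2 through 5, reporting any gap. It assumes it runs elevated on the domain controller being checked.

```powershell
# Added example: compare the effective audit policy on this DC with the Step 2-5 recommendations.
# Assumes an elevated session on the domain controller.

$Recommended = [ordered]@{
    'User Account Management'                = 'Success and Failure'
    'Computer Account Management'            = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'Distribution Group Management'          = 'Success and Failure'
    'Directory Service Access'               = 'Success and Failure'
    'Directory Service Changes'              = 'Success and Failure'
    'Directory Service Replication'          = 'Success'
    'Detailed Directory Service Replication' = 'Success'
    'Logon'                                  = 'Success and Failure'
    'Logoff'                                 = 'Success'
    'Account Lockout'                        = 'Success and Failure'
    'Kerberos Authentication Service'        = 'Success and Failure'
    'Kerberos Service Ticket Operations'     = 'Success and Failure'
    'Audit Policy Change'                    = 'Success and Failure'
    'Authentication Policy Change'           = 'Success'
    'Authorization Policy Change'            = 'Success'
}

function Test-AuditSetting {
    # $true when the effective setting covers everything the recommendation asks for.
    param([string]$Effective, [string]$Required)
    switch ($Required) {
        'Success and Failure' { return $Effective -eq 'Success and Failure' }
        'Success'             { return $Effective -in 'Success', 'Success and Failure' }
        'Failure'             { return $Effective -in 'Failure', 'Success and Failure' }
    }
    return $false
}

function Get-AuditPolicyGaps {
    # The /r switch emits CSV (with a leading blank line); drop empty lines before parsing.
    $effective = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $Recommended.Keys) {
        $row = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $current = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Recommended[$name]
            Effective   = $current
            Compliant   = Test-AuditSetting -Effective $current -Required $Recommended[$name]
        }
    }
}

$report = Get-AuditPolicyGaps
$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) subcategories do not match the recommended settings."
    exit 1
}
```

Running this after each Group Policy change, or on a schedule, catches the common failure where a legacy audit policy or a conflicting GPO overrides the advanced settings. A non-zero exit code makes it usable from a scheduled task or configuration check.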
Step 7: Enable Auditing on the Default Domain Controllers Policy
After configuring the advanced audit policy, force a Group Policy refresh on your domain controllers to apply the settings immediately:
gpupdate /force
Verify the policy was applied correctly by running:
gpresult /r /scope computer
Step 8: Review Audit Logs in Event Viewer
All audited events are written to the Security event log on the domain controller that processed the event. Open Event Viewer and navigate to Windows Logs > Security. Key event IDs to monitor include:
Event ID 4720 - A user account was created
Event ID 4726 - A user account was deleted
Event ID 4740 - A user account was locked out
Event ID 4756 - A member was added to a security-enabled universal group
Event ID 5136 - A directory service object was modified
Event ID 5141 - A directory service object was deleted
Step 9: Use PowerShell to Query Audit Events
PowerShell provides a powerful way to filter and export Security event log entries. To retrieve all directory service change events from the past 24 hours:
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message | Format-List
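The Message text is readable but awkward to filter or export. The script below is an added example, not from the original article: it pulls the Step 8 event IDs from the last 24 hours, flattens each event's EventData block into named properties, and decodes the 5136 operation type so the output shows who changed which attribute on which object. The field names used (ObjectDN, AttributeLDAPDisplayName, TargetUserName, MemberName) are the ones these Security events carry; the 24-hour window and the CSV path are assumptions for the example.

```powershell
# Added example: flatten the Step 8 audit events into structured records for triage or export.
# Assumes it runs on, or can reach, a domain controller; defaults to the local machine.

function ConvertFrom-SecurityEvent {
    # Turns an EventRecord into a flat object with one property per <Data Name="..."> element.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Computer    = $Event.MachineName
        }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$data
    }
}

function Get-AdAuditActivity {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int[]]$Id = @(4720, 4726, 4740, 4756, 5136, 5141)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent throws when nothing matches; treat that as an empty result, not an error.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $flat = $e | ConvertFrom-SecurityEvent
        # 5136 reports OperationType as a resource string id: %%14674 = value added, %%14675 = value deleted.
        $operation = switch ($flat.OperationType) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $null }
        }
        [pscustomobject]@{
            TimeCreated = $flat.TimeCreated
            Id          = $flat.Id
            Subject     = if ($flat.SubjectDomainName) { "$($flat.SubjectDomainName)\$($flat.SubjectUserName)" } else { $flat.SubjectUserName }
            # Directory service events (5136/5141) name the object by DN; account events use TargetUserName.
            Object      = if ($flat.ObjectDN) { $flat.ObjectDN } else { $flat.TargetUserName }
            Member      = $flat.MemberName          # populated for group membership events such as 4756
            Attribute   = $flat.AttributeLDAPDisplayName
            Operation   = $operation
            Value       = $flat.AttributeValue
        }
    }
}

# Usage: summarise the last 24 hours and keep a CSV copy for the SIEM or an investigation.
$activity = Get-AdAuditActivity
$activity | Sort-Object TimeCreated | Format-Table -AutoSize
$activity | Export-Csv -Path "$env:TEMP\ad-audit-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```

Because each domain controller only logs the changes it processed itself, run this against every DC (or rely on the central collection described in Step 10) to get a complete picture of a change.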
Step 10: Configure Log Retention and Archiving
Active Directory auditing generates significant log volume. Ensure your Security event log is large enough to retain meaningful history. In Event Viewer, right-click the Security log, select Properties, and set the maximum log size to at least 1 GB for busy domain controllers. Configure log archiving to a central SIEM or log management system for long-term retention.
wevtutil sl Security /ms:1073741824
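A large maximum size is only useful if it actually buys enough history on a given domain controller. The script below is an added example, not from the original article: it reports the configured maximum, the current file size and how many days of events the Security log holds, grows the log to the 1 GB from Step 10 if it is smaller, and warns when coverage is short. The 1 GB and 7-day thresholds are assumptions for illustration; set them to your retention requirement.

```powershell
# Added example: measure the real retention of the local Security log and enforce the Step 10 size.
# Thresholds (1 GB, 7 days) are assumed values for the example. Runs against the local DC.

function Get-SecurityLogCoverage {
    param([long]$MinimumBytes = 1GB, [int]$MinimumDays = 7)
    $log = Get-WinEvent -ListLog Security
    # The oldest surviving record tells you how far back an investigation can currently reach.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $coverageDays = if ($oldest) { ((Get-Date) - $oldest.TimeCreated).TotalDays } else { 0 }
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        FileSizeMB    = [math]::Round($log.FileSize / 1MB)
        RecordCount   = $log.RecordCount
        OldestEvent   = if ($oldest) { $oldest.TimeCreated } else { $null }
        CoverageDays  = [math]::Round($coverageDays, 1)
        SizeOk        = $log.MaximumSizeInBytes -ge $MinimumBytes
        CoverageOk    = $coverageDays -ge $MinimumDays
    }
}

$status = Get-SecurityLogCoverage
$status | Format-List

if (-not $status.SizeOk) {
    # Same setting as the wevtutil command above, applied only when the log is below 1 GB.
    wevtutil sl Security /ms:1073741824
    Write-Host "Security log maximum size raised to 1 GB."
}
if (-not $status.CoverageOk) {
    Write-Warning "Security log holds only $($status.CoverageDays) days of events; raise the size or forward the log before events roll off."
}
```

A short coverage figure on a log that is already at its maximum size means events are being overwritten faster than you can review them, which is exactly the situation in which forwarding to a SIEM stops being optional.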
Active Directory auditing in Windows Server 2016 provides the visibility needed to detect unauthorized changes, investigate security incidents, and meet compliance requirements. By combining advanced audit policies with proper SACL configuration and log management, you establish a robust audit trail for your entire directory environment.