Introduction to Active Directory Auditing
Active Directory is the authentication and authorization backbone of most Windows enterprise environments. Any changes to AD objects—user creations, group membership changes, permission modifications, login failures—can indicate insider threats, compromised accounts, or misconfigurations. Windows Server 2019 provides granular auditing capabilities through Advanced Audit Policy that let you capture exactly what changed, who changed it, when, and from where. This tutorial covers configuring a comprehensive AD audit policy using Group Policy and PowerShell, and explains how to view the resulting events in the Security event log.
Understanding Audit Policy vs Advanced Audit Policy
Windows has two audit configuration mechanisms. The legacy Audit Policy under Security Settings > Local Policies > Audit Policy provides nine broad categories. The newer Advanced Audit Policy Configuration under Security Settings > Advanced Audit Policy Configuration provides 53 granular subcategories. Always use Advanced Audit Policy on Windows Server 2019—it is more precise and the legacy categories can conflict with advanced settings. When both are configured, Advanced Audit Policy takes precedence.
auditpol /get /category:*
This command shows all current audit policy settings and whether they are configured for success, failure, both, or no auditing.
Audit Categories Relevant to Active Directory
For comprehensive Active Directory auditing, focus on these Advanced Audit Policy subcategories: Account Management (User Account Management, Computer Account Management, Security Group Management, Distribution Group Management), DS Access (Directory Service Changes, Directory Service Access, Directory Service Replication), Account Logon (Kerberos Authentication Service, Credential Validation), and Logon/Logoff (Logon, Logoff, Account Lockout, Special Logon).
Configuring Audit Policy via Group Policy
Create a dedicated GPO for domain controller auditing and link it to the Domain Controllers OU. Open Group Policy Management, right-click the Domain Controllers OU, and click Create a GPO in this domain and link it here. Name it “DC-Audit-Policy” and edit it. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
gpmc.msc
Configuring Account Management Auditing
Under Audit Policies > Account Management, enable auditing for all subcategories. For each subcategory, double-click, check Configure the following audit events, and enable both Success and Failure where applicable.
Key subcategories and their Windows Event IDs: User Account Management (4720 user created, 4722 enabled, 4723 password change attempt, 4724 password reset, 4725 disabled, 4726 deleted, 4738 changed), Security Group Management (4727 group created, 4728 member added, 4729 member removed, 4730 group deleted), Computer Account Management (4741 computer created, 4742 computer changed, 4743 computer deleted).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
Configuring Directory Service Auditing
Directory Service Changes (Event ID 5136) is the most important subcategory for AD auditing. It captures every attribute-level change to AD objects, recording the old value and new value. Without this, you know that a change occurred but not what was changed. Enable Directory Service Changes for Success auditing.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:enable /failure:enable
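A point worth seeing in code: a single attribute modification is written to the Security log as two 5136 events that share an OpCorrelationID, one with OperationType %%14675 (Value Deleted, the old value) and one with %%14674 (Value Added, the new value). The function below is an added example, not code from the original tutorial, and folds such pairs into one before/after record. It takes the raw event XML that Get-WinEvent's ToXml() returns, so it can be exercised offline on the constructed sample at the bottom (placeholder domain, names and correlation id).

```powershell
# Added example (not from the original tutorial): merge paired 5136 events into
# one before/after record per OpCorrelationID + object + attribute.
function Merge-DirectoryServiceChange {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $changes = [ordered]@{}
    foreach ($raw in $EventXml) {
        $xml = [xml]$raw
        if ([int]$xml.Event.System.EventID -ne 5136) { continue }
        # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $key = '{0}|{1}|{2}' -f $d.OpCorrelationID, $d.ObjectDN, $d.AttributeLDAPDisplayName
        if (-not $changes.Contains($key)) {
            $changes[$key] = [PSCustomObject]@{
                Time      = [datetime]$xml.Event.System.TimeCreated.SystemTime
                Actor     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                ObjectDN  = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                OldValue  = $null
                NewValue  = $null
            }
        }
        switch ($d.OperationType) {
            '%%14675' { $changes[$key].OldValue = $d.AttributeValue }   # Value Deleted
            '%%14674' { $changes[$key].NewValue = $d.AttributeValue }   # Value Added
        }
    }
    $changes.Values
}

# Constructed sample (placeholder DN, names, correlation id): jdoe changed
# userAccountControl on Alice's account from 512 (normal) to 514 (disabled).
$valueDeleted = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-05-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="OpCorrelationID">{0e7d7d6f-0000-4000-8000-000000000001}</Data>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=Alice,OU=Staff,DC=corp,DC=example</Data>
    <Data Name="AttributeLDAPDisplayName">userAccountControl</Data>
    <Data Name="AttributeValue">512</Data>
    <Data Name="OperationType">%%14675</Data>
  </EventData>
</Event>
'@
# The matching "Value Added" event differs only in value and operation type
$valueAdded = $valueDeleted -replace '>512<', '>514<' -replace '%%14675', '%%14674'

Merge-DirectoryServiceChange -EventXml @($valueDeleted, $valueAdded) | Format-List

# Against a live domain controller (needs Success auditing on Directory Service
# Changes and a SACL on the objects; see the SACL section of this tutorial):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { $_.ToXml() }
# Merge-DirectoryServiceChange -EventXml $live | Format-Table -AutoSize
```

Keying on OpCorrelationID rather than on timestamp is what keeps the pairing correct when several administrators change objects at the same second; a multi-valued attribute such as member produces a record with only one side filled in, which is the expected shape for an add or a remove.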
Configuring Logon and Account Logon Auditing
Account lockouts (Event 4740) and failed logons (Event 4625) are critical for detecting brute-force attacks and identifying locked accounts. Successful logons (Event 4624) combined with Kerberos ticket requests (Events 4768 and 4769) provide a complete picture of authentication activity.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Enabling Object-Level SACL Auditing for AD Objects
Configuring the audit policy is necessary but not sufficient for Directory Service Access and Change events. You must also configure System Access Control Lists (SACLs) on the AD objects you want to audit. Without SACLs on the objects, the policy setting has no effect. Use ADSI Edit or Active Directory Users and Computers to set SACLs.
To enable auditing on the entire domain for all objects, use ADSI Edit to connect to the Default Naming Context. Right-click your domain object, select Properties, Security tab, Advanced, then the Auditing tab. Add the “Everyone” principal and select “This object and all descendant objects” scope. Check “Write all properties” and “Delete” under both Successful and Failed operations.
adsiedit.msc
Alternatively, use the Set-Acl PowerShell cmdlet with the AD: PSDrive to set SACLs programmatically on specific OUs.
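The Set-Acl route written out, as an added example that is not code from the original tutorial: it applies the same audit entry the ADSI Edit steps describe (Everyone, Write all properties and Delete, Success and Failure, this object and all descendants) to one OU through the AD: PSDrive, and skips the change if an identical entry is already present so it can be re-run safely. It assumes the ActiveDirectory module from RSAT is installed and that the session holds the "Manage auditing and security log" right (SeSecurityPrivilege), which reading and writing SACLs requires; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original tutorial): set a SACL on an OU with Set-Acl.
Import-Module ActiveDirectory

function Add-AdAuditRule {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # e.g. 'OU=Staff,DC=corp,DC=example' (placeholder)
        [string]$IdentitySid = 'S-1-1-0'                    # well-known SID for Everyone
    )
    $path = "AD:\$DistinguishedName"
    # -Audit is required, otherwise Get-Acl returns the DACL only and Set-Acl would not touch the SACL
    $acl = Get-Acl -Path $path -Audit

    $identity    = [System.Security.Principal.SecurityIdentifier]$IdentitySid
    $rights      = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete'   # "Write all properties" + "Delete"
    $flags       = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All       # this object and all descendants

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $identity, $rights, $flags, $inheritance

    # Idempotency check: only explicit (non-inherited) entries on this object are compared
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $identity -and
            $_.ActiveDirectoryRights -eq $rights -and
            $_.AuditFlags -eq $flags -and
            $_.InheritanceType -eq $inheritance
        }
    if ($existing) {
        Write-Verbose "Matching audit rule already present on $DistinguishedName"
        return
    }

    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholder OU): Add-AdAuditRule -DistinguishedName 'OU=Staff,DC=corp,DC=example' -Verbose
```

Targeting an OU rather than the domain root is the usual way to keep Directory Service Changes volume manageable: audit the OUs that hold privileged accounts and groups first, then widen the scope once the log size and SIEM ingestion are known to cope.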
Configuring the Security Event Log Size
Active Directory auditing generates substantial event log volume. Increase the Security event log maximum size on all domain controllers. A minimum of 1 GB is recommended; 4 GB or more is better for environments with detailed auditing. Configure this through Group Policy or directly.
wevtutil sl Security /ms:4294967296
That sets the Security log to 4 GB (4,294,967,296 bytes). Also configure the log retention policy to Overwrite as needed or Archive log when full to ensure no events are lost.
In Group Policy, set this at Computer Configuration > Policies > Windows Settings > Security Settings > Event Log > Maximum security log size and Retention method for security log.
Querying Audit Events with PowerShell
Use Get-WinEvent to search the Security event log for specific audit events. The following examples show how to find recent user creation events and failed logon attempts.
# Find all user account creations in the last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Message | Format-List

# Find all failed logon attempts in the last hour, reading fields from the event
# XML (EventData names are stable, while the Message text is locale-dependent)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-1)
} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time            = $_.TimeCreated
        TargetAccount   = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        WorkstationName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'} | Select-Object -ExpandProperty '#text'
        # FailureReason is a resource string id such as %%2313; the resolved text is in the Message property
        FailureReason   = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'FailureReason'} | Select-Object -ExpandProperty '#text'
    }
}
Monitoring Group Membership Changes
Event ID 4728 indicates a member was added to a security-enabled global group, 4732 to a security-enabled local group, and 4756 to a security-enabled universal group; the corresponding removals are 4729, 4733 and 4757. Monitoring Domain Admins and other privileged group changes is a critical security control.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(4728, 4729, 4732, 4733, 4756, 4757)
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-List
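Two detections built on the queries in this section and the previous one, as an added example that is not code from the original tutorial: Select-PrivilegedGroupChange keeps only membership events whose target group is in a privileged list, and Find-FailedLogonBurst counts 4625 events per source and distinguishes many attempts on few accounts from few attempts across many accounts. Both take raw event XML (what Get-WinEvent's ToXml() returns) so they run offline on the constructed samples at the bottom; the group list, thresholds, names and addresses are assumptions.

```powershell
# Added example (not from the original tutorial): detections over group-change and failed-logon events.
function Get-EventDataMap {
    # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name
    param([Parameter(Mandatory)][xml]$Xml)
    $map = @{}
    foreach ($n in $Xml.Event.EventData.Data) { $map[$n.Name] = $n.'#text' }
    $map
}

function Select-PrivilegedGroupChange {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        # Assumed list; extend with the privileged groups of your own domain
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators')
    )
    foreach ($raw in $EventXml) {
        $xml = [xml]$raw
        $id  = [int]$xml.Event.System.EventID
        if ($id -notin 4728, 4729, 4732, 4733, 4756, 4757) { continue }
        $d = Get-EventDataMap $xml
        # In these events TargetUserName is the group; MemberName is the DN of the account
        if ($d.TargetUserName -notin $PrivilegedGroups) { continue }
        $action = if ($id -in 4728, 4732, 4756) { 'MemberAdded' } else { 'MemberRemoved' }
        [PSCustomObject]@{
            Time   = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Action = $action
            Group  = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Member = $d.MemberName
            Actor  = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        }
    }
}

function Find-FailedLogonBurst {
    param([Parameter(Mandatory)][string[]]$EventXml, [int]$Threshold = 10)
    $rows = foreach ($raw in $EventXml) {
        $xml = [xml]$raw
        if ([int]$xml.Event.System.EventID -ne 4625) { continue }
        $d = Get-EventDataMap $xml
        # IpAddress is '-' for logons with no network source; fall back to the workstation name
        $source = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
        [PSCustomObject]@{ Source = $source; Account = $d.TargetUserName; SubStatus = $d.SubStatus }
    }
    $rows | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        # Heuristic: attempts spread over many accounts look like spraying, repeated attempts on few accounts like brute force
        $pattern  = if ($accounts.Count -ge [math]::Max(5, $_.Count / 2)) { 'spray-like' } else { 'brute-force-like' }
        [PSCustomObject]@{
            Source           = $_.Name
            Attempts         = $_.Count
            DistinctAccounts = $accounts.Count
            Pattern          = $pattern
            OverThreshold    = ($_.Count -ge $Threshold)
        }
    }
}

# Constructed samples (placeholder domain, names and address): one privileged and
# one ordinary group addition, plus a dozen failed logons from a single address.
$groupEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-01T11:00:00.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=Bob,OU=Staff,DC=corp,DC=example</Data>
    <Data Name="TargetUserName">GROUPNAME</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
$failedLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-05-01T11:05:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">ACCOUNT</Data><Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">203.0.113.7</Data><Data Name="SubStatus">0xc000006a</Data>
  </EventData>
</Event>
'@
$samples = @(
    $groupEvent -replace 'GROUPNAME', 'Domain Admins'
    $groupEvent -replace 'GROUPNAME', 'Helpdesk'
)
$samples += (1..12 | ForEach-Object { $failedLogon -replace 'ACCOUNT', "user$_" })

Select-PrivilegedGroupChange -EventXml $samples | Format-List
Find-FailedLogonBurst -EventXml $samples -Threshold 10 | Format-Table -AutoSize

# Live use: feed the XML of the Get-WinEvent queries above, e.g.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(4625, 4728, 4732, 4756); StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { $_.ToXml() }
```

Filtering on the TargetUserName field rather than on the Message text is deliberate: the group name is an exact match against EventData, so a renamed or localized message template does not silently break the alert.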
Verifying Audit Policy is Applied
After applying Group Policy, force a refresh on domain controllers and verify the audit settings took effect using auditpol. The output should show Success and Failure configured for each subcategory you enabled.
gpupdate /force
auditpol /get /category:"Account Management","DS Access","Logon/Logoff","Account Logon"
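A scripted version of this verification step, as an added example that is not code from the original tutorial: it reads the effective policy with auditpol's CSV output (the /r switch), compares every subcategory this tutorial enables against the expected setting, and also checks the Security log size and retention mode configured earlier. It assumes an English-locale domain controller, since auditpol prints subcategory names in the system language, and a 4 GB target for the log.

```powershell
# Added example (not from the original tutorial): report audit-policy and Security-log drift.

# Expected settings, taken from the auditpol commands in this tutorial
$Baseline = @{
    'User Account Management'                = 'Success and Failure'
    'Computer Account Management'            = 'Success and Failure'
    'Security Group Management'              = 'Success and Failure'
    'Distribution Group Management'          = 'Success and Failure'
    'Directory Service Changes'              = 'Success'
    'Directory Service Access'               = 'Success and Failure'
    'Directory Service Replication'          = 'Success and Failure'
    'Detailed Directory Service Replication' = 'Success and Failure'
    'Logon'                                  = 'Success and Failure'
    'Logoff'                                 = 'Success'
    'Account Lockout'                        = 'Success and Failure'
    'Special Logon'                          = 'Success'
    'Kerberos Authentication Service'        = 'Success and Failure'
    'Kerberos Service Ticket Operations'     = 'Success and Failure'
    'Credential Validation'                  = 'Success and Failure'
}

function Test-AuditBaseline {
    param([hashtable]$Expected = $Baseline)
    # /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $row    = $effective | Where-Object Subcategory -eq $name
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
        [PSCustomObject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

function Test-SecurityLogConfig {
    param([long]$MinimumBytes = 4GB)   # assumed target; the tutorial recommends 1 GB minimum, 4 GB or more preferred
    $log = Get-WinEvent -ListLog Security
    [PSCustomObject]@{
        MaximumSizeInBytes = $log.MaximumSizeInBytes
        LogMode            = $log.LogMode   # Circular = overwrite as needed, AutoBackup = archive when full
        SizeOk             = ($log.MaximumSizeInBytes -ge $MinimumBytes)
        RetentionOk        = ($log.LogMode -in @('Circular', 'AutoBackup'))
    }
}

Test-AuditBaseline | Format-Table -AutoSize
Test-AuditBaseline | Where-Object { -not $_.Compliant }   # empty output means the policy matches
Test-SecurityLogConfig
```

Running this from a scheduled task on each domain controller, and shipping the non-compliant rows to the SIEM, turns a one-time check into ongoing drift detection for the audit configuration itself.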
Conclusion
A well-configured Active Directory audit policy is your primary tool for detecting security incidents, investigating breaches, and demonstrating compliance with standards like PCI DSS, HIPAA, and SOC 2. Windows Server 2019’s Advanced Audit Policy Configuration provides the granularity needed to capture meaningful events without overwhelming noise. Pair the audit configuration with a centralized SIEM solution to aggregate logs from all domain controllers and generate alerts on high-value events such as Domain Admin group changes and mass account lockouts.