How to Configure Active Directory Auditing on Windows Server 2012 R2
Active Directory auditing provides visibility into who is making changes to directory objects, when those changes occur, and what the values were before and after the change. Comprehensive AD auditing is essential for security compliance, forensic investigation, and change management. Windows Server 2012 R2 includes advanced audit policy subcategories, Directory Services change auditing, and the ability to capture old and new values for modified attributes — features far more granular than the legacy basic audit policies available in earlier Windows versions. This guide covers configuring complete AD auditing through Group Policy and verifying audit event generation.
Prerequisites
Auditing configuration requires Domain Admin or Group Policy creator rights. The Advanced Audit Policy Configuration settings require Windows Server 2008 R2 or later domain controllers. Ensure the Security event log size is configured large enough to retain sufficient audit history before audit policies are enabled. You should also consider a Security Information and Event Management (SIEM) solution to aggregate and retain logs long-term.
# Load the GroupPolicy module (installed with the GPMC / RSAT feature) used by the New-GPO and New-GPLink commands below
Import-Module GroupPolicy
Understanding Audit Policy Subcategories
Windows Server 2012 R2 uses Advanced Audit Policy Configuration, which provides 53 specific subcategories versus the 9 basic categories. For Active Directory auditing, the key subcategories are:
Audit Directory Service Access generates events when an AD object is accessed. Audit Directory Service Changes generates events when an AD object is created, modified, moved, or deleted — crucially, this subcategory captures old and new values. Audit Directory Service Replication audits replication events. Account Logon subcategories (Kerberos Authentication Service, Kerberos Service Ticket Operations) audit authentication events. Account Management subcategories audit user, group, and computer account changes.
Configuring Advanced Audit Policies via GPO
Create a dedicated GPO for Domain Controller audit policy and link it to the Domain Controllers OU:
# Create and link the audit GPO to Domain Controllers OU
New-GPO -Name "DC-AdvancedAuditPolicy" -Domain "contoso.com"
New-GPLink -Name "DC-AdvancedAuditPolicy" `
-Target "OU=Domain Controllers,DC=contoso,DC=com" `
-Enforced Yes `
-Order 1
In the Group Policy Object Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Configure the following subcategories:
Under Account Logon: Audit Kerberos Authentication Service (Success, Failure), Audit Kerberos Service Ticket Operations (Success, Failure). Under Account Management: Audit Computer Account Management (Success, Failure), Audit Distribution Group Management (Success, Failure), Audit Other Account Management Events (Success, Failure), Audit Security Group Management (Success, Failure), Audit User Account Management (Success, Failure). Under DS Access: Audit Directory Service Access (Success, Failure), Audit Directory Service Changes (Success), Audit Directory Service Replication (Failure).
These settings can also be applied with auditpol.exe, either from an elevated prompt on each domain controller or from a startup script deployed by the GPO:
# Configure advanced audit policy subcategories
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
# Verify current audit policy settings
auditpol /get /category:*
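The auditpol /get output above is long; a compliance check that compares the effective policy against the required subcategories is easier to review. This is an added example, not part of the original guide: it relies on auditpol's /r switch (CSV report format) and must run elevated on the domain controller.

```powershell
# Required subcategories (matching the auditpol /set commands above) and the minimum setting each needs.
$required = @{
    "Kerberos Authentication Service"    = "Success and Failure"
    "Kerberos Service Ticket Operations" = "Success and Failure"
    "User Account Management"            = "Success and Failure"
    "Security Group Management"          = "Success and Failure"
    "Computer Account Management"        = "Success and Failure"
    "Directory Service Access"           = "Success and Failure"
    "Directory Service Changes"          = "Success"
    "Logon"                              = "Success and Failure"
    "Account Lockout"                    = "Success and Failure"
    "Special Logon"                      = "Success"
}

function Test-AuditPolicy {
    param([hashtable]$Required = $required)
    # /r prints the effective policy as CSV with an "Inclusion Setting" column
    # ("No Auditing", "Success", "Failure" or "Success and Failure").
    $effective = auditpol /get /category:* /r | ConvertFrom-Csv
    foreach ($name in $Required.Keys) {
        $row    = $effective | Where-Object { $_.Subcategory.Trim() -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting'.Trim() } else { "Not found" }
        # "Success and Failure" also satisfies a requirement of only "Success".
        $ok = ($actual -eq $Required[$name]) -or ($actual -eq "Success and Failure")
        [PSCustomObject]@{
            Subcategory = $name
            Required    = $Required[$name]
            Actual      = $actual
            Compliant   = $ok
        }
    }
}

# Non-compliant subcategories sort to the top.
Test-AuditPolicy | Sort-Object Compliant, Subcategory | Format-Table -AutoSize
```

Run it after the GPO has applied (gpupdate /force) rather than immediately after the auditpol /set commands, so the check reflects what Group Policy actually enforces.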
Enabling Directory Services Change Auditing on AD Objects
Even with the GPO subcategory enabled, you must also configure a System Access Control List (SACL) on the AD objects you want to audit. By default, the Default Domain Controllers Policy includes a SACL on the domain root for “Everyone” to generate Directory Service Change events. Verify this is in place:
# Check the default SACL on the domain object
# This is done via ADSI Edit or dsacls
dsacls "DC=contoso,DC=com" /A | findstr /i "audit"
To add auditing to a specific OU: dsacls /A displays audit entries but cannot add them, so set the SACL through the AD: PowerShell drive with an ActiveDirectoryAuditRule (the rights below correspond to the dsacls WP, WD, WO, CC and DC permissions):
# Enable auditing of all changes to objects in the Finance OU by all users
Import-Module ActiveDirectory
$ou  = "AD:\OU=Finance,OU=Contoso,DC=contoso,DC=com"
$acl = Get-Acl -Path $ou -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.SecurityIdentifier]"S-1-1-0",   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, Delete, WriteOwner, CreateChild, DeleteChild",
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # this object and all sub-objects
$acl.AddAuditRule($rule)
Set-Acl -Path $ou -AclObject $acl
Configuring Security Event Log Size
Increase the Security event log size on domain controllers to ensure logs are retained long enough for review:
# Set Security log maximum size to 1GB and retention to overwrite as needed
# Configure via GPO: Computer Configuration > Windows Settings > Security Settings
# > Event Log > Maximum security log size = 1048576 KB
# Or set directly on a DC (for immediate effect)
wevtutil sl Security /ms:1073741824
wevtutil sl Security /rt:false
Querying Audit Events with PowerShell
Use Get-WinEvent to query the Security event log for specific audit events:
# Find all user account creation events (Event ID 4720)
Get-WinEvent -LogName Security -FilterXPath `
"*[System[EventID=4720] and System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" |
Select-Object TimeCreated, Message |
Format-List
# Find all user account deletions (Event ID 4726)
# Filter server-side with -FilterHashtable instead of reading the whole log and filtering in Where-Object
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4726 } |
Select-Object TimeCreated, Message |
Format-List
# Find failed logon attempts (Event ID 4625)
# -LogName and -FilterHashtable belong to different parameter sets and cannot be combined;
# the log name goes inside the hashtable
Get-WinEvent -FilterHashtable @{
LogName = "Security"
Id = 4625
StartTime = (Get-Date).AddHours(-24)
} | ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
Time = $_.TimeCreated
Account = $xml.Event.EventData.Data |
Where-Object {$_.Name -eq "TargetUserName"} |
Select-Object -ExpandProperty "#text"
Source = $xml.Event.EventData.Data |
Where-Object {$_.Name -eq "IpAddress"} |
Select-Object -ExpandProperty "#text"
}
}
# Key AD audit Event IDs reference
# 4720 - User account created
# 4722 - User account enabled
# 4723 - Password change attempted
# 4724 - Password reset attempted
# 4725 - User account disabled
# 4726 - User account deleted
# 4728 - Member added to a security group
# 4729 - Member removed from a security group
# 4732 - Member added to a local group
# 4740 - User account locked out
# 4756 - Member added to a universal group
# 5136 - Directory service object was modified
# 5137 - Directory service object was created
# 5138 - Directory service object was undeleted
# 5139 - Directory service object was moved
# 5141 - Directory service object was deleted
Auditing AD Object Changes (Event 5136)
Event 5136 is written to the Security log and records the attribute, the value, and whether the value was added or removed for modified AD object attributes when Directory Service Changes auditing is enabled. Query for recent changes:
# Find all Directory Service Changes in the last hour
# 5136 lives in the Security log; -LogName cannot be combined with -FilterHashtable
Get-WinEvent -FilterHashtable @{
LogName = "Security"
Id = 5136
StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Message | Format-List
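The raw Message text is hard to review in bulk. The following added example (not part of the original guide) parses the 5136 EventData fields and pairs the two events that one attribute modification produces under a shared OpCorrelationID, so that old and new values appear side by side. It assumes the standard 5136 field names (ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID) and the resource strings %%14674 (Value Added) and %%14675 (Value Deleted).

```powershell
# OperationType is stored in the XML as a resource-string reference; map it to readable names.
$opType = @{ "%%14674" = "Value Added"; "%%14675" = "Value Deleted" }

function Get-DsChange {
    param([int]$Hours = 1)
    $filter = @{ LogName = "Security"; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Flatten the <Data Name="..."> elements into a lookup table.
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            Correlation = $d.OpCorrelationID
            Actor       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ObjectDN    = $d.ObjectDN
            Class       = $d.ObjectClass
            Attribute   = $d.AttributeLDAPDisplayName
            Operation   = $opType[$d.OperationType]
            Value       = $d.AttributeValue
        }
    }
}

# A modification of an attribute yields a "Value Deleted" event (old value) and a
# "Value Added" event (new value) with the same OpCorrelationID; group them into one row.
function Get-DsChangeSummary {
    param([int]$Hours = 1)
    Get-DsChange -Hours $Hours | Group-Object Correlation, ObjectDN, Attribute | ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        [PSCustomObject]@{
            Time      = $first.Time
            Actor     = $first.Actor
            ObjectDN  = $first.ObjectDN
            Attribute = $first.Attribute
            OldValue  = ($_.Group | Where-Object Operation -eq "Value Deleted").Value -join ";"
            NewValue  = ($_.Group | Where-Object Operation -eq "Value Added").Value -join ";"
        }
    }
}

Get-DsChangeSummary -Hours 24 | Format-Table -AutoSize
```

A row with an empty OldValue is a value that was newly added (for example a new group member); an empty NewValue is a removal.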
Summary
Comprehensive Active Directory auditing on Windows Server 2012 R2 requires configuring Advanced Audit Policy subcategories via Group Policy, ensuring SACLs are in place on AD objects, and sizing the Security event log appropriately. The combination of Directory Service Changes auditing (for before/after attribute values) and Account Management auditing (for account lifecycle events) provides a complete picture of administrative activity in the directory. Regular review of audit logs, ideally through a SIEM integration, is essential for detecting unauthorised changes, privilege escalation, and compliance reporting.