Windows Management and Scripting

A wealth of tutorials Windows Operating Systems SQL Server and Azure

How to Enable and Disable Global Audit Policy

Posted by Alin D on December 15, 2010

Active Directory Domain Services (AD DS) auditing in Windows Server 2008 has changed significantly from previous versions of Windows Server. Microsoft introduced more granular auditing capabilities in Windows Server 2008. In addition, AD DS auditing in Windows Server 2008 can be configured to log old and new values when changes to objects and their attributes are made.

Enable the Global Audit Policy

Enable the Global Audit Policy by Using the Windows Interface

To enable the global audit policy by using the Windows interface, perform the following steps:

1. Log on to a domain controller or a member computer that has Windows Server 2008 Remote Server Administration Tools (RSAT) installed.

2. Click Start, click Administrative Tools, and then click Group Policy Management.

3. In the console tree of the Group Policy Management console, expand the Forest node, expand the Domains node, expand the node for the domain in which you want to configure auditing, and then expand the Domain Controllers node.

4. Right-click the Default Domain Controllers Policy, shown in Figure 1, and click Edit.

5. In the console tree of the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node, expand the Windows Settings node, expand the Security Settings node, expand the Local Policies node, and select the Audit Policy node.

6. In the details pane, right-click Audit directory service access, shown in Figure 2, and click Properties.

Group Policy Management console


Group Policy Management Editor


7. On the Audit directory service access page, select Define these policy settings.

8. As shown in Figure 3, to audit successful directory services access attempts, select Success. To audit failed directory services access attempts, select Failed. Click OK.


9. Close the Group Policy Object Editor.

Enable the Global Audit Policy by Using the Command Line

To enable the global audit policy by using the command line, perform the following steps:

1. Log on to a domain controller.

2. Click Start, and then click Command Prompt.

3. To enable the auditing of successful attempts, in the Command Prompt window, type the following command, as shown in Figure 4, and then press Enter.

auditpol /set /category:"DS Access" /success:enable

4. To enable the auditing of failed attempts, in the Command Prompt window type the following command, as shown in Figure 4, and then press Enter.

auditpol /set /category:"DS Access" /failure:enable

Enabling the global audit policy using the command line
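
To confirm that the commands above took effect, the following added example (not part of the original post) reads the DS Access category back with auditpol /get and its /r CSV report option, then lists any subcategory that is not auditing both success and failure. The function name, the sample rows, the GUID placeholders and the DC01 host name are constructed for illustration, and the parsing assumes an English-language system.

```powershell
# Added example: report the audit state of each DS Access subcategory.
function Get-DsAccessAuditState {
    param(
        # CSV lines as produced by: auditpol /get /category:"DS Access" /r
        # When omitted, the live policy is queried (requires an elevated prompt).
        [string[]]$CsvLines = (auditpol /get /category:"DS Access" /r)
    )
    $CsvLines |
        Where-Object { $_.Trim() } |          # drop blank lines in the report
        ConvertFrom-Csv |
        ForEach-Object {
            $setting = $_.'Inclusion Setting' # e.g. "Success and Failure", "No Auditing"
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Setting     = $setting
                Success     = $setting -match 'Success'
                Failure     = $setting -match 'Failure'
            }
        }
}

# Constructed sample in the /r report layout, so the parsing can be tried offline.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Directory Service Access,{GUID-PLACEHOLDER-1},Success and Failure,
DC01,System,Directory Service Changes,{GUID-PLACEHOLDER-2},Success,
DC01,System,Directory Service Replication,{GUID-PLACEHOLDER-3},No Auditing,
'@ -split "`r?`n"

# Subcategories that are missing success auditing, failure auditing, or both.
$gaps = Get-DsAccessAuditState -CsvLines $sample |
    Where-Object { -not ($_.Success -and $_.Failure) }

if ($gaps) {
    $gaps | Format-Table Subcategory, Setting -AutoSize
} else {
    'All DS Access subcategories audit success and failure.'
}
```

On a domain controller, call Get-DsAccessAuditState with no arguments to check the live policy. Repeat the check after a Group Policy refresh, because settings defined in a GPO are reapplied over values set locally with auditpol.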


Disable the Global Audit Policy by Using the Windows Interface

To disable the global audit policy by using the Windows interface, perform the following steps:

1. Log on to a domain controller or a member computer that has Windows Server 2008 RSAT installed.

2. Click Start, click Administrative Tools, and then click Group Policy Management.

3. In the console tree of the Group Policy Management console, expand the forest node, expand the domains node, expand the node for the domain in which you want to configure auditing, and then expand the Domain Controllers node.

4. Right-click the Default Domain Controllers Policy, and click Edit.

5. In the console tree of the Group Policy Management Editor, expand the Computer Configuration node, expand the Policies node, expand the Windows Settings node, expand the Security Settings node, expand the Local Policies node, and select the Audit Policy node.

6. In the details pane, right-click Audit directory service access and click Properties.

7. On the Audit directory service access Properties page, shown in Figure 5, deselect Define these policy settings.

Audit directory service access Properties page.


8. Close the Group Policy Object Editor.

Disable the Global Audit Policy by Using the Command Line

1. Log on to a domain controller.

2. Click Start, and then click Command Prompt.

3. To disable the auditing of successful attempts, in the Command Prompt window, type the following command and then press Enter:

auditpol /set /category:"DS Access" /success:disable

4. To disable the auditing of failed attempts, in the Command Prompt window type the following command as shown in Figure 6, and then press Enter:

auditpol /set /category:"DS Access" /failure:disable

Disabling the global audit policy using the command line


5. Close the Command Prompt window.
