Enabling advanced security audit policies
As we have seen previously, for successful auditing, we need to have a SACL configured for the relevant AD objects. If there is no SACL entry, no events will be generated against that object. In order to configure the SACL, we need Domain Admin or Enterprise Admin privileges. To add a SACL entry, perform the following steps:
- Open AD Users and Computers.
- Click on View | Advanced Features.
- Right-click on the OU or the object that you'd like to enable auditing for. Then click on Properties. In my example, I am using the root container, as I wish to enable it globally.
- Click on the Security tab and then on Advanced.
- Click on the Auditing tab and then click on the Add button to add a new security principal to the SACL. In our scenario, I am using Everyone as I'd like to audit everything.
- For Type, I have selected the Success event type. Also, I've applied it to This object and all descendant...
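
The same SACL entry can be added and read back from PowerShell, which is easier to repeat and to verify than the GUI steps. This is an added example, not code from the original text; it assumes the RSAT ActiveDirectory module is installed, and the rights listed in `$rights` are an illustrative assumption rather than the selection made in the walkthrough.

```powershell
# Added example. Run elevated as a Domain Admin or Enterprise Admin.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive

# Target the domain root, as in the walkthrough. Use an OU's DN to narrow the scope.
$path = "AD:\$((Get-ADDomain).DistinguishedName)"

# Everyone, resolved from its well-known SID so the lookup works on localized systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Assumption: illustrative set of change-type rights; adjust to what you need audited.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl, WriteOwner'
$flags  = [System.Security.AccessControl.AuditFlags]::Success
$scope  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # this object and all descendants

# Returns the explicit (non-inherited) audit rules on the object, with identities as SIDs.
function Get-ExplicitAuditRule([string]$Path) {
    # -Audit is required: without it Get-Acl does not load the SACL.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
}

# Skip the write if an equivalent entry is already present, so reruns do not stack duplicates.
$existing = Get-ExplicitAuditRule $path | Where-Object {
    $_.IdentityReference -eq $everyone -and
    $_.AuditFlags -band $flags -and
    ($_.ActiveDirectoryRights -band $rights) -eq $rights -and
    $_.InheritanceType -eq $scope
}

if (-not $existing) {
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights, $flags, $scope)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Read the SACL back to confirm what is actually configured on the object.
Get-ExplicitAuditRule $path |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

An empty table from the final command means the object has no explicit SACL entry, which is the condition under which no events are generated for it.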