Reviewing Active Directory (AD) event logs, and knowing what each event tracks, gives you
insight into the health of AD.
AD event logs also help you spot potential security threats early, often before an
attacker has reached their objective.
You will always see one instance of event ID 4769 immediately after an instance of
event ID 4768; that first 4769 is routine and can be ignored.
Next, the workstation must obtain a service ticket for itself (a service ticket that
authenticates the user to their own workstation and allows the logon to complete). This
shows up as another instance of event ID 4769. The Service Name field in event ID 4769
identifies the service for which the ticket was granted.
That is not the end of event ID 4769. You will see a further instance for each server
the user accesses after logging on to the workstation.
Imagine that the user's logon script or persistent drive mappings connect to a shared
folder on a file server.
The DC logs event ID 4769 when the workstation obtains a service ticket for that file
server; the Service Name field shows the file server's computer account (for example
FILESRV01$), and the Client Address field shows the workstation that requested it.
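The sequence above (one 4768 for the TGT, a 4769 for the workstation's own ticket, then one 4769 per server the user touches) can be reconstructed from the DC's Security log. The following Python is an added example, not part of the original page: it replays constructed 4768/4769 events, normalises the user name (4768 logs the bare account, 4769 logs account@REALM) and the client address (IPv4 clients appear as ::ffff:a.b.c.d), and separates the workstation's self-ticket from the servers accessed. The IP-to-workstation mapping (WKS01$ at 10.0.0.15) and all event data are assumptions constructed for the example.

```python
"""Trace a Kerberos logon sequence (4768 TGT, then 4769 service tickets) per user.

Sample events are constructed here; field names follow the Security log's
EventData (TargetUserName, ServiceName, IpAddress). Assumption: WKS01$ is the
computer account of the workstation at 10.0.0.15.
"""
from collections import OrderedDict

EVENTS = [
    {"id": 4768, "time": "08:00:01", "TargetUserName": "alice",
     "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.15"},
    {"id": 4769, "time": "08:00:02", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WKS01$", "IpAddress": "::ffff:10.0.0.15"},
    {"id": 4769, "time": "08:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "IpAddress": "::ffff:10.0.0.15"},
    {"id": 4769, "time": "08:01:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "SQL01$", "IpAddress": "::ffff:10.0.0.22"},
]

# Assumed mapping of client IP -> workstation computer account (in practice
# taken from DHCP/DNS or from the computer account's own Kerberos traffic).
WORKSTATIONS = {"10.0.0.15": "WKS01$", "10.0.0.22": "WKS02$"}


def _user(name):
    """4768 logs 'alice', 4769 logs 'alice@REALM'; normalise to the bare name."""
    return name.split("@", 1)[0].lower()


def _ip(addr):
    """The log writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr.rsplit(":", 1)[-1]


def trace_logons(events, workstations):
    """Return {user: {"tgt_from": ip or None, "self_ticket": bool, "servers": [...]}}.

    A 4769 whose ServiceName is the client's own computer account is the
    workstation's ticket for itself; every other 4769 is a server the user
    went on to access. A user with 4769s but no 4768 obtained the TGT
    elsewhere (another DC, or before the start of this log).
    """
    trace = OrderedDict()
    for ev in sorted(events, key=lambda e: e["time"]):
        user = _user(ev["TargetUserName"])
        rec = trace.setdefault(user, {"tgt_from": None, "self_ticket": False, "servers": []})
        ip = _ip(ev["IpAddress"])
        if ev["id"] == 4768:
            rec["tgt_from"] = ip
        elif ev["id"] == 4769:
            if ev["ServiceName"] == workstations.get(ip):
                rec["self_ticket"] = True
            else:
                rec["servers"].append(ev["ServiceName"])
    return trace


if __name__ == "__main__":
    for user, rec in trace_logons(EVENTS, WORKSTATIONS).items():
        print(user, rec)
```

For alice the trace shows the TGT request from 10.0.0.15, the self-ticket for WKS01$, and FILESRV01$ as the only server accessed; bob appears with a service ticket but no TGT request on this DC, which is the case to check against the other DCs' logs before drawing conclusions.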
On DCs, the Audit account logon events policy tracks every attempt to log on with a
domain user account, regardless of where the attempt originates.
If you enable this policy on a workstation or member server, it records attempts to log
on with a local account stored in that computer's SAM.
Audit logon events, by contrast, records the logon session on the computer being
accessed, after authentication has succeeded (so it follows the Audit account logon
events record on the DC).
Audit logon events also records much more detail, such as when the user disconnected
from the server and when the user logged off.
Event IDs:
4624 A user successfully logged on to a computer.
4625 Logon failure. A logon attempt was made with an unknown user name or a known
user name with a bad password.
4634 The logoff process was completed for a user.
4647 A user initiated the logoff process.
4648 A user successfully logged on to a computer using explicit credentials while
already logged on as a different user.
4779 A user disconnected a terminal server session without logging off.
Audit Directory Service Access provides fine-grained auditing for all types of objects
in AD. Directory Service Access events identify not only which object was accessed and
by whom, but also exactly which properties of the object were accessed.
How to activate it:
First, enable the audit policy at the system level. Then add auditing entries (a SACL)
to the objects you want tracked, since Directory Service Access events are only logged
for objects that carry one:
1- Open the Active Directory Users and Computers MMC (DSA.MSC).
2- Right-click the domain or the target AD object > click Properties
Move User
You can use the Object Access category of the Security log to audit any and all
attempts to access files and other Windows objects; it tracks Success and Failure access
attempts on folders, services, registry keys, and printer objects.
The only auditable objects not covered by this category are AD objects (OUs, users,
groups and computers), which you track with the Directory Service Access category
instead.
Audit policy change records changes to the user rights assignment policy, the audit
policy, account policy, or trust policy.
In the Audit privilege use category, "privilege" refers to most of the user rights that
you find in the Local Security Policy under Security Settings\Local Policies\User Rights
Assignment.
Audit process tracking records every program that is executed, whether by the system or
by end users.
Combined with other policies such as Audit logon events and Audit object access, it
gives a detailed picture of user activity in the domain.
To determine the logon session during which a process started, look at the Subject
Logon ID field in event ID 4688, then find the preceding event ID 4624 instance on the
same computer with the same Logon ID.
Check the Logon Type and Logon Process fields of that 4624 to determine whether the
process was started during an interactive session (Logon Type 2), a Remote Desktop
session (Logon Type 10), or some other type of logon session.
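The Logon ID is the join key for the whole session: 4624 creates it, 4688 references it for each new process, and 4647/4634 close it. The following Python is an added example, not part of the original page, that replays constructed 4624/4688/4647/4634 events in time order and rebuilds each session with its user, logon type, logon process, processes started, and logoff times. It also keeps processes whose Logon ID has no preceding 4624 (the session began before the log window or the 4624 was overwritten), which is the case the correlation in the text cannot resolve from this log alone. All event data, Logon IDs and paths are constructed for the example.

```python
"""Reconstruct logon sessions from constructed 4624 / 4688 / 4647 / 4634 events.

Field names follow the Security log's EventData. The Logon ID is the join key:
4624 creates it (TargetLogonId), 4688 references it (SubjectLogonId), and
4647/4634 close it (TargetLogonId). Sample data is constructed, not captured.
"""

# Logon Type values as documented for event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

EVENTS = [
    {"id": 4624, "time": "09:00:00", "TargetUserName": "alice", "TargetLogonId": "0x1A2B3C",
     "LogonType": 2, "LogonProcessName": "User32"},
    {"id": 4624, "time": "09:05:00", "TargetUserName": "bob", "TargetLogonId": "0x9F8E7D",
     "LogonType": 10, "LogonProcessName": "User32"},
    {"id": 4688, "time": "09:01:00", "SubjectLogonId": "0x1A2B3C",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "time": "09:06:00", "SubjectLogonId": "0x9F8E7D",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4688, "time": "09:07:00", "SubjectLogonId": "0x5555",  # no 4624 in this window
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"id": 4647, "time": "09:30:00", "TargetLogonId": "0x1A2B3C"},  # user initiated logoff
    {"id": 4634, "time": "09:30:01", "TargetLogonId": "0x1A2B3C"},  # logoff completed
]


def _new_session():
    return {"user": None, "logon_seen": False, "logon_type": None,
            "logon_process": None, "logon_time": None, "processes": [],
            "logoff_initiated": None, "logoff_completed": None}


def build_sessions(events):
    """Return {logon_id: session dict}, replaying events in time order.

    A 4688 whose Logon ID has no preceding 4624 is kept with logon_seen=False:
    the user and logon type cannot be attributed from this log alone.
    """
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624:
            s = sessions.setdefault(ev["TargetLogonId"], _new_session())
            s.update(user=ev["TargetUserName"], logon_seen=True,
                     logon_type=LOGON_TYPES.get(ev["LogonType"], f"Unknown({ev['LogonType']})"),
                     logon_process=ev["LogonProcessName"], logon_time=ev["time"])
        elif ev["id"] == 4688:
            s = sessions.setdefault(ev["SubjectLogonId"], _new_session())
            s["processes"].append(ev["NewProcessName"])
        elif ev["id"] == 4647:
            sessions.setdefault(ev["TargetLogonId"], _new_session())["logoff_initiated"] = ev["time"]
        elif ev["id"] == 4634:
            sessions.setdefault(ev["TargetLogonId"], _new_session())["logoff_completed"] = ev["time"]
    return sessions


def unattributed_processes(sessions):
    """Processes whose Logon ID never appeared in a 4624: check older logs or other hosts."""
    return [p for s in sessions.values() if not s["logon_seen"] for p in s["processes"]]


if __name__ == "__main__":
    for lid, s in build_sessions(EVENTS).items():
        print(lid, s["user"], s["logon_type"], s["logon_process"], s["processes"],
              s["logoff_initiated"], s["logoff_completed"])
```

Events are ordered by time before replay because 4624 has to be seen before the 4688s that reference it; in a real export the same ordering comes from the event record numbers. Logon Type 10 on bob's session marks powershell.exe as started from a Remote Desktop session rather than at the console.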
Audit system events records when a user restarts or shuts down the computer, and when
an event occurs that affects either the Security log or system security.
Policy Conflicts
Microsoft advises organizations not to use both the basic audit policy settings and the
advanced audit policy settings at the same time for the same category: once advanced
audit policy is applied, the basic settings for that category are ignored, so the
result is not what either policy alone would suggest.
To avoid losing events, increase the maximum size of the Security event log. With the
retention method set to "Overwrite events as needed" (the default), a full log keeps
logging by discarding the oldest events instead of stopping, so the size has to be large
enough to cover the interval at which you collect or forward the log.