Enabling Active Directory monitoring

To enable the product to monitor Active Directory user objects, you must configure your Active Directory environment as described in this section. Perform the following configurations on all domain controllers, because a change is audited only on the domain controller that processed it: the operating system on that domain controller must generate, and retain as events, the modifications to Active Directory user objects. The product then collects and processes the events and displays vital information about service accounts and their activity in Active Directory.

Configuring the security event log

You must configure the security event log so that Active Directory events remain in the event log until the product has collected and processed them.

Set the maximum size of the Security event log to no less than 10 MB, and set the retention method to Overwrite events as needed. Treat 10 MB as a floor: size the log for the event rate of your domain controllers and the product's collection interval, so that events are not overwritten before the product collects them.

To configure the security event log:

  1. Log in to a domain controller in the domain you want to configure, using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc, then press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, then select Edit.

    Making this change to the Default Domain Controllers Policy is important because another GPO linked to the Domain Controllers organizational unit (OU) with higher precedence (a lower link order number) can override this configuration when you restart the computer or run gpupdate again. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your product settings, add these settings to it, and give it link order 1 in the Domain Controllers OU so that it has the highest precedence.

  5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

  6. Click Event Log, then set Maximum security log size to a value greater than or equal to 10240 KB (10 MB).

  7. Set the value of Retention method for security log to Overwrite events as needed.

  8. Return to the command prompt, type gpupdate, then press Enter.

To verify the configuration and ensure Active Directory events are not discarded before processing:

  1. Open a command prompt, type eventvwr, then press Enter to start Event Viewer.

  2. Expand Windows logs, right-click Security, then select Properties.

  3. Verify that the maximum log size is greater than or equal to 10240 KB (10 MB) and the retention method is set to the value of Overwrite events as needed.
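The following PowerShell script is an added example, not part of this document or the product. It reports the effective Security log configuration of every domain controller in the current domain so that you can confirm the GPO took effect before the product starts collecting, and it includes a local wevtutil fallback for a domain controller that is not covered by the GPO. It assumes the ActiveDirectory module (RSAT) on the management host and WinRM access to the domain controllers; the function and parameter names are the example's own.

```powershell
# Added example (not from the original document): verify the Security event log
# configuration on every domain controller after the GPO has been applied.
# Assumes: ActiveDirectory module (RSAT) and WinRM access to the DCs.
Import-Module ActiveDirectory

function Test-DcSecurityLog {
    param(
        # 10240 KB is the floor this document requires; raise it for busy DCs
        [int]$MinimumSizeKB = 10240
    )
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $log    = Get-WinEvent -ListLog Security
        $sizeKB = [int]($log.MaximumSizeInBytes / 1KB)
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            MaxSizeKB        = $sizeKB
            # LogMode 'Circular' is the GUI's "Overwrite events as needed";
            # 'Retain' means new events are discarded once the log is full
            LogMode          = $log.LogMode.ToString()
            RecordCount      = $log.RecordCount
            Compliant        = ($sizeKB -ge $using:MinimumSizeKB) -and
                               ($log.LogMode -eq 'Circular')
        }
    } | Select-Object DomainController, MaxSizeKB, LogMode, RecordCount, Compliant
}

# Local fallback for a DC that is not under the GPO (for example a lab DC):
# the same two settings applied with wevtutil. Group Policy overrides this at
# the next refresh, so use the GPO procedure above for production DCs.
function Set-LocalSecurityLog {
    param([int]$MaxSizeKB = 10240)
    # /ms = maximum size in bytes; /rt:false = overwrite events as needed
    wevtutil sl Security /ms:$($MaxSizeKB * 1KB) /rt:false
}

Test-DcSecurityLog | Format-Table -AutoSize
```

Any domain controller reported with Compliant set to False has either not refreshed Group Policy yet (run gpupdate there) or is receiving a conflicting value from a GPO with higher precedence in the Domain Controllers OU.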

Configuring Active Directory auditing

You must configure Active Directory Auditing to ensure that the Active Directory events are logged in the security event log.

Configure the Default Domain Controllers Policy GPO with Audit directory service access set to audit both success and failure events.

To verify or set this configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type gpmc.msc, then press Enter to start the Group Policy Management Console.

  3. Expand Forest > Domains > domainName > Domain Controllers.

  4. Right-click Default Domain Controllers Policy, then select Edit.

    Making this change to the Default Domain Controllers Policy is important because another GPO linked to the Domain Controllers organizational unit (OU) with higher precedence (a lower link order number) can override this configuration when you restart the computer or run gpupdate again. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your product settings, add these settings to it, and give it link order 1 in the Domain Controllers OU so that it has the highest precedence.

  5. Expand Computer configuration > Policies > Windows Settings > Security Settings.

  6. Complete the following steps:

    1. In Security Settings, expand Advanced Audit Policy Configuration > Audit Policies.

    2. For ADAAD and ADAGP, click DS Access.

    3. For each subcategory, configure or verify the following selections:

      • Configure the following audit events

      • Success

      • Failure

    4. For ADAAD only, define the same configuration for all subcategories of Account Management and Policy Change.

  7. Complete the following steps:

    1. In Security Settings, expand Local Policies and click Audit Policy.

    2. For ADAAD and ADAGP, click Audit directory service access.

    3. Configure or verify the following selections:

      • Define these policy settings

      • Success

      • Failure

    4. For CGAD only, configure or verify the same selections for Audit account management and Audit policy change.

  8. Return to the command prompt, type gpupdate, then press Enter.

Configuring User and Group auditing

This configuration enables auditing of user logons and logoffs (by both local users and Active Directory users) and of local user and group settings. You configure user and group auditing manually, as follows.

To configure user and group auditing:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open the Microsoft Management Console, then click File > Add/Remove Snap-in.

  3. Click Group Policy Management Editor, then click Add.

  4. On the Select Group Policy Object window, click Browse.

  5. Click Domain Controllers.FQDN, where FQDN is the fully qualified domain name of the domain that contains the domain controllers.

  6. Click Add.

  7. Click Default Domain Controllers Policy, then click OK.

  8. Click Finish, then click OK.

  9. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

  10. Under Audit Account Logon Events, click Define these policy settings, then select Success and Failure.

  11. Under Audit Logon Events, click Define these policy settings, then select Success and Failure.

  12. In the Microsoft Management Console, expand Default Domain Controllers Policy FQDN > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.

  13. Under Audit Logon, click Audit Logon, then select Success and Failure.

  14. Under Audit Logoff, click Audit Logoff, then select Success and Failure.

  15. To update the Group Policy settings, open a command prompt, type gpupdate /force, then press Enter.
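The following PowerShell script is an added example, not part of this document or the product. It serves both the Configuring Active Directory auditing procedure and the Configuring User and Group auditing procedure above: after gpupdate, it reads the effective audit policy from every domain controller with auditpol and flags any required subcategory that does not audit both Success and Failure. It assumes the ActiveDirectory module (RSAT) on the management host and WinRM access to the domain controllers; the function and variable names are the example's own, and the list of required categories follows the conditional steps above (DS Access for every variant, Account Management and Policy Change where the procedure calls for them, and Account Logon as the advanced-policy equivalent of Audit account logon events).

```powershell
# Added example (not from the original document): report the effective audit
# policy on every domain controller for the categories and subcategories the
# two auditing procedures above configure, using auditpol's CSV (/r) output.
# Assumes: ActiveDirectory module (RSAT) and WinRM access to the DCs.
Import-Module ActiveDirectory

# Every subcategory in these categories must audit Success and Failure.
$RequiredCategories    = @('DS Access', 'Account Management', 'Policy Change', 'Account Logon')
# From Logon/Logoff, only the Logon and Logoff subcategories are required.
$RequiredSubcategories = @('Logon', 'Logoff')

function Test-DcAuditPolicy {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        $rows = @()
        foreach ($cat in $using:RequiredCategories) {
            # CSV columns: Machine Name, Policy Target, Subcategory,
            # Subcategory GUID, Inclusion Setting, Exclusion Setting
            # (Where-Object { $_ } drops any blank line before the header)
            $rows += auditpol /get /category:"$cat" /r | Where-Object { $_ } | ConvertFrom-Csv
        }
        foreach ($sub in $using:RequiredSubcategories) {
            $rows += auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
        }
        foreach ($row in $rows) {
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Subcategory      = $row.Subcategory
                Setting          = $row.'Inclusion Setting'
                Compliant        = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    } | Select-Object DomainController, Subcategory, Setting, Compliant
}

$policy        = Test-DcAuditPolicy
$nonCompliant  = $policy | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    $nonCompliant | Format-Table -AutoSize
} else {
    'All required subcategories audit Success and Failure on every domain controller.'
}
```

auditpol shows the per-subcategory settings that the Local Security Authority actually applies, which is what matters when both the legacy Audit Policy entries and Advanced Audit Policy Configuration are defined. For a single domain controller outside the GPO you can set one subcategory locally with auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable, but Group Policy overrides that at the next refresh.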

Configuring Active Directory Security Access Control Lists

The System Access Control List (SACL) of a directory object describes the principals and operations to audit. You must configure the SACL to generate events for operations that can result in, or are related to, changes in GPO data stored in Active Directory.

To enable the product to monitor all changes to current and future objects in Active Directory, see Configuring SACLs for the product in Active Directory.

Configuring SACLs for the product in Active Directory

If you are running the product for Active Directory in your environment, perform the steps in this section. To enable the product to monitor all changes to current and future objects in Active Directory, you configure the auditing entry on the root of each naming context (domain, schema, and configuration) so that every current and future descendant object inherits it.

To use adsiedit.msc on Windows Server 2003, you must install the Windows Support Tools. For more information about installing the Windows Support Tools, see http://technet.microsoft.com/en-us/library/cc755948%28WS.10%29.aspx.

To verify or set the configuration:

  1. Log in to a computer in the domain you want to configure using a user account with domain administrator privileges.

  2. Open a command prompt, type adsiedit.msc, then press Enter to start the ADSI Edit tool.

  3. Right-click ADSI Edit, and then select Connect to.

  4. In the Connection Settings window, ensure that Name is set to Default naming context and that Path points to the domain to configure.

    You must perform Step 5 through Step 12 three times, configuring the connection points for Default naming context, Schema, and Configuration.

  5. In Connection Point, click Select a well known Naming Context, and then select one of the following:

    • On the first time through this step, select Default naming context in the drop-down list.

    • On the second time through this step, select Schema.

    • On the third time through this step, select Configuration.

  6. Click OK, then expand Default naming context, Schema, or Configuration.

  7. Right-click the node under the connection point (begins with DC= or CN=), then select Properties.

  8. Click the Security tab, then click Advanced > Auditing > Add.

  9. Perform the following steps to configure auditing to enable monitoring of every user:

    1. (Conditional) For Windows Server 2012, click Select a principal.

    2. In Enter the object name to select, type Everyone, then click OK.

    3. (Conditional) For Windows Server 2012, select All for Type.

    4. (Conditional) For Windows Server 2012, in the Permissions list, select the following:

      • Write All Properties

      • Delete

      • Modify Permissions

      • Modify Owner

      • Create All Child Objects

      • Delete All Child Objects

      When you create or delete child objects, the nodes associated with the child objects are also created or deleted automatically.

    5. (Conditional) For versions of Windows Server other than 2012, in the Access list, select Successful and Failed for the following:

      • Write All Properties

      • Delete

      • Modify Permissions

      • Modify Owner

      • Create All Child Objects

      • Delete All Child Objects

      When you create or delete child objects, the nodes associated with the child objects are also created or deleted automatically.

  10. For Applies to or Apply onto, select This object and all descendant objects.

  11. Clear the setting of Apply these auditing entries to objects and/or containers within this container only.

  12. Click OK until you close all open windows.

  13. Repeat Step 5 through Step 12 two more times for configuring the connection points for Schema and Configuration respectively.
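The following PowerShell script is an added example, not part of this document or the product. It applies the same auditing entry the procedure above builds in ADSI Edit (Everyone; Write All Properties, Delete, Modify Permissions, Modify Owner, Create All Child Objects, Delete All Child Objects; Success and Failure; this object and all descendant objects) to the domain, schema, and configuration naming contexts, and then reads the SACLs back to confirm the entry is present. It assumes the ActiveDirectory module and its AD: drive, that Set-Acl on the AD: drive writes the SACL, and an account that holds SeSecurityPrivilege on the domain controllers (Domain Admins does); the function names are the example's own.

```powershell
# Added example (not from the original document): apply and verify the auditing
# entry described in the ADSI Edit procedure above on all three naming contexts.
# Assumes: ActiveDirectory module (AD: drive), and an account with
# SeSecurityPrivilege, since reading or writing a SACL requires it.
Import-Module ActiveDirectory

# The six GUI permissions, expressed as ActiveDirectoryRights flags:
# Write All Properties, Delete, Modify Permissions, Modify Owner,
# Create All Child Objects, Delete All Child Objects
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, WriteDacl, WriteOwner, CreateChild, DeleteChild'
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone

# Inheritance 'All' is "This object and all descendant objects" with full
# propagation, i.e. the "within this container only" box left cleared.
$AuditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $Everyone,
    $Rights,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

function Get-NamingContexts {
    # Default naming context, Schema, and Configuration, as in steps 5 and 13
    $root = Get-ADRootDSE
    @($root.defaultNamingContext, $root.schemaNamingContext, $root.configurationNamingContext)
}

function Set-ProductAuditSacl {
    foreach ($nc in Get-NamingContexts) {
        $acl = Get-Acl -Path "AD:\$nc" -Audit     # -Audit reads the SACL as well as the DACL
        $acl.AddAuditRule($AuditRule)
        Set-Acl -Path "AD:\$nc" -AclObject $acl
    }
}

function Test-ProductAuditSacl {
    foreach ($nc in Get-NamingContexts) {
        $acl   = Get-Acl -Path "AD:\$nc" -Audit
        $match = $acl.Audit | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            (($_.ActiveDirectoryRights -band $Rights) -eq $Rights) -and
            ($_.AuditFlags -eq 'Success, Failure') -and
            ($_.InheritanceType -eq 'All')
        }
        [pscustomobject]@{ NamingContext = $nc; AuditEntryPresent = [bool]$match }
    }
}

Set-ProductAuditSacl
Test-ProductAuditSacl | Format-Table -AutoSize
```

Each access that matches this entry produces a Directory Service Access event (ID 4662) on the domain controller that processed it, and with Directory Service Changes enabled each matching modification also produces a 5136-series change event. With Everyone on an entire naming context that is a high event rate, which is why the 10 MB Security log size in this document is only a floor.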

Enabling Remote Event Log Management

You must ensure that the Remote Event Log Management firewall rules are enabled so that the product can collect and process the Active Directory events from each domain controller.

To enable Remote Event Log Management:

  1. Log in to a domain controller on which you need to enable Remote Event Log Management.

  2. Open Control Panel, select System and Security, select Windows Defender Firewall, then click Advanced settings to open Windows Defender Firewall with Advanced Security.

  3. Click Inbound Rules. All the predefined rules are displayed in the middle pane.

  4. Look for the rules in the Remote Event Log Management group, including Remote Event Log Management (RPC), and verify that each of them is Enabled. If any of the Remote Event Log Management rules is disabled, right-click the rule, then select Enable Rule.

Enabling Remote Procedure Call

The Remote Procedure Call (RPC) service is used internally by multiple Windows services and runs by default, so the service itself does not need to be started; what must be opened is the firewall path to it.

To allow the remote traffic, configure the firewall on the target machine as follows:

  1. Open Windows Firewall with Advanced Security.

  2. Navigate to Inbound Rules > Predefined Rules.

  3. Select Remote Event Log Management (RPC).
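The following PowerShell script is an added example, not part of this document or the product. It covers both the Enabling Remote Event Log Management procedure and the Enabling Remote Procedure Call procedure above: it enables every inbound rule in the Remote Event Log Management group (which includes the RPC rule) on all domain controllers, reports the resulting state per rule and profile, and then performs a remote read of each Security log from the management host, which exercises the same RPC path the rules open. It assumes the ActiveDirectory module on the management host, the NetSecurity module (Windows Server 2012 or later) and WinRM access on the domain controllers; the function names are the example's own.

```powershell
# Added example (not from the original document): enable and verify the inbound
# "Remote Event Log Management" firewall rules on every domain controller, then
# check remote event log access end to end.
# Assumes: ActiveDirectory module (RSAT); NetSecurity module and WinRM on the DCs.
Import-Module ActiveDirectory

function Enable-RemoteEventLogRules {
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -ScriptBlock {
        Import-Module NetSecurity
        $group    = 'Remote Event Log Management'
        $disabled = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Where-Object { $_.Enabled -ne 'True' }
        if ($disabled) {
            $disabled | Enable-NetFirewallRule
        }
        # Re-read so the report shows the state after the change
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound | ForEach-Object {
            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Rule             = $_.DisplayName
                Profile          = $_.Profile     # a DC should be on the Domain profile
                Enabled          = $_.Enabled
            }
        }
    } | Select-Object DomainController, Rule, Profile, Enabled
}

# End-to-end check from the collector side: a remote enumeration of the
# Security log uses the Event Log service over RPC, the path the rules open.
function Test-RemoteEventLogAccess {
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $ComputerName) {
        try {
            $log = Get-WinEvent -ComputerName $dc -ListLog Security -ErrorAction Stop
            [pscustomobject]@{ DomainController = $dc; Reachable = $true;  Records = $log.RecordCount }
        } catch {
            [pscustomobject]@{ DomainController = $dc; Reachable = $false; Records = $null }
        }
    }
}

Enable-RemoteEventLogRules | Format-Table -AutoSize
Test-RemoteEventLogAccess  | Format-Table -AutoSize
```

If the domain controllers receive their firewall configuration from a GPO that turns off Apply local firewall rules, a rule enabled locally is ignored; add the Remote Event Log Management rules to that GPO instead.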