Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

Active Directory Services Audit - Document references

Table of Contents
Default policy settings after promoting the 2008 DC in a domain
GPMC
Using Auditpol for "DS Access" category
Using Auditpol for "*" category
Enabling the Auditing through Auditpol
Event ID 4741 indicates that "A computer account was created."
AD DS Auditing Step-by-Step Guide
Audit Event IDs list
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit system events
Automation for searching the audit events
How to use "EventcombMT" & account locked out troubleshooting
How to calculate the 2003/2008 event IDs
See Also
Hey, who deleted that user from AD???
Tracking DNS Record Deletion
Who Moved the AD Cheese? (Ask Premier Field Engineering (PFE)
Platforms)
Santosh Bhandarkar's TechNet Wiki Articles
Description of security events

Default policy settings after promoting the 2008 DC in a

domain
GPMC

Using Auditpol for "DS Access" category

Auditpol /get /subcategory:"directory access"

1 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

Using Auditpol for "*" category

Auditpol /get /category:"*"

C:\>Auditpol /get /category:"*"

System audit policy

Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success
Logon/Logoff
Logon Success and Failure
Logoff Success
Account Lockout Success
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server Success and Failure
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success
Computer Account Management Success
Security Group Management Success
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Success
Account Logon

2 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

Kerberos Service Ticket Operations Success

Other Account Logon Events No Auditing
Kerberos Authentication Service Success
Credential Validation Success

Enabling the Auditing through Auditpol

Auditpol /set /subcategory:"directory service changes" /success:enable

You will get the below events after enabling the directory service changes.

Event ID 4741 indicates that "A computer account was created."

There are two scenarios when that event is created. If we are added a computer to a domain and if we are created a computer manually in a domain.

4741 event never indicate that a computer is joined in the domain. When a computer is joined in a domain "DNSHostName" attribute should have a valid entry.

Also, we can check the event 4769 & 4624 for domain-joined computer.

Event ID Descrip on
4720 A user account was created.
4724 An attempt was made to reset an account's password.
4738 A user account was changed.
4722 A user account was enabled.
4727 A security enabled global group was created.
4754 A security enabled universal group was created.
4731 A security enabled local group was created.

We have created a DL but there are no events in eventvwr for that; Will show the below how to get these events.

Event ID 4741 indicate that "A computer account was created".

AD DS Auditing Step-by-Step Guide

http://technet.microsoft.com/library/cc731607(v=ws.10).aspx

Audit Event IDs list

Audit account logon events
Event ID Descrip on
4776 The domain controller attempted to validate the credentials for an account
4777 The domain controller failed to validate the credentials for an account
4768 A Kerberos authentication ticket (TGT) was requested
4769 A Kerberos service ticket was requested
4770 A Kerberos service ticket was renewed

Audit account management

Event ID Descrip on
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
4739 Domain Policy was changed.
4782 The password hash an account was accessed.
4727 A security enabled global group was created.
4728 A member was added to a security enabled global group.
4729 A member was removed from a security enabled global group.
4730 A security enabled global group was deleted.

3 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

4731 A security enabled local group was created.

4732 A member was added to a security enabled local group.
4733 A member was removed from a security enabled local group.
4734 A security enabled local group was deleted.
4735 A security enabled local group was changed.
4737 A security enabled global group was changed.
4754 A security enabled universal group was created.
4755 A security enabled universal group was changed.
4756 A member was added to a security enabled universal group.
4757 A member was removed from a security enabled universal group.
4758 A security enabled universal group was deleted.
4720 A user account was created.
4722 A user account was enabled.
4723 An attempt was made to change an account's password.
4724 An attempt was made to reset an account's password.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4765 SID History was added to an account.
4766 An attempt to add SID History to an account failed.
4767 A user account was unlocked.
4780 The ACL was set on accounts which are members of administrators groups.
4781 The name of an account was changed:
Audit directory service access
Event ID Descrip on
4934 Attributes of an Active Directory object were replicated.
4935 Replication failure begins.
4936 Replication failure ends.
5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted.
5139 A directory service object was moved.
5141 A directory service object was deleted.
4932 Synchronization of a replica of an Active Directory naming context has begun.
4933 Synchronization of a replica of an Active Directory naming context has ended.

Audit logon events

Event ID Descrip on
4634 An account was logged off.
4647 User initiated logoff.
4624 An account was successfully logged on.
4625 An account failed to log on.
4648 A logon was attempted using explicit credentials.
4675 SIDs were filtered.
4649 A replay attack was detected.
4778 A session was reconnected to a Window Station.
4779 A session was disconnected from a Window Station.
4800 The workstation was locked.
4801 The workstation was unlocked.
4802 The screen saver was invoked.
4803 The screen saver was dismissed.
5378 The requested credentials delegation was disallowed by policy.
5632 A request was made to authenticate to a wireless network.
5633 A request was made to authenticate to a wired network.

Audit object access

Event ID Descrip on
5140 A network share object was accessed.
4664 An attempt was made to create a hard link.
4985 The state of a transaction has changed.
5051 A file was virtualized.
5031 The Windows Firewall Service blocked an application from accepting incoming
connections on the network.
4698 A scheduled task was created.
4699 A scheduled task was deleted.
4700 A scheduled task was enabled.
4701 A scheduled task was disabled.
4702 A scheduled task was updated.
4657 A registry value was modified.
5039 A registry key was virtualized.
4660 An object was deleted.

4 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

4663 An attempt was made to access an object.

Audit policy change
Event ID Descrip on
4715 The audit policy (SACL) on an object was changed.
4719 System audit policy was changed.
4902 The Per user audit policy table was created.
4906 The CrashOnAuditFail value has changed.
4907 Auditing settings on object were changed.
4706 A new trust was created to a domain.
4707 A trust to a domain was removed.
4713 Kerberos policy was changed.
4716 Trusted domain information was modified.
4717 System security access was granted to an account.
4718 System security access was removed from an account.
4864 A namespace collision was detected.
4865 A trusted forest information entry was added.
4866 A trusted forest information entry was removed.
4867 A trusted forest information entry was modified.
4704 A user right was assigned.
4705 A user right was removed.
4714 Encrypted data recovery policy was changed.
4944 The following policy was active when the Windows Firewall started.
4945 A rule was listed when the Windows Firewall started.
4946 A change has been made to Windows Firewall exception list. A rule was added.
4947 A change has been made to Windows Firewall exception list. A rule was
modified.
4948 A change has been made to Windows Firewall exception list. A rule was
deleted.
4949 Windows Firewall settings were restored to the default values.
4950 A Windows Firewall setting has changed.
4951 A rule has been ignored because its major version number was not recognized
by Windows Firewall.
4952 Parts of a rule have been ignored because its minor version number was not
recognized by Windows Firewall. The other parts of the rule will be enforced.
4953 A rule has been ignored by Windows Firewall because it could not parse the
rule.
4954 Windows Firewall Group Policy settings have changed. The new settings have
been applied.
4956 Windows Firewall has changed the active profile.
4957 Windows Firewall did not apply the following rule:
4958 Windows Firewall did not apply the following rule because the rule referred to
items not configured on this computer:
6144 Security policy in the group policy objects has been applied successfully.
6145 One or more errors occurred while processing security policy in the group
policy objects.
4670 Permissions on an object were changed.

Audit privilege use

Event ID Descrip on
4672 Special privileges assigned to new logon.
4673 A privileged service was called.
4674 An operation was attempted on a privileged object.

Audit system events

Event ID Descrip on
5024 The Windows Firewall Service has started successfully.
5025 The Windows Firewall Service has been stopped.
5027 The Windows Firewall Service was unable to retrieve the security policy from
the local storage. The service will continue enforcing the current policy.
5028 The Windows Firewall Service was unable to parse the new security policy. The
service will continue with currently enforced policy.
5029 The Windows Firewall Service failed to initialize the driver. The service will
continue to enforce the current policy.
5030 The Windows Firewall Service failed to start.
5032 Windows Firewall was unable to notify the user that it blocked an application
from accepting incoming connections on the network.
5033 The Windows Firewall Driver has started successfully.
5034 The Windows Firewall Driver has been stopped.
5035 The Windows Firewall Driver failed to start.
5037 The Windows Firewall Driver detected critical runtime error. Terminating.
4608 Windows is starting up.
4609 Windows is shutting down.
4616 The system time was changed.

5 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

4621 Administrator recovered system from CrashOnAuditFail. Users who are not
administrators will now be allowed to log on. Some auditable activity might not
have been recorded.
4697 A service was installed in the system.
4618 A monitored security event pattern has occurred.

For a full list of all events, go to the following Microsoft URL .

Automation for searching the audit events

Searching the audit events not a very hard job; there are fantastic tools called "EventcombMT".

It is free & available from below Microsoft link. It is the part of the ALTools.

Download the Altool here

How to use "EventcombMT" & account locked out

troubleshooting

http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting.aspx

Windows Server 2008 , 2008 R2 , 2012 , 2012 R2 log the event with ID 4740 for user account locked out

Windows Server 2003 log the event with ID 644 for user account locked out

How to calculate the 2003/2008 event IDs

644(2003 event) + 4096 = 4740 (2008 event)

If you have 2003 event then add 4096; you will get the event for 2008

See Also
Hey, who deleted that user from AD???
http://blogs.technet.com/b/brad_rutkowski/archive/2006/09/21/hey-who-deleted-that-user-from-ad.aspx

Tracking DNS Record Deletion

http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

Who Moved the AD Cheese? (Ask Premier Field Engineering (PFE) Platforms)
http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx

Santosh Bhandarkar's TechNet Wiki Articles

1. Event IDs when new a user account is created on Active Directory
2. Event IDs when a user account is deleted from Active Directory
3. Event ID when a user is added or removed from security-enabled UNIVERSAL group such as Enterprise Admins
4. Event ID when a user is added or removed from security-enabled GLOBAL group such as Domain Admins or Group Policy Creator Owners

6 of 7 2/5/2018, 4:22 PM
Active Directory Services Audit - Document references - TechNet Ar... https://social.technet.microsoft.com/wiki/contents/articles/15232.act...

5. Event ID when a user is added or removed from security-enabled DOMAIN LOCAL group such as DnsAdmins group

Description of security events

Description of security events in Windows Vista and in Windows Server 2008: http://support.microsoft.com/kb/947226
Description of security events in Windows 7 and in Windows Server 2008 R2: http://support.microsoft.com/kb/977519
Windows 8 and Windows Server 2012 Security Event Details : http://www.microsoft.com/en-in/download/details.aspx?id=35753

7 of 7 2/5/2018, 4:22 PM