How do I audit Active Directory?

A. You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.

  1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
  2. From the View menu, select Advanced Features.
  3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
  4. Select the Group Policy tab.
  5. Select Default Domain Controllers Policy, and click Edit.
  6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
  7. Select Audit Policy.
  8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
  9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the screen shows. Click OK.

  10. Close the Group Policy window.
  11. In the main Domain Controllers Properties dialog box, click OK.
  12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the resulting audit entries in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.
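
One way to confirm that the policy from the steps above has taken effect, as an added example that is not part of the original answer. It assumes an elevated PowerShell session on a domain controller running Windows Server 2008 or later with English-language tool output, where directory service access events are logged as event ID 4662.

```powershell
# Added example, not from the original answer.
# Assumptions: elevated session on a DC, Windows Server 2008+, English tool output.

# Apply computer policy now rather than waiting for the 5-minute poll.
gpupdate /target:computer /force | Out-Null

# Read the effective setting; /r emits CSV (drop any blank lines before parsing).
$policy = auditpol /get /category:"DS Access" /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq 'Directory Service Access' }

if (-not $policy) {
    Write-Warning 'Directory Service Access subcategory not found in auditpol output.'
} elseif ($policy.'Inclusion Setting' -eq 'No Auditing') {
    Write-Warning 'Directory Service Access auditing is still disabled on this DC.'
} else {
    "Effective setting: $($policy.'Inclusion Setting')"
}

# Pull the last hour of directory service access events from the Security log.
# Events are written only for objects whose SACL requests auditing.
$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Index the event's named data fields so they can be read by name.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = $_.KeywordsDisplayNames -join ','
            User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
        }
    } | Format-Table -AutoSize
```

An empty table with auditing enabled usually means no accessed object carries an auditing SACL entry yet, not that the policy failed to apply.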
