Q: What's the easiest way to create a global audit policy that will automatically log events for all administrator changes to the system registry on all the domain controllers (DCs) in a Windows domain?
A: To set up a global audit policy, you can leverage a Windows feature called Global Object Access Auditing, which Microsoft introduced in Windows Server 2008 R2. A global object access audit policy can be used to enforce an object access audit policy for a file system or registry folder, without having to configure and propagate conventional system ACL (SACL) settings on each individual machine. You can find a good introduction to this feature on TechNet's Global Object Access Auditing page.
To configure, apply, and validate a global object access audit policy for administrator changes to the system registry on your DCs, follow these steps:
- Log on to your domain as a member of the local Administrators group and start the Group Policy Management Console (GPMC).
- In the console tree, navigate to Domains\<Your_ Domain>\Group Policy Objects\Default Domain Controllers Policy, where <Your_ Domain> is the name of your domain. Right-click Default Domain Controllers Policy and click Edit.
- In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies container.
- Double-click Object Access, then double-click Audit Registry. Select the Configure the following audit events check box, select the Success and Failure check boxes, and click OK.
- Double-click Global Object Access Policies, then double-click Registry. Select the Define this policy setting check box and click Configure.
- In the Advanced Security Settings for Global Registry SACL box, click Add. Add all default administrator groups (e.g., Domain Admins, Enterprise Admins) to the list and other custom administrator groups that you've defined and want to audit.
- In the Auditing Entry for Global Registry SACL box, select the Successful or Failed activities (e.g., Create Subkey, Delete, Change Permissions, Read) for which you want to log audit entries.
- Click OK three times to complete the audit policy configuration.
Apply the Group Policy Object (GPO) change. On each of your DCs, open a command prompt and run the command: