How to configure audit policies in ADAudit Plus

In this article:

 

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

 Objective   

This article provides a step-by-step guide to enabling and configuring the audit policies that ADAudit Plus needs in order to collect security log data from the following machine types:

  • Domain controllers (DCs)

  • Workstations

  • File servers

  • Member servers  

Proper audit policy configuration ensures that the necessary security events are generated and available for ADAudit Plus to collect. Without this configuration, ADAudit Plus cannot provide complete visibility into activities like logon attempts, user management, file access, and other vital audit events.

 Prerequisites   

  • You must have administrative privileges to access and modify Group Policy settings.

  • ADAudit Plus should be installed and configured.

  • The target machines (DCs, workstations, file servers, member servers) should be added in ADAudit Plus.

 Steps to follow 

 Step 1: Open the Group Policy Management Console (GPMC)   

  1. Press Windows + R to open the Run dialog.

  2. Type gpmc.msc and press Enter to launch the Group Policy Management Console.

  3. In the left pane, expand Forest > Domains > Your domain.

  4. Right-click the appropriate Group Policy Object (GPO) based on the machine type and select Edit to launch the Group Policy Management Editor.

 Step 2: Audit policy configuration for DataEngine servers   

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

  2. Enable the following audit policies:

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Object Access | Audit File System | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |
| Logon/Logoff | Audit Logon | Success and Failure |

 Step 3: Audit policy configuration for DCs

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. 

  2. Enable the following audit policies:

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Account Logon | Audit Credential Validation | Success and Failure |
| Account Management | Audit User Account Management | Success and Failure |
| Directory Service Access | Audit Directory Service Changes | Success |
| Logon/Logoff | Audit Logon | Success and Failure |
| Object Access | Audit File System | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |

 

Step 4: Audit policy configuration for Workstations   

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. 

  2. Enable the following audit policies:

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Logon/Logoff | Audit Logon | Success and Failure |
| Object Access | Audit File System | Success and Failure |
| Logon/Logoff | Audit Special Logon | Success |
| Policy Change | Audit Policy Change | Success and Failure |

 Step 5: Audit policy configuration for File servers   

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. 

  2. Enable the following audit policies:

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Object Access | Audit File System | Success and Failure |
| Object Access | Audit Handle Manipulation | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |

 Step 6: Audit policy configuration for Member servers   

  1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

  2. Enable the following audit policies:

| Category | Subcategory | Audit events |
| --- | --- | --- |
| Logon/Logoff | Audit Logon | Success and Failure |
| Object Access | Audit File System | Success and Failure |
| Policy Change | Audit Policy Change | Success and Failure |

 Validation and confirmation   

  1. Perform actions relevant to the enabled policies (e.g., logon, file access).

  2. Open Event Viewer:

    • Press Windows + R, type eventvwr.msc, and press Enter.

    • Navigate to Windows Logs > Security.

  3. Check for relevant event IDs such as 4624, 4625, 4663, 4732, etc.

  4. Log in to ADAudit Plus.

  5. Navigate to Active Directory > User Logon Reports > User Logon Activity.

  6. Confirm the events appear in the corresponding reports.
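
If the expected events do not show up, first confirm that the GPO settings are actually in effect on the machine. The PowerShell below is an added example, not part of ADAudit Plus or the original article: it compares the output of `auditpol /get /category:* /r` with the settings listed in Steps 2 to 6. The function name Test-AuditBaseline, the host name FS01 and the sample rows are constructed for illustration, and the subcategory names assume English-language Windows.

```powershell
# Required settings per machine type, copied from the tables in Steps 2 to 6.
# Subcategory names are written as auditpol prints them on English-language Windows.
$sf = 'Success and Failure'
$Baseline = @{
    DataEngine       = @{ 'File System' = $sf; 'Audit Policy Change' = $sf; 'Logon' = $sf }
    DomainController = @{ 'Credential Validation' = $sf; 'User Account Management' = $sf
                          'Directory Service Changes' = 'Success'; 'Logon' = $sf
                          'File System' = $sf; 'Audit Policy Change' = $sf }
    Workstation      = @{ 'Logon' = $sf; 'File System' = $sf; 'Special Logon' = 'Success'
                          'Audit Policy Change' = $sf }
    FileServer       = @{ 'File System' = $sf; 'Handle Manipulation' = $sf
                          'Audit Policy Change' = $sf }
    MemberServer     = @{ 'Logon' = $sf; 'File System' = $sf; 'Audit Policy Change' = $sf }
}

function Test-AuditBaseline {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DataEngine','DomainController','Workstation','FileServer','MemberServer')]
        [string]$MachineType,
        [Parameter(Mandatory)][string[]]$AuditpolCsv   # lines of: auditpol /get /category:* /r
    )
    # Index the effective setting of every subcategory by name (blank lines skipped).
    $effective = @{}
    $AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in ($Baseline[$MachineType].Keys | Sort-Object)) {
        $want = $Baseline[$MachineType][$name]
        $have = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Missing' }
        # "Success and Failure" also satisfies a "Success"-only requirement.
        $ok = ($have -eq $want) -or ($have -eq $sf)
        [pscustomobject]@{ Subcategory = $name; Required = $want; Effective = $have; Compliant = $ok }
    }
}

# Constructed sample of auditpol CSV output (GUID column replaced by a placeholder).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
FS01,System,File System,{GUID-PLACEHOLDER},Success and Failure,
FS01,System,Handle Manipulation,{GUID-PLACEHOLDER},No Auditing,
FS01,System,Audit Policy Change,{GUID-PLACEHOLDER},Success,
'@ -split '\r?\n'
Test-AuditBaseline -MachineType FileServer -AuditpolCsv $sample | Format-Table -AutoSize

# Live check, from an elevated prompt on the target machine:
# Test-AuditBaseline -MachineType FileServer -AuditpolCsv (auditpol /get /category:* /r)
```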

 Tips 

  • Apply GPOs to organizational units (OUs) instead of entire domains to limit the audit scope.

  • Use success or failure auditing only where required to reduce log noise.

  • Regularly review and adjust audit settings based on business needs.

  • Monitor event log size and retention to prevent data loss.

 Related topics and articles

  • How to configure Workstations in ADAudit Plus

  • How to configure Member Server in ADAudit Plus

  • How to configure File Integrity in ADAudit Plus

  • How to configure the archive retention period using ADAudit Plus