How to configure object-level auditing (a SACL) in ADAudit Plus

In this article:

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article outlines the minimum privileges required for ADAudit Plus to audit the following:

  • Active Directory (AD)

  • Windows servers and endpoints

  • File servers

  • DataEngine

  • Other systems (Exchange, NetApp systems, etc.)  

Prerequisites  

  • ADAudit Plus must be installed and configured.

  • The server or workstation must be added to ADAudit Plus for auditing.

  • The required audit policies should be enabled through the Group Policy Management Console (GPMC).

  • The user performing the configuration must have administrative privileges on the target machine.

Steps to follow

Step 1: Enable audit policies using the GPMC  

  1. Open the GPMC by typing gpmc.msc in the Run dialog box.

  2. Locate the relevant GPO that is applied to the target machine.

  3. Right-click the GPO and select Edit to open the Group Policy Management Editor.

  4. On the left pane, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.

  5. On the right pane, double-click the following subcategories and enable them:

    • Audit File System: Configure this for both Success and Failure.

    • Audit Handle Manipulation: Configure this for Success.

Step 2: Configure object-level auditing on the target folder (SACL configuration)  

  1. Log in to the machine where the folder resides.

  2. Locate and right-click the file or folder to be audited, then select Properties.

  3. In the Properties window, navigate to the Security tab and click the Advanced button.

  4. Navigate to the Auditing tab and click Add.

  5. In the new window, click Select a principal, type Everyone (or specify the intended user or group), then click OK.

  6. Choose the type of access you want to audit (Success and/or Failure).

  7. Under Basic permissions, check the appropriate boxes for actions such as the following:

    • Read data / list directory

    • Write data / add files

    • Append data / add subfolders

    • Create files / write attributes

    • Delete

    • Change permissions

    • Take ownership

  8. From the Applies to drop-down, select This folder, subfolders and files.

  9. Click OK > Apply > OK to save the changes.
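
The SACL entry from Step 2 can also be applied from an elevated PowerShell session. This is an added example, not ManageEngine's own tooling; the folder path and the commented group name are assumptions, and the auditpol subcategory names assume an English-language system.

```powershell
# Added example: run elevated on the machine that hosts the folder.
$Path      = 'D:\Shares\Finance'   # assumption: folder to audit
$Principal = 'Everyone'            # or a narrower group, e.g. 'CONTOSO\Finance-Users' (hypothetical)

# Rights corresponding to the boxes listed in step 7.
$Rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, WriteAttributes, Delete, ChangePermissions, TakeOwnership'

# "This folder, subfolders and files" = ContainerInherit + ObjectInherit, no propagation flags.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Audit     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $Rights, $Inherit, $Propagate, $Audit)

# -Audit is required: without it Get-Acl returns the DACL only, not the SACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back and confirm the new entry is explicit (IsInherited = False).
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize

# Confirm the Step 1 subcategories are effective here; a SACL entry
# produces no events while "File System" shows "No Auditing".
foreach ($sub in 'File System', 'Handle Manipulation') {
    auditpol /get "/subcategory:$sub"
}
```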

Validation and confirmation  

  1. Perform a test operation on the audited file or folder (such as reading, writing, or deleting).

  2. Open Event Viewer on the target machine:

    • Click Start > Run, type eventvwr.msc and press Enter.

  3. In Event Viewer, navigate to Windows Logs > Security.

  4. Check for event IDs such as 4663, 4656, and 4670, which indicate file access events.

  5. Launch ADAudit Plus and navigate to the File Audit Reports section:

    • Navigate to File Audit > File Audit > All File/Folder Changes.

  6. Confirm the test access event is reflected in the report.
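
The Event Viewer check in steps 2 to 4 can be scripted so that only events for the audited folder are shown. This is an added example, not part of ADAudit Plus; the folder path and the 15-minute window are assumptions.

```powershell
# Added example: run elevated on the target machine after the test operation.
$Path  = 'D:\Shares\Finance'           # assumption: the audited folder
$Since = (Get-Date).AddMinutes(-15)    # assumption: the test was performed in this window

$filter = @{ LogName = 'Security'; Id = 4656, 4663, 4670; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> elements of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only events whose object is the audited folder or something below it.
        if ($data['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $data['ObjectName']
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']   # empty for 4670, which carries OldSd/NewSd instead
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An empty result after a test operation usually means either the audit policy from Step 1 has not reached the machine yet or the SACL entry does not cover the principal or access type used in the test.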

Tips

  • Only configure auditing on sensitive or critical directories to avoid unnecessary log generation.

  • Use specific users or groups instead of Everyone where possible to tighten the auditing scope.

  • Regularly check the event log size and apply proper retention settings to avoid data loss.

  • Periodically review the object-level auditing settings and clean up outdated entries.

Related topics and articles

  • How to configure File Integrity in ADAudit Plus

  • Privileges required for ADAudit Plus auditing

  • How to configure USB storage auditing for workstations in ADAudit Plus

  • No data is available under the USB storage auditing report in ADAudit Plus