In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

 Objective
 

To configure Windows Workstations in ADAudit Plus using either the product console or command-line arguments, and to apply the necessary audit policies for tracking user activity and changes across all endpoints.

 Prerequisites 

• You must have an account with administrative privileges in ADAudit Plus or delegate permission to configure Workstations in ADAudit Plus.

• Proper audit policies must be applied to capture required events.

• Ensure the Workstation firewall allows communication between the ADAudit Plus server and agents.

 Steps to follow 

Step 1: Configure Workstations using the product console

1. Log in to the ADAudit Plus web console.

2. Navigate to the Configuration tab.

3. From the left pane under Configured Server(s) Choose Workstations.

4. Click Add Workstation(s).

5. Select the Domain containing the Workstations to configure.

6. Select the Workstations you want to add.

7. Click Next.

8. Verify the selection and click Finish to complete workstation configuration.

Step 2: Configure workstations using command-line arguments

1. Log in to the system ADAudit Plus is installed.

2. Create a file in <ADAuditPlus_home>\bin\servers.csv. Use the encoding tab and save the document in UTF-8 format.

3. Enter the workstation names separated by a comma in a newline and save the list as a .csv file. E.g. Test-WS1, Test-WS2, Test-WS3...,

4. Go to Start and type in "Command Prompt". Right-click Command Prompt, then select Run as administrator.

5. Navigate to the folder <Installation dir>\ManageEngine\ADAudit Plus\bin.

6. Open Command Prompt and type in "cmdUtil.bat".

7. Enter the ADAudit Plus default admin username and password.

8. Note:ADAudit Plus’ default username and password are both admin.

9. Enter "server usage".

10. Type in "config server add -machinetype ws -isauditpolicy true".

Note: Here are the descriptions for the above arguments: machinetype: The type of machine that's going to be added i.e., ws=workstations. isauditpolicy: The audit policy will be enabled for the chosen machine via Group Policy Object (GPO). true: Automatically configures the required object access policy. false: Manually configure the required object access policy.

Step 3: Configure audit policies for workstations

1. Open Active Directory Users and Computers.

2. Right-click on the domain and select New > Group.

3. In the New object - Group window that opens, type in ADAuditPlusWS as the Group name, check Group scope: Domain Local and Group type: Security. Click OK.

4. Right-click the newly created group, then select Properties > Members > Add. Add all the Windows workstations that you want to audit as a member of this group. Click OK.

5. Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.

Note: The GPMC will not be installed on workstations and/or enabled on member servers by default, so we recommend configuring audit policies on Windows domain controllers. Otherwise follow the steps in this page to install GPMC on your desired member server or workstation.

6. Go to Start > Windows Administrative Tools > Group Policy Management.

7. In the GPMC, right-click the domain in which you want to configure the Group Policy. Select Create a GPO and Link it here. In the New GPO window that opens, type in ADAuditPlusWSPolicy and click OK.

8. Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, select Authenticated Users. Click Remove. In the Group Policy Management window that opens, select OK.

9. Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, click Add and choose the security group ADAuditPlusWS created previously. Click OK.

 Configure advanced audit policies   

1. Using domain admin credentials, log in to any computer that has the GPMC on it.

2. Go to Start > Windows Administrative Tools > Group Policy Management.

3. Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.

4. In the Group Policy Management Editor, follow the steps below:

Note: Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. It is recommended that you configure advanced audit policies instead of legacy audit policies to prevent storing needless event data logs, as the legacy policies contain more unwanted events.

5. Choose Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

6. Click, enable, and save the audit policies as shown below:

 Force advanced audit policies   

1. Right-click the <domain name>_ADAuditPlusWSPolicy from GPMC.

2. In the Group Policy Management Editor, follow the steps below:

3. Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

4. Enable the policy and click OK.

 Validation and confirmation 

• Verify that the workstations appear under Configuration tab > Configured Server(s) > Workstation(s)in the ADAudit Plus web console.

• Log on and log off a workstation, then navigate to Endpoint > Logon activity to confirm that events are captured.

• Confirm no errors are reported in the ADAudit Plus dashboard.

 Tips 

• Use descriptive names for GPOs so you can easily identify and maintain them later.

• Periodically review workstation connectivity in the ADAudit Plus console.

• Adjust firewall settings if agents cannot communicate with the ADAudit Plus server.

 Related topics and articles 

• How to configure Print Server in ADAudit Plus.