In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to enable auditing to capture modifications related to Group Managed Service Accounts (gMSAs) in Active Directory. It details the required auditing policies and configurations to track changes.
Prerequisites
Have administrative privileges to modify Group Policy and Active Directory permissions.
Have domain administrator or equivalent privileges.
Have access to Group Policy Management and Active Directory Users and Computers (ADUC).
Steps to follow
Step 1: Enable advanced auditing policies
Log in to the primary domain controller.
Open the Group Policy Management Editor by typing gpedit.msc in the Run dialog box.
Navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
Locate Audit Directory Service Changes and enable both Success and Failure.
Click Apply and OK.
Step 2: Set system access control lists for auditing
Log in to the primary domain controller.
Open ADUC by typing dsa.msc in the Run dialog on the domain controller.
Right-click the domain and select Properties.
Navigate to the Security tab and click Advanced.
Switch to the Auditing tab and click Add.
In the Select Principal field, enter Everyone.
Set Type to Success.
In Apply onto, select This object and all descendant objects.
Step 3: Configure permissions for gMSA auditing
Under Permissions to enable, select:
Create msDS-GroupManagedServiceAccount objects (or Create all child objects).
Delete msDS-GroupManagedServiceAccount objects (or Delete all child objects).
To monitor modifications to gMSA attributes:
Set Apply onto: Descendant msDS-GroupManagedServiceAccount objects.
Enable the following permissions:
Write All Properties
Delete
Modify Permissions
Click Apply and OK to save changes.
Validation and confirmation
Check Event Viewer > Security Logs for event ID 5136 (directory service changes).
Verify that modifications to gMSA accounts generate audit entries.
Test by modifying a gMSA attribute and confirming log entries.
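The following PowerShell script, added here as a worked example and not part of the original article, checks the three pieces configured above on a domain controller: that the Directory Service Changes subcategory is enabled, that the Everyone/Success audit entry exists on the domain root, and that recent 5136 events include changes to msDS-GroupManagedServiceAccount objects. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the Security log.

```powershell
# Added verification script (not from the original article). Assumes the
# ActiveDirectory module is available and it runs on a domain controller.
Import-Module ActiveDirectory

# 1. Confirm the Step 1 audit policy is in effect on this DC.
auditpol /get /subcategory:"Directory Service Changes"

# 2. Confirm the Step 2/3 SACL on the domain root: a Success entry for
#    Everyone that is inherited by descendant objects.
$domainDN = (Get-ADDomain).DistinguishedName
$sacl = Get-Acl -Path "AD:\$domainDN" -Audit
$sacl.Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' -and $_.AuditFlags -match 'Success' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, AuditFlags |
    Format-Table -AutoSize

# 3. Pull the last 7 days of 5136 events and keep only gMSA object changes.
$filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$gmsaChanges = foreach ($ev in $events) {
    # 5136 carries its fields as <Data Name="..."> elements; map them by name.
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($d['ObjectClass'] -ne 'msDS-GroupManagedServiceAccount') { continue }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object    = $d['ObjectDN']
        Attribute = $d['AttributeLDAPDisplayName']
        # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
        Operation = switch ($d['OperationType']) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $_ }
        }
        Value     = $d['AttributeValue']
    }
}

$gmsaChanges | Sort-Object Time -Descending | Format-Table -AutoSize
```

If section 3 returns nothing after you modify a gMSA attribute, re-check that the policy in section 1 shows Success and Failure and that the audit entry in section 2 includes Write All Properties.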
Tips
Regularly review audit policies to ensure security compliance.
Configure alerts in ADAudit Plus to detect unauthorized modifications.
Related topics and articles
How to create an alert when a gMSA is created