{"id":6753,"date":"2019-01-21T13:57:44","date_gmt":"2019-01-21T13:57:44","guid":{"rendered":"https:\/\/www.vyapin.com\/blog\/?p=6753"},"modified":"2021-05-11T07:59:48","modified_gmt":"2021-05-11T07:59:48","slug":"how-to-audit-active-directory-user-accounts-changes","status":"publish","type":"post","link":"https:\/\/www.vyapinsoftware.com\/blog\/how-to-audit-active-directory-user-accounts-changes","title":{"rendered":"How to Audit Active Directory User Accounts Changes?"},"content":{"rendered":"

As part of managing security and compliance in your IT environment, it is vital to audit and track all the changes happening in AD user accounts<\/strong>. There are a few important changes in user accounts you must consider auditing all AD events related to user accounts to identify and prevent potential security threats. Some of these events are new user accounts created, user accounts deleted, user accounts enabled \/ disabled, user accounts permissions changes, etc. By constantly monitoring changes (some of which may be unauthorized or by oversight) made to user accounts in Active Directory, you can overcome potential AD security breaches<\/strong> in the future.<\/p>\n

Here we have discussed about how to audit user account changes in AD<\/strong> using native Active Directory auditing tool and with Vyapin Active Directory Change Tracker<\/strong><\/a>.<\/p><\/blockquote>\n

Using Native Active Directory Auditing Tool<\/h2>\n

First enable \u201cUser Account Management\u201d audit policy using the steps mentioned below.<\/p>\n

    \n
  1. Go to \u201cAdministrative Tools\u201d<\/li>\n
  2. From primary \u201cDomain Controller\u201d, open \u201cGroup Policy Management\u201d console<\/li>\n
  3. Create a new GPO or edit an existing GPO. Creating a new GPO, link it to domain and edit is recommended.<\/li>\n
  4. From left panel, create a new GPO by right-clicking on the domain name.<\/li>\n
  5. Click \u201cCreate a GPO in this domain, and Link it here\u201d.<\/li>\n
  6. On \u201cNew GPO\u201d window shown on the screen, give a name (Say: Manage User Accounts) and click \u201cOK\u201d.<\/li>\n
  7. Right-click on the new GPO which appears in left pane click \u201cEdit\u201d in the context menu.<\/li>\n
  8. It will show \u201cGroup Policy Management Editor\u201d on the screen.<\/li>\n
  9. Go to \u201cComputer Configuration\u201d \u2794 \u201cWindows Settings\u201d \u2794 \u201cSecurity Settings\u201d \u2794 \u201cAdvanced Audit Policy Configuration\u201d \u2794 \u201cAudit Policies\u201d to set \u201cAudit User Account Management\u201d policy.<\/li>\n
  10. Choose \u201cAccount Management\u201d policy which will display all its sub-policies.<\/li>\n
  11. Double-click \u201cAudit User Account Management\u201d\u2019 policy to open its \u201cProperties\u201d window.<\/li>\n<\/ol>\n

    Note:<\/strong>\u00a0Configuring above policy in \u201cAdvanced Audit Policy Configuration\u201d rather than \u201cLocal Policy\u201d because the need of enabling all account management policies in \u201cLocal Policy\u201d will create huge amount of event logs.<\/p>\n

    \"Active<\/a><\/p>\n

      \n
    1. In policy properties, select \u201cDefine these policy settings\u201d checkbox. As per your auditing attempt requirements, choose any one or both the options (success & failure).<\/li>\n<\/ol>\n

      \"Audit<\/p>\n

        \n
      1. Click \u201cApply\u201d, and \u201cOK\u201d to close the properties window.<\/li>\n
      2. Straightway update the Group Policy to reflect the new changes on the entire domain<\/li>\n
      3. Run the following command in the \u201cCommand Prompt\u201d:<\/li>\n<\/ol>\n

        \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Gpupdate \/force<\/em>
        \n\"AD<\/p>\n

        Once \u201cUser Account Management\u201d audit policy is enabled, you can track all the user account changes in AD through event viewer. We have explained how to audit AD user account changes via event viewer.<\/p>\n

        Monitoring user account changes in AD using Event Viewer<\/h3>\n

        To track Active Directory user account changes,<\/p>\n