2.4. Audit Policy for Active Directory Changes
Here is the minimum audit policy to enable on domain controllers in order to generate all of the events included in the “Builtin - Security: Active Directory Changes” managed filter and needed by the Splunk App for LOGbinder, if you are using it.
In the Default Domain Controllers Policy GPO, make the following changes:
| Path | Policy | Setting |
| --- | --- | --- |
| Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. | Enabled |
| Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration | Security System Extension, Authorization Policy Change, Authentication Policy Change, Audit Policy Change, User Account Management, Security Group Management, Other Account Management Events, Other Policy Change Events, Directory Service Replication, Directory Service Changes | Success (It’s OK to include Failure, but most of these categories don’t log any failures) |
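To confirm that the GPO has actually taken effect on a domain controller, the following added example (not part of the original article or of Supercharger) checks the ten subcategories from the table against the CSV report that `auditpol` produces. The function name `Test-ADChangeAuditPolicy` is hypothetical, the sample rows are constructed, and the script assumes an English-language system, where subcategory names and settings appear as in the table.

```powershell
# Added example: compare effective audit policy with the table above.
# Assumes English subcategory names; run elevated on the domain controller.
$required = @(
    'Security System Extension', 'Authorization Policy Change',
    'Authentication Policy Change', 'Audit Policy Change',
    'User Account Management', 'Security Group Management',
    'Other Account Management Events', 'Other Policy Change Events',
    'Directory Service Replication', 'Directory Service Changes'
)

# Hypothetical helper: takes the CSV lines printed by
#   auditpol /get /category:* /r
function Test-ADChangeAuditPolicy {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    # auditpol may emit blank lines; drop them before parsing the CSV.
    $rows = $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $required) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } |
            Select-Object -First 1
        # A subcategory absent from the report is reported as MISSING.
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'MISSING' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = $setting -in 'Success', 'Success and Failure'
        }
    }
}

# Constructed sample report (not captured from a real DC; GUIDs are placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Directory Service Changes,{PLACEHOLDER},Success,'
    'DC01,System,Directory Service Replication,{PLACEHOLDER},No Auditing,'
    'DC01,System,User Account Management,{PLACEHOLDER},Success and Failure,'
    'DC01,System,Audit Policy Change,{PLACEHOLDER},Failure,'
)
Test-ADChangeAuditPolicy -CsvLines $sample | Format-Table -AutoSize

# On a live domain controller:
#   Test-ADChangeAuditPolicy -CsvLines (auditpol /get /category:* /r)
# The Security Options row of the table corresponds to this value being 1:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
```

Any row with `Compliant` set to `False` means events for that subcategory will not reach the Security log, so the managed filter will have nothing to forward for it.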
You still need to configure other Group Policy settings to ensure that your domain controllers connect to your collector and that WinRM can access the Security log. See