HomeSupercharger KBGetting StartedAudit Policy for Active Directory Changes

2.4. Audit Policy for Active Directory Changes

Here is the minimum audit policy necessary to enable on domain controllers in order to generate all of the events included by the “Builtin - Security: Active Directory Changes” managed filter and needed by the Splunk App for LOGbinder if you are using that.

In the Default Domain Controllers Policy GPO make the following changes




Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.


Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

Security System Extension

Authorization Policy Change

Authentication Policy Change

Audit Policy Change

User Account Management

Security Group Management

Other Account Management Events

Other Policy Change Events

Directory Service Replication

Directory Service Changes


(Its ok to include Failure but most of these categories don’t log any failures)

You still need to configure other group policy settings to ensure your domain controllers connect to your collector and that winrm can access the Security Log. See

This page was: Helpful | Not Helpful