
View Active Directory (AD) Event Logs and What They Track

What are Active Directory event logs, and what do they track? Monitoring AD event logs gives you insight into the health of Active Directory.

Moreover, AD event logs help you identify potential security threats before they materialize.

To audit AD events, you must first understand the event logs available and the information they track. In the first section of this article, I explain Active Directory event logs and the data they offer.

In the second, I explain how to view them. However, Domain Controllers only write AD events to the Windows Security log once auditing has been enabled through Group Policy.

As a result, I begin the second section of this guide by demonstrating how to enable Active Directory audit policies with Group Policy. I then explore the 2 options for viewing and analysing AD event logs: Windows Event Viewer and PowerShell.

Essential Active Directory (AD) Event Logs and What They Track

Depending on the specific events you want AD to log, you configure either Audit or Advanced Audit Policies in Group Policy. This means that the information recorded in AD’s event logs depends on the Audit policies that you have enabled.

This article covers the fundamental Audit Policies that an organization enables to start tracking AD activity. Note that on Windows Server 2008 and later, once Advanced Audit Policy subcategories are configured, they take precedence over these basic category settings. If you are interested in Advanced Audit Policies, see the separate Advanced Audit Policies article.

The Audit Policies that I discuss are located in the following path in the Group Policy Management Editor:

    Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

There are 9 policies within the Audit Policy, but I focus on 4 that fulfil the auditing requirements of most organizations. In addition, I delve into the event logs that Domain Controllers generate once a policy is enabled, the information they capture and how you utilize them.

Audit Account Logon Events (Event IDs 4768 to 4776)

If you want Domain Controllers to record, in their local Security event log, each time they authenticate a user, computer, or service account, enable the Audit account logon events policy for Success and Failure. When it is enabled in the Default Domain Controllers Policy, a DC writes an event whenever it validates a domain account's credentials, whether the account is logging on to the DC itself or to another computer in the domain.

On Windows Server 2008 and later this policy produces Event IDs 4768 to 4776 in the DC's Security log: 4768 (a Kerberos TGT was requested), 4769 (a Kerberos service ticket was requested), 4771 (Kerberos pre-authentication failed) and 4776 (the DC attempted to validate credentials, which is the NTLM path). Windows Server 2003 recorded the same activity as Event IDs 672 to 683. Microsoft's documentation for this audit setting describes each event and the fields it carries.

When you enable Audit account logon events, Domain Controllers record a very large number of events, because your users are constantly logging on to and off the domain. At first this may seem unnecessary, but Microsoft recommends enabling both Success and Failure for this policy: the Failure events (for example 4771 with a bad-password status) are how you spot password guessing against domain accounts.

Moreover, later in this article I show you how to filter event logs to return only the events you wish to analyse.

Audit Account Management (Event IDs 4720 to 4780)

Account Management event logs record changes that admins make to users, computers or groups in Active Directory. Some examples of account management events are:

  1. An admin creates, modifies, or deletes a user account or group.
  2. Someone at the service desk sets or changes a password.
  3. An admin enables, disables, or renames a group or user account.

To configure DCs to log these events, enable the Audit account management policy for Success and/or Failure. Enabling it in the Default Domain Controllers Policy causes Domain Controllers to log Event IDs 4720 to 4780 in their local Security log, for example 4720 (user account created), 4726 (user account deleted), 4724 (password reset attempt), 4738 (user account changed), 4740 (account locked out) and 4728, 4732 and 4756 (member added to a global, local or universal security group).

Audit Directory Service Access (Event IDs 4661 and 4662)

The Audit directory service access policy specifies whether a DC audits attempts by users to access Active Directory objects. Two things are required for an event to be written: the policy must be enabled on the DC, and the object being accessed must carry a system access control list (SACL) entry that audits that kind of access. Objects without a matching SACL entry generate no event, however the policy is set. When both are in place, Domain Controllers log Event ID 4661 or 4662.

DCs generate Event ID 4661 when a user requests a handle to an object. When an operation is performed on an Active Directory object, a DC logs Event ID 4662.

In practice, use Event ID 4661 to track attempted unauthorized access to AD objects. This helps you track attempts to access sensitive objects in Active Directory.

Similarly, to track actions taken on AD objects such as users, groups and Group Policy objects, monitor Event ID 4662. Its key fields are SubjectUserName (who), ObjectName and ObjectType (what), AccessMask (the access requested) and Properties (the attribute or control-access GUIDs involved). Monitoring this event can tell you about changes to user accounts, group memberships, and updates to Group Policy objects.

This helps sysadmins detect and analyze potentially malicious activity. Furthermore, Event ID 4662 lets admins reconstruct changes made over time, which is useful for compliance and auditing purposes. Note that 4662 records that an attribute was accessed, not its old and new values; if you need those, the Advanced Audit Policy subcategory Directory Service Changes (Event IDs 5136 to 5141) records them.

Audit Logon Events (Event IDs 4624 to 4779)

By enabling the Audit logon events policy, a computer records every logon and logoff on that computer. Enabling it on a Domain Controller captures logon and logoff activity on the DC itself, for example an administrator logging on at the console, over RDP, or connecting to a share on the DC.

The event is always written on the computer where the session is created. When a domain account logs on interactively to a member server or workstation, that member server or workstation records the logon event (if the policy is enabled there), while the Domain Controller that validated the credentials records an account logon event instead.

After the earlier discussion on Audit Account Logon Events, many readers ask about the distinction between Audit Account Logon Events and Audit Logon Events.

The Audit logon events policy determines whether to record every logon and logoff on the local device, whatever kind of account is used.

The Audit account logon events policy, on the other hand, determines whether to record every instance of credential validation that this device performs on behalf of a logon to another device. For domain accounts, that device is a Domain Controller.

So, enabling Audit logon events on Domain Controllers only records sessions on the DCs themselves, whereas enabling Audit account logon events on DCs records every domain account authentication the DCs perform, wherever the user is logging on.

The Audit logon events policy generates Event IDs 4624 to 4779, the most useful being 4624 (successful logon), 4625 (failed logon), 4634 and 4647 (logoff), 4648 (logon with explicit credentials), 4672 (special privileges assigned to a new logon) and 4778/4779 (session reconnected/disconnected). The LogonType field in 4624 tells you how the session was created: 2 is interactive, 3 network, 10 RemoteInteractive (RDP).
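The four policies above are only useful if you turn their events into something you can act on. The following PowerShell script is an added example and is not from the original article: it flattens Security events into objects with the field names Event Viewer shows, then runs one practical check per policy, covering the Audit Account Logon Events, Audit Account Management, Audit Directory Service Access and Audit Logon Events sections. Run it elevated on a Domain Controller where the policies are enabled. The privileged group list, time windows, failure threshold and the MSOL_ exclusion are assumptions for illustration.

```powershell
# Added example (not from the original article): parse the Security events that the four
# audit policies produce and run one practical check for each. Run it elevated on a DC.
# Group names, time windows, the failure threshold and the MSOL_* exclusion are assumptions.

function ConvertFrom-SecurityEvent {
    # Flatten <EventData> into an object whose properties are the field names Event Viewer
    # shows (TargetUserName, IpAddress, LogonType, ...), so later filters can use them by name.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $obj[$d.Name] = $d.'#text' } }
        [pscustomobject]$obj
    }
}

function Get-SecurityEvent {
    # Shared query; -ErrorAction SilentlyContinue hides Get-WinEvent's "No events were found" error.
    param([int[]]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ConvertFrom-SecurityEvent
}

function Get-AccountLogonFailure {
    # Audit account logon events: 4771 (Kerberos pre-authentication failed) and 4776 (NTLM
    # validation; Status 0x0 means success) are written only on the DC that handled the request.
    # Many distinct accounts failing from one source in a short window is the shape of password spraying.
    param([int]$Hours = 1, [int]$Threshold = 10)
    Get-SecurityEvent -Id 4771, 4776 -Since (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Id -eq 4771 -or $_.Status -ne '0x0' } |
        Group-Object { if ($_.Id -eq 4771) { $_.IpAddress } else { $_.Workstation } } |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{n='Source';e={$_.Name}}, @{n='Failures';e={$_.Count}},
                      @{n='DistinctAccounts';e={ @($_.Group.TargetUserName | Sort-Object -Unique).Count }}
}

function Get-PrivilegedGroupChange {
    # Audit account management: 4728/4732/4756 = member added to a global/local/universal security
    # group, 4729/4733/4757 = member removed. TargetUserName is the group, MemberName the member's DN,
    # SubjectUserName the account that made the change.
    param([string[]]$Group = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'),
          [int]$Days = 7)
    Get-SecurityEvent -Id 4728, 4729, 4732, 4733, 4756, 4757 -Since (Get-Date).AddDays(-$Days) |
        Where-Object { $Group -contains $_.TargetUserName } |
        Select-Object TimeCreated, Id, @{n='Group';e={$_.TargetUserName}}, @{n='Member';e={$_.MemberName}},
                      @{n='ChangedBy';e={$_.SubjectUserName}}
}

function Get-ReplicationAccess {
    # Audit directory service access: 4662 is written only when the object's SACL audits the access.
    # The GUIDs below are the control-access rights DS-Replication-Get-Changes (...aa) and
    # DS-Replication-Get-Changes-All (...ad). A non-DC account exercising them on the domain object is
    # what tools that impersonate a DC to pull password data look like; DCs (names ending in $) and
    # Azure AD Connect's MSOL_* account (assumed name) use them legitimately.
    param([int]$Hours = 24)
    Get-SecurityEvent -Id 4662 -Since (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Properties -match '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2' -and
                       $_.SubjectUserName -notlike '*$' -and $_.SubjectUserName -notlike 'MSOL_*' } |
        Select-Object TimeCreated, SubjectUserName, ObjectName, AccessMask
}

function Get-DCLogonSummary {
    # Audit logon events: 4624 is written on the machine where the session is created, so on a DC it
    # lists who logged on to the DC itself. LogonType 2 = interactive, 3 = network, 10 = RDP.
    param([int]$Hours = 24)
    Get-SecurityEvent -Id 4624 -Since (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.TargetUserName -notlike '*$' -and $_.TargetUserName -notin 'SYSTEM', 'ANONYMOUS LOGON' } |
        Group-Object LogonType, TargetUserName |
        Select-Object @{n='LogonType';e={$_.Values[0]}}, @{n='Account';e={$_.Values[1]}}, Count |
        Sort-Object Count -Descending
}

Get-AccountLogonFailure   -Hours 1 -Threshold 10 | Format-Table -AutoSize
Get-PrivilegedGroupChange -Days 7                | Format-Table -AutoSize
Get-ReplicationAccess     -Hours 24              | Format-Table -AutoSize
Get-DCLogonSummary        -Hours 24              | Format-Table -AutoSize
```

Each function queries only the local DC's Security log. Because account logon events land on whichever DC validated the credentials, run Get-AccountLogonFailure on every DC (or collect the events centrally) before concluding that nobody is guessing passwords.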

Enable and View the Essential Active Directory (AD) Event Logs

This section covers the steps for using group policy to enable the Active Directory event logs that I discussed in the previous section. Following that, I explain how to utilize Windows Event Viewer and PowerShell to view and analyze the AD event logs.

Enable AD Event Logs Via Group Policy

1. Open the Group Policy Management Console. You can open it in 2 ways: by searching for “Group Policy Management” or through Server Manager.
2. In the Group Policy Management Console, go to the Domain Controllers container and expand it.
3. Next, right-click the Default Domain Controllers Policy and choose Edit. If you prefer not to edit the default policy, make a copy instead: expand the Group Policy Objects container, right-click the Default Domain Controllers Policy there and choose Copy, then right-click the Group Policy Objects container and choose Paste.

Rename the copied policy, then link it to the Domain Controllers OU by dragging it onto the Domain Controllers container (or right-click the container and choose Link an Existing GPO). If the copy and the default policy ever disagree, the GPO with the lower link order number wins, so give the copy link order 1.

This approach lets you modify the copied policy instead of the original Default Domain Controllers Policy.

4. When the GPO opens for editing, navigate to the path below:

    Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

5. Next, configure the following policies:

    Audit account logon events: Success and Failure
    Audit account management: Success
    Audit directory service access: Success
    Audit logon events: Success and Failure

The above policies should correspond to the screenshot below. 

Finally, open an elevated command prompt on the Domain Controller where you want the configured GPO applied and run gpupdate with the /force switch:

    gpupdate /force

If you wish to see the audit policy that is now in effect on the DC, including the Advanced Audit Policy subcategories, run the command below.

    auditpol /get /category:*

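After gpupdate, confirm that the four settings from step 5 are actually in effect rather than trusting the GPO. The PowerShell script below is an added example, not part of the original article: it parses the CSV output of auditpol, checks the Advanced Audit Policy subcategories that produce the event IDs discussed above against the settings configured in step 5, and reports whether the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” option (registry value SCENoApplyLegacyAuditPolicy) is on, because with it on the basic Audit Policy entries are ignored once any Advanced Audit Policy subcategory has been applied. It assumes an English-language Windows build, since auditpol prints localized subcategory names.

```powershell
# Added example (not from the original article). Assumes an English Windows build: the subcategory
# names below are auditpol's English names. Run elevated on the DC after gpupdate /force.

# Basic Audit Policy category -> setting configured in step 5 and the Advanced Audit Policy
# subcategories that produce the event IDs discussed in the article.
$Expected = @(
    @{ Category = 'Audit account logon events';     Setting = 'Success and Failure'
       Subcategories = 'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations' }
    @{ Category = 'Audit account management';       Setting = 'Success'
       Subcategories = 'User Account Management', 'Computer Account Management', 'Security Group Management' }
    @{ Category = 'Audit directory service access'; Setting = 'Success'
       Subcategories = 'Directory Service Access' }
    @{ Category = 'Audit logon events';             Setting = 'Success and Failure'
       Subcategories = 'Logon', 'Logoff', 'Special Logon' }
)

function Get-EffectiveAuditPolicy {
    # "auditpol /get /category:* /r" prints CSV with Subcategory and Inclusion Setting columns;
    # blank lines are dropped before ConvertFrom-Csv reads the header.
    auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param($Expected, $Effective = (Get-EffectiveAuditPolicy))
    foreach ($e in $Expected) {
        foreach ($sub in $e.Subcategories) {
            $row  = $Effective | Where-Object { $_.Subcategory -eq $sub }
            $have = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
            # 'Success and Failure' satisfies a 'Success' requirement; anything less is a mismatch.
            $ok   = ($have -eq $e.Setting) -or ($e.Setting -eq 'Success' -and $have -eq 'Success and Failure')
            [pscustomobject]@{ Category = $e.Category; Subcategory = $sub; Expected = $e.Setting; Effective = $have; OK = $ok }
        }
    }
}

function Test-LegacyAuditPolicyOverridden {
    # SCENoApplyLegacyAuditPolicy = 1 is the "Audit: Force audit policy subcategory settings ... to
    # override audit policy category settings" security option. With it on, the basic Audit Policy
    # entries are ignored once any Advanced Audit Policy subcategory has been applied.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    [bool]($v -and $v.SCENoApplyLegacyAuditPolicy -eq 1)
}

$report = Test-AuditPolicy -Expected $Expected
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more subcategories are not audited as configured; check GPO precedence and Advanced Audit Policy.'
}
if (Test-LegacyAuditPolicyOverridden) {
    Write-Warning 'Subcategory override is on: configure the matching Advanced Audit Policy subcategories, or the basic settings will not apply.'
}
```

A row with Effective set to No Auditing while the GPO shows the policy enabled almost always means another GPO or an Advanced Audit Policy setting is winning; gpresult /h on the DC shows which one.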

View and Track the Essential Active Directory Event Logs with Windows Event Viewer

  1. Search for and open Event Viewer.

2. Next, expand Windows Logs and select Security. Domain Controllers record auditing events in the Windows Security log. As there are a great many events, the most effective way to analyze them is the filtering option.

3. To filter the event log, right click on the Security event log and choose Filter Current Log.

4. Lastly, filter the events by Event ID. For instance, to view all successful logons, enter 4624 in the <All Event IDs> field. The field accepts several IDs separated by commas, ranges such as 4720-4740, and a leading minus sign to exclude an ID, for example 4624,-4634.

Furthermore, filter the events by the date logged. To accomplish this, click Logged time dropdown and choose a pre-defined date or opt for the Custom range to manually enter a date range.

Event Viewer then displays only the records that match your filters, if the log contains any.

View and Track the Essential AD Event Logs with Windows PowerShell

PowerShell provides a robust option for viewing Active Directory event logs, with even more advanced filtering and report exporting capabilities than the Windows Event Viewer tool. Additionally, PowerShell offers various cmdlets for viewing event logs, but for this article, we utilize the Get-WinEvent cmdlet.

Use this cmdlet to view AD event logs:

1. Open PowerShell with admin permissions: search for “Windows PowerShell”, then click “Run as Administrator.”
2. Next, list the newest events in the Windows Security log by running this command.

    Get-WinEvent -LogName Security -MaxEvents 20

To minimize the number of events that the command retrieves and speed it up, I used the MaxEvents parameter. Without it, the command returns every event in the Security log, which can take a long time to complete.

The command retrieves the 20 most recent events, but the resulting output is not especially informative.

3. To enhance the report’s usefulness, utilize the FilterHashtable parameter to specify a hashtable that filters the information retrieved by the command. A sample command:

    Get-WinEvent -FilterHashtable @{LogName = 'security'; Id=4624; StartTime=(Get-Date).AddHours(-1)}

This command retrieves event logs with ID 4624 that were logged within the past hour from the Security event log. 

4. Finally, save this report to a CSV file by piping the command from step 3 to Export-Csv. Before you run the command, change the path of the CSV file (the folder must already exist).

Also adjust other values in the hashtable, such as Id and LogName, as needed. The calculated Message property collapses the multi-line event message onto one line so each event occupies a single CSV row.

    Get-WinEvent -FilterHashtable @{LogName = 'security'; Id=4624; StartTime=(Get-Date).AddHours(-1)} |
        Select-Object TimeCreated, ProviderName, Id, @{Name='Message';Expression={$_.Message -replace '\s+', " "}} |
        Export-Csv E:\ADReports\ADEventlogs4624.CSV -NoTypeInformation

The command creates a CSV file that you review to analyse the AD event logs. 
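The commands above query the local DC only. Account logon events are written only on the DC that validated the credentials, and logon events only on the machine that created the session, so a report from a single DC covers only part of the domain. The script below is an added example, not from the original article: it pulls the given event IDs from every Domain Controller and writes one CSV. It assumes the ActiveDirectory module (RSAT) is installed, the caller can read the Security log on each DC remotely (RPC allowed and Event Log Readers or equivalent rights), and the folder E:\ADReports exists; the output path and the default IDs are assumptions.

```powershell
# Added example (not from the original article). Assumes RSAT's ActiveDirectory module, rights to read
# the Security log on each DC remotely, and that E:\ADReports exists; path and IDs are illustrative.
Import-Module ActiveDirectory

function Get-DomainSecurityEvent {
    param(
        [Parameter(Mandatory)][int[]]$Id,
        [int]$Hours = 24,
        [int]$MaxEventsPerDC = 5000   # upper bound per DC; narrow -Hours if you hit it on a busy domain
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -MaxEvents $MaxEventsPerDC -ErrorAction Stop |
                Select-Object @{n='DC';e={ $dc.HostName }}, TimeCreated, Id,
                              @{n='Summary';e={ ($_.Message -split '\r?\n')[0] }}   # first line of the message
        }
        catch {
            # Get-WinEvent raises "No events were found ..." when a DC has none in the window; not a failure.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"   # unreachable DC, RPC blocked, access denied
            }
        }
    }
}

Get-DomainSecurityEvent -Id 4771, 4776 -Hours 24 |
    Sort-Object TimeCreated |
    Export-Csv -Path 'E:\ADReports\AccountLogon-AllDCs.csv' -NoTypeInformation
```

The DC column tells you which Domain Controller served each request, which is worth keeping: a burst of 4771 failures all landing on one DC usually points at the site the source machine sits in.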

Conclusion

Understanding and leveraging the essential Active Directory (AD) event logs is incredibly valuable for Windows admins.

The first crucial step in the process is enabling AD event logs via Group Policy. Once they are enabled, Windows Event Viewer and Windows PowerShell offer 2 powerful tools for viewing and tracking these logs.

Regularly monitoring AD event logs allows admins to gain helpful insights into potential security breaches, network issues, or system failures. Furthermore, taking proactive measures to address any problems found in AD event logs helps to ensure the smooth functioning of the network, its security and its performance.

With the right tools and knowledge, admins leverage these logs to stay on top of potential issues and ensure the stability of their network.


Victor Ashiedu


Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
