How Do I Enable AD Auditing?


Quick Fix Summary

Turn on Advanced Audit Policy Configuration through gpedit.msc for detailed tracking. On older systems, fall back to Local Policies → Audit Policy. Always test in a non-production environment first.

What’s Happening

AD auditing records who touches Active Directory objects (users, groups, OUs) and logs those changes.

As of 2026, Windows Server 2025 and Windows 11 24H2 ship with tighter auditing controls under Advanced Audit Policy Configuration, which replaces the old Basic Audit Policy settings. Relying only on failure events misses permission creep and sneaky access—success audits matter just as much.

How do I set it up?

Run gpedit.msc, enable the right policies under Advanced Audit Policy Configuration, then force an update and check Event Viewer.

Start on a domain controller, or on a Windows 11 or Windows Server 2025 endpoint with RSAT installed.

  1. Hit Win + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
  2. Drill down to: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Account Logon.
  3. Open Audit Credential Validation. Check both Success and Failure. Click OK.
  4. Head to: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → DS Access.
  5. Double-click Audit Directory Service Access. Turn on Success and Failure. Click OK.
  6. Launch Command Prompt as Administrator and run: gpupdate /force to push the changes right away.
  7. Confirm it’s working in Event Viewer: Event Viewer → Windows Logs → Security. Watch for Event ID 4662 (Directory Service Access) and 4776 (Credential Validation).
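
Steps 6 and 7 can also be checked from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes an English-language OS (auditpol subcategory names are localized) and a one-hour lookback window.

```powershell
# Added example: verify the effective audit policy and look for the expected events.
# Run elevated. Assumption: English subcategory names and setting strings.
$subcategories = 'Credential Validation', 'Directory Service Access'
$eventIds      = 4776, 4662                  # Event IDs named in step 7
$lookback      = (Get-Date).AddHours(-1)     # assumed window; adjust as needed

# 1. Effective audit policy. /r makes auditpol emit CSV, which parses cleanly.
$policy = foreach ($name in $subcategories) {
    auditpol /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } |         # drop blank lines before parsing
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$policy | Format-Table -AutoSize

if (-not $policy) {
    Write-Warning 'auditpol returned nothing; check that the prompt is elevated.'
}
$missing = $policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($missing) {
    Write-Warning ('Not auditing Success and Failure: ' + ($missing.Subcategory -join ', '))
}

# 2. Recent events for the two IDs. Get-WinEvent raises an error when nothing
#    matches, so suppress it and report a zero count instead.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $eventIds; StartTime = $lookback
} -ErrorAction SilentlyContinue

foreach ($id in $eventIds) {
    $count = @($events | Where-Object { $_.Id -eq $id }).Count
    '{0}: {1} event(s) since {2:t}' -f $id, $count, $lookback
}
```

Event ID 4662 is only written for objects whose SACL contains a matching audit entry, so a zero count for 4662 with the policy enabled usually points at object-level auditing rather than the policy itself.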

I followed the steps and nothing’s showing up

If auditing isn’t logging events, switch to legacy mode, check permissions, or push the policy domain-wide.
  • Legacy Mode Fallback: On systems without Advanced Audit Policy, use: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy. Turn on Audit directory service access and Audit object access here, but expect fewer details.
  • Permissions Check: Make sure your account has Read access to the Security tab and the Manage auditing and security log user right (set via secpol.msc → Local Policies → User Rights Assignment).
  • Centralized Auditing: For full domain coverage, set the policy in Group Policy Management Console (gpmc.msc). Link it to the Default Domain Controllers GPO or a custom GPO. Drill down to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → DS Access.

Do I need to enable anything else?

Yes—turn on both success and failure audits for Audit Credential Validation and Audit Directory Service Access to catch everything.

What events should I watch for?

Keep an eye on Event ID 4662 for directory access and 4776 for credential checks.

How do I know if it’s working?

Check Event Viewer under Windows Logs → Security for the expected Event IDs after you force a policy update.

What about older Windows versions?

Older setups rely on Basic Audit Policy under Local Policies → Audit Policy, but the logs are far less detailed.

Can I set this up across my whole domain?

Absolutely—link the policy in Group Policy Management Console to the Default Domain Controllers GPO or a custom GPO for domain-wide auditing.

Is there a way to reduce log noise?

Filter events, cap log sizes, and schedule reviews to keep only what matters.

Audit policies create extra overhead, so stay lean:

  • Filter Events: In Event Viewer, build a Custom View that only shows key Event IDs (for example, 4662 or 4771 for failed logons).
  • Set Log Size: Adjust log retention in Event Viewer → Properties → Log Size. Aim for 1 GB on domain controllers; older logs auto-archive.
  • Schedule Reviews: Run a weekly PowerShell script to export Security logs to a SIEM or archive: Get-WinEvent -LogName Security -MaxEvents 1000 | Export-Csv -Path C:\audit\weekly_logs.csv -NoTypeInformation
  • Test Before Deploying: Flip the switch on a test OU or file server first. Use dsacls to mimic access: dsacls "CN=TestUser,OU=TestOU,DC=domain,DC=com" (with no switches, dsacls displays the object's ACL).
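
A weekly export can be bounded by time and Event ID instead of by a fixed event count. The script below is an added example, not the article's own; the output file naming and the choice of exported fields are assumptions.

```powershell
# Added example: export one week of the audited Event IDs with named fields.
$eventIds = 4662, 4776                 # IDs produced by the two policies enabled above
$outDir   = 'C:\audit'                 # folder used in the article's command
$since    = (Get-Date).AddDays(-7)
$outFile  = Join-Path $outDir ('audit_{0:yyyyMMdd}.csv' -f (Get-Date))  # assumed naming

function ConvertTo-AuditRow {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        # EventData holds <Data Name="...">value</Data> pairs; index them by name.
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # 4662 names the actor in SubjectUserName, 4776 in TargetUserName.
        $account = if ($data['SubjectUserName']) { $data['SubjectUserName'] }
                   else { $data['TargetUserName'] }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            EventId     = $Record.Id
            Computer    = $Record.MachineName
            Account     = $account
            ObjectName  = $data['ObjectName']    # 4662 only
            AccessMask  = $data['AccessMask']    # 4662 only
            Status      = $data['Status']        # 4776 only
        }
    }
}

# Create the folder if needed, then write one flat row per event.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $eventIds; StartTime = $since
} -ErrorAction SilentlyContinue |
    ConvertTo-AuditRow |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```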

Heads-up: Basic Audit Policy (pre-Windows 10/Server 2016) is too coarse. Move to Advanced Audit Policy for real visibility (Microsoft Docs).

What’s the bare minimum to get started?

At minimum, enable Audit Directory Service Access and Audit Credential Validation in Advanced Audit Policy Configuration.

Any common mistakes to avoid?

Don’t skip testing, forget to force the policy update, or rely solely on failure events.

(Honestly, half the time admins miss the gpupdate /force step and wonder why nothing logs.)

Where can I check the official docs?

Microsoft’s command-line reference covers the latest policy options here.

Author: Ryan Foster

Ryan Foster is a networking and cybersecurity writer with 12 years of experience as a network engineer. He's configured more routers than he can count and firmly believes that 90% of internet problems are DNS-related. He lives in Austin, TX.
