Check domain controllers audit configuration with this PowerShell script

Auditing helps you collect activities performed by different components of an Active Directory domain controller. Microsoft provides auditing configuration for domain controllers to help Active Directory administrators audit events such as Active Directory replication events, Active Directory configuration events, Active Directory changes events, and other events that a domain controller would perform. While Active Directory provides the capabilities to audit events, audit configuration must be enabled on the domain controllers. Another important item, as part of your Active Directory health check, is to ensure the audit configuration is consistent on all domain controllers in an Active Directory forest. For example, if you are auditing Directory Services Access, you must ensure that all domain controllers have Directory Service Access auditing enabled. Inconsistent audit configuration would lead to confusion. You may also not be able to troubleshoot an issue if a particular auditing category is not enabled on a domain controller.

Why enable auditing on domain controllers?

There are several reasons why you should enable auditing on domain controllers. One is to maintain a record of activities performed by the domain controllers in case you need to investigate an issue. Another is to retain the audit events generated by domain controllers for compliance and security reasons. Finally, if you plan to implement an event collector product that collects events from domain controllers and stores them in a central location, you will be required to enable audit configuration on the domain controllers, because a collector can only forward events that the domain controllers actually generate.

Four types of audit configuration for domain controllers

There are four types of audit configuration available for an Active Directory domain controller as listed below:

  • Directory Service Access: Audits low-level access to objects in Active Directory. For example, by enabling Directory Service Access, you can identify which fields of a user or computer account were accessed. The Directory Service Access setting must be enabled for compliance and security purposes.
  • Directory Service Changes: Directory Service Changes auditing determines whether the domain controller generates audit events when changes are made to users, computers, or any other objects in Active Directory. Enabling Directory Service Changes auditing can provide information about the old and new values of the properties that were changed.
  • Directory Service Replication: Directory Service Replication auditing determines whether the domain controller generates audit events when replication between two domain controllers begins.
  • Detailed Directory Service Replication: Detailed Directory Service Replication determines whether the domain controller generates audit events that contain detailed tracking information about replication data.

Which auditing configuration should you enable on domain controllers?

There are four types of audit configuration settings that can be enabled on domain controllers, as explained in the earlier section of this article, but you do not necessarily need to enable all of them. For example, enabling the Directory Service Replication audit configuration setting makes little sense in a large production environment: such an environment sees many changes in Active Directory, which causes many changes to be replicated, which in turn can fill the event logs if Directory Service Replication auditing is enabled. Similarly, enabling Detailed Directory Service Replication causes detailed replication data to be logged. Thus, it is recommended that you enable the Directory Service Access and Directory Service Changes audit configuration to be able to track changes made by Active Directory administrators; these two are also required for compliance purposes.

How do you check audit configuration?

A PowerShell script can be handy to check auditing configuration on domain controllers, but it is important to understand that the Microsoft PowerShell modules do not provide any cmdlets to check the auditing configuration on domain controllers. Instead, you must use AuditPol.exe. While it sounds a bit freaky, there is indeed no PowerShell cmdlet available to check audit configuration on domain controllers!

Checking auditing configuration on a single domain controller

AuditPol.exe provides several parameters through which you can check different parts of the auditing configuration. To check the audit configuration on a single domain controller and see which auditing categories are enabled, execute the command below:

Auditpol /get /Category:* /r

The output generated by the command above lists each auditing subcategory and the current setting configured for it. “No Auditing” means that a particular subcategory is not being audited. Since the /r switch makes AuditPol.exe produce CSV output, you can use output redirection in the command above to store the output in a CSV file, as shown in the command below:

Auditpol /get /Category:* /r > C:\Temp\AuditOutput.CSV

Note that the above command fetches the audit configuration of the local computer only. So if you are trying to get the audit configuration of a particular domain controller, you will be required to log on to that domain controller and then run the command above.

Checking auditing configuration on a remote domain controller

If you would like to get a list of audit categories from a remote domain controller, you will have to execute the AuditPol command remotely using the “Invoke-Command” PowerShell cmdlet. Unfortunately, AuditPol.exe does not ship with a parameter that can be used to specify a computer name, as most PowerShell cmdlets do. To get a list of audit categories from a remote domain controller, execute the commands below:

$ItemName = "DC1.TechGenix.com"
# AuditPol.exe has no computer-name parameter, so run it on the remote DC through PowerShell remoting
$AuditStatus = Invoke-Command -ComputerName $ItemName -ScriptBlock { auditpol.exe /get /Category:* /r }
$AuditStatus

As you can see in the commands above, I am using the “Invoke-Command” PowerShell cmdlet, which supports executing a script block on a remote computer specified in the -ComputerName parameter. You need to replace “DC1.TechGenix.com” with the name of the domain controller before executing the command. The command connects to the target domain controller, runs AuditPol.exe there, and lists the categories in the PowerShell window on the local computer.

Collecting auditing configuration from all domain controllers and generating a report

You may need to collect the audit configuration from all domain controllers in an Active Directory forest to ensure the audit configuration is consistent across all domain controllers. The PowerShell script below can be executed to collect the audit configuration and generate a report in CSV format.

# Input: one domain controller name per line. Output: the consolidated CSV report.
$GDCList = "C:\Temp\DCList.CSV"
$TestCSVFile = "C:\Temp\AuditReport.CSV"
# Temporary file that holds the raw AuditPol.exe CSV output of the DC being processed
$DataFileLocation = "C:\Temp\AuditOutput.CSV"
Remove-Item $TestCSVFile -ErrorAction SilentlyContinue
$STR = "Domain Controller, Directory Service Access, Directory Service Changes, Directory Service Replication, Detailed Directory Service Replication"
Add-Content $TestCSVFile $STR
$TestText = "Please check result"
$TestStatus = "Completed"
$SumVal = "NA"
$AnyGap = "No"
Foreach ($ItemName in Get-Content "$GDCList")
{
    # Reset the per-DC results so a subcategory missing from one DC's output is never reported with the previous DC's value
    $DirSuccessOrNot = "Unknown"
    $DirChangesOrNot = "Unknown"
    $DirReplOrNot = "Unknown"
    $DirReplDOrNot = "Unknown"
    Remove-Item $DataFileLocation -ErrorAction SilentlyContinue
    $Error.Clear()
    # AuditPol.exe has no computer-name parameter, so run it on the DC through PowerShell remoting
    $AuditStatus = Invoke-Command -ComputerName $ItemName -ScriptBlock { auditpol.exe /get /Category:* /r } -ErrorAction SilentlyContinue
    IF ($Error.Count -eq 0)
    {
        # AuditPol.exe /r output is CSV with a "Subcategory" and an "Inclusion Setting" column
        $AuditStatus > $DataFileLocation
        $CSV = Import-CSV $DataFileLocation
        ForEach ($Item in $CSV)
        {
            $MName = $Item.Subcategory
            $IncSet = $Item.'Inclusion Setting'
            IF ($MName -eq "Directory Service Access")
            {
                $DirSuccessOrNot = "Enabled"
                IF ($IncSet -eq "No Auditing") { $DirSuccessOrNot = "Not Enabled" }
            }
            IF ($MName -eq "Directory Service Changes")
            {
                $DirChangesOrNot = "Enabled"
                IF ($IncSet -eq "No Auditing") { $DirChangesOrNot = "Not Enabled" }
            }
            IF ($MName -eq "Directory Service Replication")
            {
                $DirReplOrNot = "Enabled"
                IF ($IncSet -eq "No Auditing") { $DirReplOrNot = "Not Enabled" }
            }
            IF ($MName -eq "Detailed Directory Service Replication")
            {
                $DirReplDOrNot = "Enabled"
                IF ($IncSet -eq "No Auditing") { $DirReplDOrNot = "Not Enabled" }
            }
        }
        $STR = $ItemName+","+$DirSuccessOrNot+","+$DirChangesOrNot+","+$DirReplOrNot+","+$DirReplDOrNot
        Add-Content $TestCSVFile $STR
        # Any category that is not enabled on this DC is a gap that the administrator should review
        IF ($DirSuccessOrNot -ne "Enabled" -or $DirChangesOrNot -ne "Enabled" -or $DirReplOrNot -ne "Enabled" -or $DirReplDOrNot -ne "Enabled")
        {
            $AnyGap = "Yes"
        }
    }
    else
    {
        # A DC that cannot be queried is also a gap: its audit state is unverified
        $STR = $ItemName+", ERROR: NOT Reachable"
        Add-Content $TestCSVFile $STR
        $AnyGap = "Yes"
    }
}
IF ($AnyGap -eq "Yes")
{
    $TestText = "Please check Domain Controller Auditing result."
    $SumVal = ""
    $TestStatus = "High"
}
else
{
    $TestText = " "
    $SumVal = ""
    $TestStatus = "Passed"
}

Once the PowerShell script has finished executing, you can see a report under “C:\Temp\AuditReport.CSV,” which contains one row per domain controller with the status (Enabled or Not Enabled) of each of the four audit categories, or “ERROR: NOT Reachable” for domain controllers that could not be queried. This is also shown in the screenshot below:


By looking at the output generated by the script, you can easily identify the domain controllers that do not have some part of the auditing enabled. As you can notice, DC3.TechGenix.com does not have auditing enabled for “Directory Service Access,” “Directory Service Changes,” “Directory Service Replication,” and “Detailed Directory Service Replication.” Similarly, DC4.TechGenix.com does not have auditing enabled for “Directory Service Changes” and “Detailed Directory Service Replication.” This inconsistency may lead to confusion if you are looking for a particular event on a domain controller where the corresponding auditing is not enabled.
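The consistency check the article asks for can be automated over the report the script above writes. The following is an added example, not part of the article's script or of DynamicPacks: it reads C:\Temp\AuditReport.CSV, flags every domain controller whose setting for a category differs from the majority of the forest, flags the two categories the article recommends (Directory Service Access and Directory Service Changes) wherever they are not enabled, and lists unreachable domain controllers as unverified. The file path and the required-category list are assumptions you can change.

```powershell
# Added example: consistency and baseline check over the AuditReport.CSV produced by the
# collection script above. This is not part of the article's script or of DynamicPacks.
$ReportFile = "C:\Temp\AuditReport.CSV"
# Categories the article recommends on every DC; replication auditing is intentionally not required
$RequiredCategories = @("Directory Service Access", "Directory Service Changes")

function Get-AuditGap {
    param([string]$Path, [string[]]$Required)
    $Lines = Get-Content $Path
    # The report header has a space after each comma, so trim the column names before parsing
    $Headers = ($Lines[0] -split ',') | ForEach-Object { $_.Trim() }
    $Rows = $Lines | Select-Object -Skip 1 | ConvertFrom-Csv -Header $Headers
    $Categories = $Headers | Select-Object -Skip 1
    # Unreachable DCs were written as "<DC>, ERROR: NOT Reachable", which lands in the second column
    $Unreachable = @($Rows | Where-Object { $_.($Categories[0]) -match 'ERROR' })
    $Reachable = @($Rows | Where-Object { $_.($Categories[0]) -notmatch 'ERROR' })

    foreach ($Row in $Unreachable) {
        [pscustomobject]@{ DC = $Row.'Domain Controller'; Category = '(all)'; Setting = 'Unknown'
                           Finding = 'DC not reachable; audit state could not be verified' }
    }
    foreach ($Cat in $Categories) {
        $Groups = @($Reachable | Group-Object -Property $Cat)
        if ($Groups.Count -gt 1) {
            # Inconsistent across the forest: report every DC that differs from the most common value
            $Majority = ($Groups | Sort-Object Count -Descending | Select-Object -First 1).Name
            foreach ($Row in ($Reachable | Where-Object { $_.$Cat -ne $Majority })) {
                [pscustomobject]@{ DC = $Row.'Domain Controller'; Category = $Cat; Setting = $Row.$Cat
                                   Finding = "Differs from majority setting ($Majority)" }
            }
        }
        if ($Required -contains $Cat) {
            foreach ($Row in ($Reachable | Where-Object { $_.$Cat -ne 'Enabled' })) {
                [pscustomobject]@{ DC = $Row.'Domain Controller'; Category = $Cat; Setting = $Row.$Cat
                                   Finding = 'Recommended category not enabled' }
            }
        }
    }
}

$Findings = @(Get-AuditGap -Path $ReportFile -Required $RequiredCategories)
if ($Findings.Count -eq 0) {
    "All reachable domain controllers have a consistent audit configuration that meets the baseline."
} else {
    $Findings | Sort-Object DC, Category | Format-Table -AutoSize
}
```

A domain controller can appear twice for the same category (once as inconsistent with the majority and once as missing a recommended category); both findings are deliberate, since the second one still applies when the majority of domain controllers is itself misconfigured.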

The PowerShell script was obtained from the “Active Directory Domain Controller Auditing Health Check Test” Dynamic Pack from DynamicPacks IT Health Profiler. DynamicPacks IT Health Profiler is capable of reporting health on several components of Active Directory. To get the audit configuration for all domain controllers by using DynamicPacks IT Health Profiler, execute the “Domain Controller DS Audit Policy” Dynamic Pack as shown in the screenshot below:

Once you have executed the Dynamic Pack, you can go to “Summary Window” to see the audit configuration settings for all domain controllers.

Featured image: Shutterstock
