An Easy Way to Create a Global Audit Policy

By leveraging a Windows feature called Global Object Access Auditing, you can create a global audit policy that will automatically log an event anytime an administrator changes the system registry on a domain controller.

Jan De Clercq

July 11, 2013


Q: What's the easiest way to create a global audit policy that will automatically log events for all administrator changes to the system registry on all the domain controllers (DCs) in a Windows domain?

A: To set up a global audit policy, you can leverage a Windows feature called Global Object Access Auditing, which Microsoft introduced in Windows Server 2008 R2. A global object access audit policy enforces an object access audit policy for a file system or registry folder without your having to configure and propagate conventional system access control list (SACL) settings on each individual machine. You can find a good introduction to this feature on TechNet's Global Object Access Auditing page.

To configure, apply, and validate a global object access audit policy for administrator changes to the system registry on your DCs, follow these steps:

  1. Log on to your domain as a member of the local Administrators group and start the Group Policy Management Console (GPMC).

  2. In the console tree, navigate to Domains\<domain name>\Group Policy Objects\Default Domain Controllers Policy, where <domain name> is the name of your domain. Right-click Default Domain Controllers Policy and click Edit.

  3. In the Group Policy Management Editor, navigate to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies container.

  4. Double-click Object Access, then double-click Audit Registry. Select the Configure the following audit events check box, select the Success and Failure check boxes, and click OK.

  5. Double-click Global Object Access Policies, then double-click Registry. Select the Define this policy setting check box and click Configure.

  6. In the Advanced Security Settings for Global Registry SACL box, click Add. Add all default administrator groups (e.g., Domain Admins, Enterprise Admins), plus any custom administrator groups that you've defined and want to audit, to the list.

  7. In the Auditing Entry for Global Registry SACL box, select the Successful or Failed activities (e.g., Create Subkey, Delete, Change Permissions, Read) for which you want to log audit entries.

  8. Click OK three times to complete the audit policy configuration.

  9. Apply the Group Policy Object (GPO) change. On each of your DCs, open a command prompt and run the command:

    gpupdate /force
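Once the GPO has been applied, you will want to confirm on each DC that the policy is actually in effect and that registry changes by administrators are producing audit events. The following PowerShell is an added example, not part of the original article: it reads the effective Audit Registry subcategory and the global registry SACL with auditpol, checks that the groups you added in step 6 appear in the SACL, and then pulls recent registry audit events (4657, 4660 and 4663) from the Security log. It assumes an English-language DC (auditpol output is parsed as text), that the names in $ExpectedPrincipals match the groups you chose, and that it runs from an elevated prompt.

```powershell
# Added validation example (not the article's own code). Run elevated on a DC
# after 'gpupdate /force'. Assumes English auditpol output.

# Groups expected in the Global Registry SACL; assumption: these match step 6
# plus any custom admin groups you added.
$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins')

function Get-RegistryAuditSubcategory {
    # Returns the effective setting of Object Access > Registry,
    # e.g. 'Success and Failure', or 'Unknown' if it cannot be parsed.
    $text = (auditpol /get /subcategory:"Registry" 2>&1) -join "`n"
    $m = [regex]::Match($text, '(?m)^\s*Registry\s{2,}(.+?)\s*$')
    if (-not $m.Success) { return 'Unknown' }
    return $m.Groups[1].Value
}

function Get-GlobalRegistrySacl {
    # Lists the Global Object Access Auditing entries for registry keys.
    (auditpol /resourceSACL /type:Key /view 2>&1) -join "`n"
}

function Test-GlobalRegistryAuditPolicy {
    # Combines both checks into one result object for the operator.
    $setting = Get-RegistryAuditSubcategory
    $sacl    = Get-GlobalRegistrySacl
    $missing = @($ExpectedPrincipals | Where-Object { $sacl -notmatch [regex]::Escape($_) })
    [pscustomobject]@{
        AuditRegistrySubcategory = $setting
        SubcategoryOk            = ($setting -eq 'Success and Failure')
        MissingPrincipals        = $missing
        SaclOk                   = ($missing.Count -eq 0)
    }
}

function Get-RecentRegistryAuditEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    # 4657 = a registry value was modified, 4663 = an attempt was made to access
    # an object (both under the Audit Registry subcategory), 4660 = object deleted.
    $filter = @{
        LogName   = 'Security'
        Id        = 4657, 4660, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
            }
        }
}

Test-GlobalRegistryAuditPolicy | Format-List
Get-RecentRegistryAuditEvents | Format-Table -AutoSize
```

If SubcategoryOk is false even though the GPO shows Audit Registry configured, check that the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, since a legacy category-level audit policy can otherwise take precedence over the advanced audit policy settings. No events in the second table after an administrator has edited a key under test is the other sign that the global SACL has not taken effect on that DC.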
