
Audit SAM User Events in Windows 2012 R2

TL;DR

This guide shows you how to enable auditing for specific events related to user accounts (SAM users) in Active Directory on a Windows Server 2012 R2 domain controller. This helps track changes and potential security issues.

Auditing SAM User Events in Windows 2012 R2

  1. Open Group Policy Management
     On your domain controller, open Server Manager. Go to Tools > Group Policy Management.

  2. Edit the Default Domain Controllers Policy
     In the Group Policy Management console, expand Forest: yourdomain.com > Domains > yourdomain.com and right-click on Default Domain Controllers Policy. Select Edit.

  3. Navigate to Audit Settings
     In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

  4. Configure Audit Object Access
     Double-click on Audit object access. Configure the following:

     • Success: Check this box to audit successful accesses.
     • Failure: Check this box to audit failed accesses. This is important for detecting unauthorized attempts.
     • Click Advanced.

  5. Configure Advanced Audit Object Access Settings
     In the Advanced Security Settings window:

     • Click Add.
     • Enter SAM Compatible Name in the Select Principal box and click Find Now. Select the user account you want to audit (or leave it blank for all users). Click OK.
     • In the Access this object section, select All Access from the dropdown menu.
     • Under Apply auditing to, check the following event types:
       • Create: Audits when a new user account is created.
       • Delete: Audits when a user account is deleted.
       • Change permissions: Audits changes to user account permissions.
       • Set attributes: Audits changes to user account properties (e.g., password, address).
     • Click OK twice to save the settings.

  6. Configure Audit Directory Service Access
     Double-click on Audit directory service access. Configure the following:

     • Success: Check this box to audit successful accesses.
     • Failure: Check this box to audit failed accesses.
     • Click Advanced.

  7. Configure Advanced Audit Directory Service Access Settings
     In the Advanced Security Settings window:

     • Click Add.
     • Enter SAM Compatible Name in the Select Principal box and click Find Now. Select the user account you want to audit (or leave it blank for all users). Click OK.
     • Under Apply auditing to, check the following event types:
       • Read: Audits when a user’s attributes are read.
       • Write: Audits when a user’s attributes are modified.
     • Click OK twice to save the settings.

  8. Update Group Policy
     Open Command Prompt as an administrator and run:

         gpupdate /force

     This forces a refresh of the group policy on all domain controllers.

  9. View Audit Logs
     The audit logs are stored in the Security event log. Open Event Viewer (Control Panel > Administrative Tools > Event Viewer) and navigate to Windows Logs > Security.

     Filter the Security log by Event IDs related to object access or directory service access. Common Event IDs include:

     • 4657: A user account was created.
     • 4658: A user account was deleted.
     • 4662: User account was enabled/disabled.
     • 4663: An attempt to change an account’s attributes was made.
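To make the last step repeatable instead of clicking through Event Viewer filters, here is an added PowerShell example (not part of the original guide) that pulls the Event IDs listed above from the Security log and flattens each event's structured EventData into one row per event. It assumes it is run elevated on the domain controller after gpupdate; the EventData names it reads (SubjectUserName, TargetUserName, ObjectName, AccessMask) are standard Security-log field names, but not every listed ID carries all of them, so some columns will be blank for some events.

```powershell
# Added example, not code from the original post.
# Event IDs exactly as listed in the guide above.
$AuditIds = 4657, 4658, 4662, 4663

function Get-SamAuditEvents {
    param(
        [int]$Hours = 24,
        [int[]]$Id = $AuditIds,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Security'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no rows".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The structured fields live in the event XML, not in the Message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Computer    = $_.MachineName
                SubjectUser = $data['SubjectUserName']    # who performed the action
                SubjectDom  = $data['SubjectDomainName']
                Target      = $data['TargetUserName']     # present on account-related events
                ObjectName  = $data['ObjectName']         # present on object-access events
                AccessMask  = $data['AccessMask']
            }
        }
}

# Usage: last 7 days, newest first, plus a per-ID count to see which IDs are noisy.
$events = Get-SamAuditEvents -Hours (7 * 24) | Sort-Object Time -Descending
$events | Format-Table Time, Id, SubjectUser, Target, ObjectName -AutoSize
$events | Group-Object Id | Select-Object Name, Count

# Optional: hand the rows to a SIEM or attach them to a ticket.
# $events | Export-Csv -Path .\sam-audit-events.csv -NoTypeInformation
```

Run it once with a short window right after gpupdate /force to confirm events are actually being written before relying on the policy.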