Get Active Directory data
The Content Pack for Windows Dashboards and Reports provides visibility into the health and performance of your Microsoft Windows Server and Active Directory environments. You can change the Active Directory audit policy to allow the domain controllers to generate events and logs for the dashboards and reports in the content pack.
Active Directory audit policy
By default, Active Directory does not automatically audit certain security events. You must enable auditing of these events so that your domain controllers log them into the Security event log channel.
Perform the following high-level steps to enable security event auditing:
- Create a Group Policy Object (GPO). You can combine both the PowerShell and audit settings into a single GPO. Create and deploy these GPOs separately from other GPOs.
- Deploy that GPO to all domain controllers (DCs) in your Active Directory environment.
- Once you activate the GPO, your DCs log these security events into the Security event log.
- Install universal forwarders (as deployment clients) to the domain controllers and deploy the appropriate Active Directory add-ons into those clients.
- The universal forwarders collect the logs and forward them to the central Content Pack for Windows Dashboards and Reports indexers.
Potential impact of security event auditing and indexing volume
When you enable auditing of the Security Event Log on your domain controllers, the domain controllers (DCs) generate a large volume of data. The security events data significantly increases indexing volume and can cause indexing license violations. You can experience decreased performance on your domain controllers based on the volume of additional data the servers generate.
If you are concerned about the impact of enabling security event auditing, you can adjust policy settings to only generate the data you deem valuable. If you choose to disable any policy settings, this will impact the amount of data sent to the content pack.
Refer to the following table to learn which policy settings generate which event types, and how the Content Pack for Windows Dashboards and Reports uses those events to populate its dashboards, reports, and lookups:
This is not an all-inclusive list. The app correlates some lookups across various policy settings, as multiple events often derive a single knowledge object. Failure to enable all of the policy settings might cause the content pack to display incomplete or incorrect knowledge objects on the dashboards and reports.
Policy setting | Required | Uses by the content pack |
---|---|---|
Audit Account Logon Events | Yes |
Administrator Audit dashboards |
Audit Account Management | No |
Administrator Audit dashboards |
Audit Logon Events | No |
Administrator Audit dashboards |
Audit Object Access | No |
Administrator Audit dashboards |
Audit Policy Change | No |
Security > Reports > Group Policy Reports |
Audit System Events | No | Directory Services replication events |
Advanced Audit Policy settings
You can use the Advanced Audit Policy (AAP) configuration settings to control which events your domain controllers send to the content pack.
If you need more granularity in the types of audit events you want generated, review the eventtypes.conf file for the event codes that the app looks for. With this event code information, you can create a GPO that enables AAP and generates audit events for only the event codes you specify.
When you enable AAP, Windows disables configurations for standard Audit Policy.
Enable auditing on Windows server
Refer to the following sets of steps to create a new GPO, edit the GPO audit policy, and deploy the GPO.
Create a new GPO
Perform the following steps to create a new Group Policy Object (GPO):
- From the Windows Start menu, click Start > Administrative Tools > Group Policy Management.
- In the left pane, under Group Policy Management, expand the forest and domain for which you want to set group policy.
- Right-click Group Policy objects and select New.
- In the dialog window that opens, enter a unique name for your new GPO that you will remember in the Name field, and select None for the Source Starter GPO field.
Edit the GPO
Perform the following steps to change the audit policy:
- Open the GPO for editing by right-clicking the newly created GPO In the Group Policy Objects window and selecting Edit.
- In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policy > Audit Policy.
- Enable both Success and Failure auditing of the following policy settings:
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit system events
- Close the Group Policy Object Editor window to save your changes.
Deploy the GPO
Perform the following steps to deploy the GPO:
- In Group Policy Management, in the left pane of the window, right-click on the Domain Controllers item and click Link an existing GPO.
- In the window that appears, select the GPO you created.
- Click OK. The GPMC refreshes to show that your GPO is now linked to the Domain Controllers organizational unit.
Get Windows server data | Troubleshoot the Content Pack for Windows Dashboards and Reports |
This documentation applies to the following versions of Content Pack for Windows Dashboards and Reports: 1.2.0, 1.2.1, 1.2.2, 1.3.0
Feedback submitted, thanks!