Here are the steps to set up Active Directory auditing:
- Enable Advanced Auditing
Go to Server Manager > Tools > Group Policy Management > Forest > Domains > DomainName > Default Domain Policy > expand Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration - Create an audit policy
Create a new policy with the settings to monitor the Active Directory objects and services. - Set up the audit logging
Enable the advanced audit logging in the Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy > Audit logon events. Ensure the 'Audit account logon events' is checked. - Define a security filter
Set the security filter in the Default Domain Policy on each domain controller to control the individual objects that will be tracked in the Active Directory. - Configure the Domain Controller auditing
Configure the audit policy in the Default Domain Controller Policy on each domain controller to track authentication failure, account accesses, logon success/failure, and others.
