Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track

Oct 27, 2016
Author:
Kevin Sullivan
former Group Policy MVP and Configuration Management Expert

Active Directory Auditing

Recently, I hosted a webinar, Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast. In this post I am going to share some of the resources discussed during the webinar. Although auditing Active Directory (AD) and Group Policy (GP) has not changed a great deal since Windows Server 2008, there are some newer resources, and some old standards that deserve a reminder from time to time.

The webinar covered the core techniques and challenges of auditing AD and GP, what has changed over the years, and some PowerShell techniques to add to the tool box. Here are some resources to explore.

Microsoft Protocol Documentation

When embarking on an auditing effort, or on any kind of forensics, a deep understanding of how the technology works is important. Staring at a massive pile of events can make your head hurt, but knowing what you are looking for makes the needle in the haystack a great deal easier to find.

The details of Microsoft technologies are documented in the protocol documents on MSDN. These documents, often referred to as Technical Specifications, were the outcome of an enormous effort by Microsoft's engineering teams. Every message that crosses the wire is documented in the specifications, and the level of detail is remarkable. Here are a few for Active Directory, GP auditing, core GP and GP security:

    • MS-ADTS (Active Directory Technical Specification) - https://msdn.microsoft.com/en-us/library/cc223122.aspx
    • MS-GPAC (Group Policy: Audit Configuration Extension) - https://msdn.microsoft.com/en-us/library/dd973843.aspx
    • MS-GPOL (Group Policy: Core Protocol) - https://msdn.microsoft.com/en-us/library/cc232478.aspx
    • MS-GPSB (Group Policy: Security Protocol Extension) - https://msdn.microsoft.com/en-us/library/cc232743.aspx

Microsoft Auditing Time – Great for Audit Planning

Check out the paper from Microsoft that goes through, in excruciating detail, the audit categories and the individual audit events in Windows 10 and Windows Server 2016. The information is relevant to earlier versions of the OS as well. It is only 730+ pages, so some light reading over lunch! I am finding it a great reference whenever I am in a discussion around audit planning for an organization. One key to successful auditing is to collect only what you need and what you will actually consume. Some audit categories are extremely chatty and will clog up your logs while providing little or no value.
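The "collect only what you need" point is easier to enforce when the policy is checked by script rather than by eye. The following is an added example, not from the webinar or the Microsoft paper: it compares a domain controller's advanced audit policy with a small baseline for AD change auditing and can apply it. The baseline itself (which subcategories, at which setting) is this example's suggestion; the subcategory names are the ones auditpol prints on an English system. The SACL helper assumes that the ActiveDirectory module is present and that Get-Acl on the AD: drive accepts -Audit, which it does on current RSAT builds.

```powershell
# Added example: audit-policy baseline check for a domain controller.
# Run in an elevated PowerShell on a DC. Needs the ActiveDirectory module (RSAT)
# only for Add-DomainChangeSacl.
param([switch]$Apply, [switch]$AddSacl)

# Subcategory -> desired setting, in the exact form auditpol prints under "Inclusion Setting".
$Baseline = [ordered]@{
    'Directory Service Changes'   = 'Success'              # 5136/5137/5139/5141 object change events
    'Directory Service Access'    = 'Failure'              # Success here floods 4662; leave it off
    'User Account Management'     = 'Success and Failure'
    'Security Group Management'   = 'Success and Failure'
    'Computer Account Management' = 'Success'
    'Audit Policy Change'         = 'Success and Failure'  # catch someone switching auditing off
}

function Get-AuditPolicyState {
    # auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting; parse that, not the table view.
    $state = @{}
    auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
        $state[$_.Subcategory] = $_.'Inclusion Setting'
    }
    return $state
}

function Compare-AuditBaseline {
    param([hashtable]$Current, $Wanted)
    foreach ($sub in $Wanted.Keys) {
        $have = if ($Current.ContainsKey($sub)) { $Current[$sub] } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $sub
            Current     = $have
            Wanted      = $Wanted[$sub]
            Drift       = ($have -ne $Wanted[$sub])
        }
    }
}

function Set-AuditBaseline {
    param($Wanted)
    foreach ($sub in $Wanted.Keys) {
        $success = if ($Wanted[$sub] -like '*Success*') { 'enable' } else { 'disable' }
        $failure = if ($Wanted[$sub] -like '*Failure*') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$sub" "/success:$success" "/failure:$failure" | Out-Null
    }
}

function Add-DomainChangeSacl {
    # Enabling "Directory Service Changes" alone produces nothing: the 5136-style events are
    # only generated for objects whose SACL asks for them. This adds a Success audit ACE for
    # Everyone on property writes, inherited by every object under the domain root.
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DomainDn" -Audit
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',        # Everyone
        [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty',
        [System.Security.AccessControl.AuditFlags]'Success',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]'All')
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$DomainDn" -AclObject $acl
}

$report = Compare-AuditBaseline -Current (Get-AuditPolicyState) -Wanted $Baseline
$report | Format-Table -AutoSize

if ($Apply -and ($report | Where-Object Drift)) {
    Set-AuditBaseline -Wanted $Baseline
    Write-Host 'Baseline applied; re-run without -Apply to confirm.'
}
if ($AddSacl) { Add-DomainChangeSacl }
```

Two caveats a practitioner will hit. First, subcategory settings made with auditpol are silently overridden by the legacy nine-category audit policy unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; a Group Policy that sets the old categories will undo the baseline at the next refresh. Second, the object SACL is as important as the subcategory: without the audit ACE, the Directory Service Changes subcategory records nothing, and with an over-broad one (ReadProperty for Everyone, say) it records everything.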

Auditing Group Policy

There are a few areas of GP auditing that present challenges, and some very interesting GP-related security implications that are worth exploring. GPO discoverability, that is, the ability to use GP data to locate systems on which individual users have rights, was a topic of discussion at this year's Black Hat conference. My colleague Darren Mar-Elia, GP MVP and founder of SDM Software, recently put up a few interesting blog posts that are worth reading: 'Security fun with Bloodhound', 'Changes in GP Processing Behavior' and an overview of 'GP Permissions'.

One of my favorite GP-related resources for troubleshooting and auditing has been around for a long time. This paper explains the structured scheme behind Group Policy events and the categories those events fall into. If you work a lot in Group Policy and want to limit your auditing to the events that are actually relevant, it is an important resource.
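The event scheme is what makes the Group Policy operational log tractable: every event in one processing cycle carries the same ActivityId, and the event ID's thousands digit tells you what kind of event it is. As an added example (not code from the post or the paper), the script below reconstructs recent processing cycles from Microsoft-Windows-GroupPolicy/Operational and lists the ones that ended with a warning or error. It assumes the ID ranges as the author understands them (4000-4007 start a cycle, 5xxx report success, 6xxx warnings, 7xxx errors); confirm those ranges against the documentation before relying on them in a detection rule.

```powershell
# Added example: correlate Group Policy operational-log events into processing cycles.
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

function Get-Severity([int]$Id) {
    # Assumed ID scheme: 4xxx start, 5xxx success, 6xxx warning, 7xxx error.
    switch ($Id) {
        { $_ -ge 4000 -and $_ -lt 5000 } { 'Start';   break }
        { $_ -ge 5000 -and $_ -lt 6000 } { 'Success'; break }
        { $_ -ge 6000 -and $_ -lt 7000 } { 'Warning'; break }
        { $_ -ge 7000 -and $_ -lt 8000 } { 'Error';   break }
        default                          { 'Other' }
    }
}

function Get-FirstLine([string]$Text) { ($Text -split "`r?`n")[0] }

# One object per processing cycle (ActivityId): when it started, what triggered it,
# the worst outcome seen, and every warning/error raised during that cycle.
$cycles = $events |
    Where-Object { $_.ActivityId } |
    Group-Object ActivityId |
    ForEach-Object {
        $inCycle  = $_.Group | Sort-Object TimeCreated
        $start    = $inCycle | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } | Select-Object -First 1
        $problems = $inCycle | Where-Object { (Get-Severity $_.Id) -in 'Warning', 'Error' }
        $outcome  = if ($problems | Where-Object { (Get-Severity $_.Id) -eq 'Error' }) { 'Error' }
                    elseif ($problems) { 'Warning' } else { 'Success' }
        [pscustomobject]@{
            ActivityId = $_.Name
            Started    = if ($start) { $start.TimeCreated } else { $inCycle[0].TimeCreated }
            Trigger    = if ($start) { Get-FirstLine $start.Message } else { '<start event outside window>' }
            Outcome    = $outcome
            Problems   = @($problems | ForEach-Object { '{0} {1}' -f $_.Id, (Get-FirstLine $_.Message) })
        }
    } | Sort-Object Started -Descending

$cycles | Select-Object Started, Trigger, Outcome, ActivityId | Format-Table -AutoSize

# Drill into any cycle that did not end cleanly.
foreach ($c in $cycles | Where-Object Outcome -ne 'Success') {
    Write-Host "`n[$($c.Outcome)] cycle $($c.ActivityId) started $($c.Started)"
    $c.Problems | ForEach-Object { Write-Host "  $_" }
}
```

The same grouping works remotely (pass -ComputerName) if the operational log is not being forwarded. When a cycle shows no 4000-4007 start event, it usually means the window cut it off rather than that the log is corrupt; widen -Hours before drawing conclusions.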

AD forensics, PowerShell and a MS Blog to Watch

The last resource is really a plug for someone else. Ashley McGlone (goateePFE) is one of those people who is full of information, entertaining and practical. What he shares on his blog is some of the best material out there, and the sessions he delivered for the Microsoft Virtual Academy are excellent. They are so full of information that you may find yourself going back to a specific module (module 7, on AD forensics) and watching it over and over.
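One AD forensics technique from that kind of material is worth showing in working form: when the Security log has rolled over or was never configured, replication metadata still tells you when an attribute changed and on which DC the change originated, and you can then go to that DC's log for "who". The script below is an added example, the author's own rather than Ashley McGlone's code; every function name, threshold and field index in it is this example's own. It assumes the ActiveDirectory module (RSAT), DCs on Windows Server 2012 or later, and rights to read the Security log on the originating DC.

```powershell
# Added example: reconstruct group membership changes from replication metadata, then
# pivot to the originating DC's Security log for the subject who made the change.
param(
    [Parameter(Mandatory)][string]$GroupName,
    [int]$Days = 30,
    [string]$Server = (Get-ADDomain).PDCEmulator
)
Import-Module ActiveDirectory

function Get-GroupMembershipHistory {
    param([string]$GroupName, [int]$Days, [string]$Server)
    $group = Get-ADGroup -Identity $GroupName -Server $Server
    $since = (Get-Date).AddDays(-$Days)

    # -ShowAllLinkedValues returns one row per member value, current and removed alike;
    # removed values stay visible until the deleted-object lifetime expires.
    $meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server `
                -Properties member -ShowAllLinkedValues

    foreach ($m in $meta) {
        if ($m.LastOriginatingChangeTime -lt $since) { continue }
        # A removed linked value carries a real delete timestamp; an active one does not.
        $removed = $m.LastOriginatingDeleteTime -and $m.LastOriginatingDeleteTime.Year -gt 1601
        # The originating DC is reported as its NTDS Settings DN; pull the server name out of it.
        $dc = if ($m.LastOriginatingChangeDirectoryServerIdentity -match '^CN=NTDS Settings,CN=([^,]+)') {
                  $Matches[1]
              } else { $m.LastOriginatingChangeDirectoryServerIdentity }
        [pscustomobject]@{
            Group         = $group.SamAccountName
            Member        = $m.AttributeValue
            Change        = if ($removed) { 'Removed' } else { 'Added' }
            When          = $m.LastOriginatingChangeTime
            OriginatingDC = $dc
            Version       = $m.Version    # climbs with every add/remove of the same value
        }
    }
}

function Get-OriginatingSecurityEvents {
    # Look on the originating DC for the matching membership audit events around the
    # metadata timestamp: 4728/4732/4756 for adds, 4729/4733/4757 for removals
    # (global/local/universal security groups). Field indexes follow the 4728-family
    # event template (MemberName at 0, SubjectUserName at 6, SubjectDomainName at 7);
    # that order is an assumption to verify on your OS build.
    param($Change, [int]$WindowMinutes = 5)
    $ids = if ($Change.Change -eq 'Added') { 4728, 4732, 4756 } else { 4729, 4733, 4757 }
    $filter = @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = $Change.When.AddMinutes(-$WindowMinutes)
        EndTime   = $Change.When.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -ComputerName $Change.OriginatingDC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Change.Group) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Member';  e = { $_.Properties[0].Value } },
            @{ n = 'Subject'; e = { '{0}\{1}' -f $_.Properties[7].Value, $_.Properties[6].Value } }
}

$history = Get-GroupMembershipHistory -GroupName $GroupName -Days $Days -Server $Server |
           Sort-Object When -Descending
$history | Format-Table -AutoSize

foreach ($change in $history) {
    Write-Host "`n$($change.Change) $($change.Member) at $($change.When) via $($change.OriginatingDC):"
    Get-OriginatingSecurityEvents -Change $change | Format-Table -AutoSize
}
```

Metadata only keeps the latest state of each value, so a member that was added, removed and re-added within the window shows up once, with the Version counter as the only hint that it churned. It answers "when" and "where" reliably; "who" still needs the Security log on the originating DC (or a forwarded copy), which is why the two steps belong together.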

Summary

Auditing Active Directory and Group Policy, and performing any kind of forensic analysis on them, is a challenging prospect. It is not impossible, though, and with some commitment to learning it becomes quite intuitive. Spend the time exploring these resources and build up your skills and knowledge in the area; it will pay off. The sheer complexity of the architecture, and the huge volume of data that auditing can generate, is why so many software solutions have sprung up in the ISV community over the years. Knowledge is great, but having the right tools to be efficient is also critical.

If you didn't catch my webinar live, you can watch it now - Active Directory Auditing: Time-Saving Techniques to Get You on the Right Track, Fast.
