Active Directory Audit Policy Configuration Guide
This guide covers the Windows Advanced Audit Policy settings required for SlashID to monitor your Active Directory environment. These settings control which security events Windows generates and are configured via Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration in Group Policy.
Logon/Logoff → Audit Logon
Required setting: Success and Failure
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4624 | Successful logon | Success | Machine receiving the logon (DC for Kerberos, target for NTLM) |
| 4625 | Failed logon | Failure | Machine receiving the logon attempt |
| 4634 | Account logoff | Success | Machine where session existed |
| 4648 | Explicit credential logon (runas) | Success | Source machine where explicit credentials were used (not the DC or target) ⚠️ |
⚠️ 4648 collection is optional but recommended. This event is logged on the machine that initiated the outbound authentication, not on the DC or target. It is only available if log forwarding includes non-DC source machines. DC-only collection environments will not produce these events. If available, 4648 events provide additional visibility into explicit credential use such as `runas` or `net use` with alternate credentials.
Logon/Logoff → Audit Special Logon
Required setting: Success
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4672 | Special privileges assigned to new logon | Success | Machine where the privileged logon occurred |
Account Logon → Audit Credential Validation
Required setting: Success and Failure
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4776 | NTLM credential validation | Success and Failure | Machine that validated the credentials (DC for domain accounts) |
Account Logon → Audit Kerberos Authentication Service
Required setting: Success and Failure
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4768 | Kerberos TGT requested | Success and Failure | Domain controller |
Account Logon → Audit Kerberos Service Ticket Operations
Required setting: Success and Failure
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4769 | Kerberos service ticket (TGS) requested | Success and Failure | Domain controller |
DS Access → Audit Directory Service Access
Required setting: Success
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4662 | Operation performed on a directory object | Success | Domain controller |
Note: 4662 also requires a SACL (System Access Control List) on the specific AD objects to be audited. The audit policy alone is not sufficient — the relevant objects must have auditing entries configured in their security descriptors (e.g., via the Security tab in AD Users and Computers → Advanced → Auditing).
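Because 4662 is only generated for objects that carry auditing entries, it is worth confirming the SACL on the objects you care about. The following script is an added example, not SlashID's own code; it assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) is installed and that you run it elevated, since reading a SACL needs the security privilege. The distinguished name defaults to the domain root.

```powershell
# Added example (not from SlashID): list the auditing entries (SACL) on an AD
# object. If none exist, the audit policy alone will not produce 4662 for it.
# Assumes the ActiveDirectory module and its AD: drive are available.
param([string]$DistinguishedName = (Get-ADDomain).DistinguishedName)

Import-Module ActiveDirectory

# -Audit reads the SACL rather than the DACL; this requires an elevated session.
$acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit

if (-not $acl.Audit -or $acl.Audit.Count -eq 0) {
    Write-Warning "No auditing entries on $DistinguishedName; 4662 will not be logged for operations on it."
    return
}

# Each entry shows who is audited, for which rights, and whether inheritance
# pushes the entry down to child objects (InheritanceType).
$acl.Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Run it against a specific OU or object by passing its distinguished name as the first argument.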
Account Management → Audit Security Group Management
Required setting: Success
| Event ID | Description | Success/Failure | Logged on |
|---|---|---|---|
| 4728 | Member added to a security-enabled global group | Success | Domain controller |
Events Not Covered by Security Audit Policy
The following events are written to the Directory Service log rather than the Security log and are not controlled by audit policy settings.
| Event ID | Description | Log | Notes |
|---|---|---|---|
| 2887 | LDAP insecure binding summary (24h) | Directory Service | Logged automatically on DCs with the AD DS role. If not appearing, ensure LDAP diagnostics logging level is ≥ 2. |
| 2889 | Individual LDAP insecure bind attempt | Directory Service | Requires the 16 LDAP Interface Events diagnostics registry value set to ≥ 2. |
Important: Your log forwarding configuration must include the Directory Service log in addition to the Security log for these events to reach SlashID.
Summary
Required Audit Policies
| Audit Subcategory | Required Setting | Scope |
|---|---|---|
| Audit Logon | Success and Failure | Domain controllers (required); member servers (recommended) |
| Audit Special Logon | Success | Domain controllers (required); member servers (recommended) |
| Audit Credential Validation | Success and Failure | Domain controllers |
| Audit Kerberos Authentication Service | Success and Failure | Domain controllers |
| Audit Kerberos Service Ticket Operations | Success and Failure | Domain controllers |
| Audit Directory Service Access | Success | Domain controllers |
| Audit Security Group Management | Success | Domain controllers |
Minimum vs Recommended Collection Scope
Minimum (DC-only): Forwarding Security and Directory Service logs from domain controllers provides coverage for Kerberos authentication, NTLM credential validation (4776), group changes, directory access, and LDAP security events. This is sufficient for core functionality.
Recommended (DCs + member servers): Additionally forwarding logs from member servers provides visibility into NTLM logon events (4624/4625), explicit credential usage (4648), and privileged logon activity (4672) on those machines. This improves coverage for lateral movement and credential misuse scenarios.
Quick Verification
Run on a target machine to verify the audit policy is correctly applied:
```
auditpol /get /subcategory:"Logon","Special Logon","Credential Validation","Kerberos Authentication Service","Kerberos Service Ticket Operations","Directory Service Access","Security Group Management"
```
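To turn that manual check into a pass/fail report, the script below (an added example, not SlashID's own tooling) compares the effective audit policy on the machine against the Required Audit Policies table in the Summary and, on domain controllers, checks the NTDS diagnostics value that event 2889 depends on. It assumes an elevated PowerShell session and an English-language `auditpol`, whose subcategory names it matches by text.

```powershell
# Added example (not from SlashID): verify this machine's effective audit
# policy against the required settings and the LDAP diagnostics level.
$required = [ordered]@{
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success'
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Directory Service Access'           = 'Success'
    'Security Group Management'          = 'Success'
}

# auditpol /r prints CSV; the "Inclusion Setting" column holds the effective
# value (No Auditing, Success, Failure, or Success and Failure).
$effective = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory.Trim()] = $_.'Inclusion Setting' }

$results = foreach ($sub in $required.Keys) {
    $want = $required[$sub]
    $have = if ($effective.ContainsKey($sub)) { $effective[$sub] } else { 'NOT FOUND' }
    # "Success and Failure" also satisfies a requirement of plain "Success".
    $ok = ($have -eq $want) -or ($want -eq 'Success' -and $have -eq 'Success and Failure')
    [pscustomobject]@{ Subcategory = $sub; Required = $want; Effective = $have; OK = $ok }
}
$results | Format-Table -AutoSize

# 2889 needs "16 LDAP Interface Events" >= 2 under the NTDS Diagnostics key,
# which only exists on domain controllers. A missing value reads as 0.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
if (Test-Path $ntds) {
    $level = [int](Get-ItemProperty -Path $ntds).'16 LDAP Interface Events'
    if ($level -ge 2) { "LDAP Interface Events diagnostics level: $level (OK)" }
    else { Write-Warning "LDAP Interface Events level is $level; 2889 is not logged until it is >= 2." }
} else {
    'No NTDS Diagnostics key found: not a domain controller, LDAP checks skipped.'
}

# Non-zero exit makes the script usable from a scheduled or CI-style check.
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```

On a non-English system the subcategory names are localized, so key the lookup on the Subcategory GUID column of the CSV instead of the name.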
Important Notes
- Advanced audit policies override legacy policies. If both are configured via GPO, the advanced policy settings take effect and legacy settings are silently ignored. Ensure you are not mixing legacy and advanced audit policy settings.
- Event forwarding scope matters. Several events under Audit Logon (4624, 4625, 4634, 4648) and Audit Special Logon (4672) are logged on the machine directly involved in the authentication, not the DC. If only DC logs are forwarded, NTLM-based logon events on member servers will not be collected. NTLM credential validation (4776) on the DC provides an alternative signal for NTLM activity in DC-only environments.
- 4648 requires source machine forwarding. Unlike other logon events, 4648 is logged on the machine that initiated the explicit credential use. It will only appear in DC-only collection if someone uses explicit credentials directly on a domain controller.
- GPO propagation timing. Group Policy refreshes approximately every 90 minutes with a random offset of up to 30 minutes. Use `gpupdate /force` on specific machines to apply changes immediately for testing.
- Log volume considerations. Enabling failure auditing (particularly for Audit Logon) can significantly increase log volume on busy servers, especially if there are service accounts with misconfigured credentials. Monitor log volume after enabling these settings.