A. You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.
- Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
- From the View menu, select Advanced Features.
- Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
- Select the Group Policy tab.
- Select Default Domain Controllers Policy, and click Edit.
- Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
- Select Audit Policy.
- The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
- Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.
Click here to view image
- Close the Group Policy window.
- In the main Domain Controllers Properties dialog box, click OK.
- Close the Active Directory Users and Computers MMC snap-in.
You can use Event Viewer to view the logs in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.