Configuring 'Manage Auditing and Security Log' Policy

NOTE: Perform this procedure only if the account selected for data collection is not a member of the Domain Admins group.

  1. Open the Group Policy Management console on any domain controller in the target domain: navigate to Start → Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) → Group Policy Management.

  2. In the left pane, navigate to Forest: <forest_name> → Domains → <domain_name> → Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.

  3. In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies → Windows Settings → Security Settings → Local Policies.
  4. On the right, double-click the User Rights Assignment policy.

  5. Locate the Manage auditing and security log policy and double-click it.

  6. In the Manage auditing and security log Properties dialog, click Add User or Group and specify the user that you want to define this policy for.
  7. Navigate to Start → Run and type "cmd". Input the gpupdate /force command and press Enter. The group policy will be updated.

  8. Type the repadmin /syncall command and press Enter to replicate GPO changes to other domain controllers.
  9. Ensure that the new GPO settings have been applied on any audited domain controller.
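
One way to perform the check in step 9, as an added example that is not part of the original guide: the script exports the user rights of the local security policy on a domain controller with secedit and confirms that the account is listed under SeSecurityPrivilege, the privilege constant behind Manage auditing and security log. The account name CONTOSO\svc-audit and the temporary file name are placeholders; the check covers direct assignment only, not rights inherited through group membership.

```powershell
# Added example (not from the original guide). Run elevated on an audited DC.
param(
    # Placeholder: replace with the account used for data collection.
    [string]$Account = 'CONTOSO\svc-audit'
)

# Resolve an account name to its SID string so comparisons ignore name format.
function ConvertTo-SidString([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Extract the SIDs granted SeSecurityPrivilege from secedit INF lines.
function Get-SeSecurityPrivilegeSids([string[]]$InfLines) {
    $line = $InfLines | Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $entry.TrimStart('*') }       # already a SID
        elseif ($entry) {
            try { ConvertTo-SidString $entry } catch { Write-Warning "Unresolved: $entry" }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
try {
    # Export only the user rights area of the local security policy.
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

    $granted = @(Get-SeSecurityPrivilegeSids (Get-Content -Path $cfg))
    $target  = ConvertTo-SidString $Account

    if ($granted -contains $target) {
        Write-Output "OK: $Account holds 'Manage auditing and security log'."
    } else {
        Write-Output "MISSING: $Account is not directly assigned the right."
        Write-Output "Currently granted SIDs: $($granted -join ', ')"
    }
} finally {
    # Remove the exported policy file so it does not linger in TEMP.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

A MISSING result right after step 7 usually means the GPO has not yet replicated or refreshed on that domain controller; rerun gpupdate /force there and check again.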