To track changes through the Active Directory event logs, follow these steps:
- Open Event Viewer: First, open the Event Viewer console on a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed.
- Navigate to Security Logs: In the console, expand the “Windows Logs” node, and then click on “Security”. This will display the security event logs for the computer.
- Filter Event Logs: To view Active Directory-related security events, click “Filter Current Log” in the Actions pane on the right side of the console. In the “Filter Current Log” dialog box, specify criteria such as the event ID, source, or user account to narrow the event logs.
- Check for Relevant Events: Look for the event IDs that correspond to the Active Directory changes you want to track. For example, event ID 5136 indicates that a directory service object was modified, while event ID 4720 indicates that a user account was created.
- Review Event Details: Double-click on an event to view its details. The details of the event will include information such as the date and time of the event, the user account that performed the action, and the object that was affected.
Following these steps lets you view the Active Directory event logs, track changes, and identify potential security issues in your environment. Review the security event logs regularly to confirm that your Active Directory environment is secure and that security events are being recorded properly.
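The filter-and-review steps above can also be scripted. The following PowerShell is an added example, not part of the original page: it queries the Security log for event IDs 5136 and 4720 and flattens the time, acting account and affected object into one table. `DC01` is a hypothetical domain controller name and the one-day window is an assumption.

```powershell
# Added example (not from the original page).
# 'DC01' is a hypothetical domain controller name; the 1-day window is an assumption.
param(
    [string]$ComputerName = 'DC01',
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Same criteria as the "Filter Current Log" dialog: log, event IDs, time range.
$filter = @{ LogName = 'Security'; Id = 5136, 4720; StartTime = $Since }

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat only that case as empty
    # so that access-denied or connectivity failures are still surfaced.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$report = foreach ($e in $events) {
    # Event details are name/value pairs in the event XML; index them by name.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        # Account that performed the action
        Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Object that was affected: DN for 5136, new account name for 4720
        Target      = if ($e.Id -eq 5136) { $data['ObjectDN'] }
                      else { '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName'] }
        # The next three fields are populated for 5136 only
        Attribute   = $data['AttributeLDAPDisplayName']
        Value       = $data['AttributeValue']
        Operation   = switch ($data['OperationType']) {
                          '%%14674' { 'Value Added' }
                          '%%14675' { 'Value Deleted' }
                          default   { $null }
                      }
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Event ID 5136 is recorded only when the "Audit Directory Service Changes" subcategory is enabled and the modified object has an auditing entry (SACL) covering the change, so an empty result can mean auditing is not configured rather than that nothing changed. Each domain controller keeps its own Security log, so run the query against every domain controller that may have processed the change.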