Enabling advanced security audit policies

As we have seen previously, successful auditing requires a SACL on the relevant AD objects. If an object has no SACL entry, no events will be generated for it. Configuring a SACL requires Domain Admin or Enterprise Admin privileges. To add a SACL entry, perform the following steps:

  1. Open Active Directory Users and Computers.
  2. Click on View | Advanced Features.
  3. Right-click on the OU or the object that you'd like to enable auditing for. Then click on Properties. In my example, I am using the root container as I wish to enable it globally.
  4. Click on the Security tab and then on Advanced.
  5. Click on the Auditing tab and then click on the Add button to add a new security principal to the SACL. In our scenario, I am using Everyone as I'd like to audit all principals.
  6. As the Type, I have selected the Success event type. Also, I've applied it to This object and all descendant objects.

Once the SACL entries are in place, we can enable advanced audit policy configuration. In order to do that:

  1. Go to Group Policy Management.
  2. In the MMC, expand the Domain Controllers OU.
  3. Right-click on Default Domain Controller Policy and select Edit.
  4. Then navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies.
  5. In there, we can find all 10 audit categories. In this demo, we are only going to enable audit categories under DS Access.
  6. Navigate to DS Access and double-click on each subcategory entry. To enable auditing, select Configure the following audit events and then select the events you'd like to audit. It's recommended to audit both Success and Failure.

I have repeated the same configuration for the rest of the audit categories.

Once the group policy is applied successfully, it will start to log new events according to the audit policy.
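The SACL step and the checks that follow it, as an added PowerShell example that is not from the book: it assumes you run it as a Domain Admin on a domain controller with the ActiveDirectory module installed, and the permissions on the audit rule (GenericAll) are an assumption, since the text does not name the permissions it picked in the GUI.

```powershell
# Added example (not from the book). Assumes: run as Domain Admin on a DC,
# ActiveDirectory module available, domain name read from the DC itself.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com (placeholder)

# --- Step 1: add the SACL entry at the domain root, matching the GUI choices:
#     principal Everyone, Type = Success, This object and all descendant objects.
$acl      = Get-Acl -Path "AD:\$domainDN" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,   # assumption: book does not name the rights; narrow in production
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# --- Step 2: confirm the SACL entry is present and inherits to descendants
(Get-Acl -Path "AD:\$domainDN" -Audit).Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

# --- Step 3: after editing the Default Domain Controllers Policy, refresh it and
#     read back the effective advanced audit policy for the DS Access category
gpupdate /force | Out-Null
auditpol /get /category:"DS Access"
# Expected: "Success and Failure" on all four subcategories:
#   Directory Service Access, Directory Service Changes,
#   Directory Service Replication, Detailed Directory Service Replication

# --- Step 4: confirm events are being written
#     (4662 = "An operation was performed on an object", the DS Access event)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5 |
    Format-List TimeCreated, Message
```

Keep the audit settings in the GPO rather than setting them locally with auditpol /set, because the next policy refresh would overwrite local changes; also check that Audit: Force audit policy subcategory settings is enabled in the same policy so the advanced subcategories take precedence over the legacy category settings.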
