How to Check Active Directory (AD) Event Logs

Step-by-step guide to accessing, analyzing and managing Active Directory event logs for security monitoring and troubleshooting.

Active Directory (AD) event logs play a vital role in keeping an eye on and troubleshooting directory services. They offer valuable insights into authentication events, replication problems, group policy updates and other activities related to AD.

This guide will walk you through the process of viewing AD event logs using the built-in tools in Windows and PowerShell.

Why View AD Event Logs?

  1. Monitor Authentication Attempts: Spot failed login attempts and potential security risks.
  2. Track Changes in AD: Keep an eye on modifications to AD objects like users, groups, and policies.
  3. Troubleshoot Replication Issues: Make sure AD is syncing properly across domain controllers.
  4. Enhance Security: Quickly identify and respond to unauthorized changes or attacks.

Steps to View AD Event Logs

Using Event Viewer

  1. Open Event Viewer:
    • Press Win + R, type eventvwr and hit Enter.
  2. Navigate to Active Directory Logs:
    • Expand Applications and Services Logs in the left pane.
    • Go to Microsoft > Windows > Active Directory Domain Services and click on Directory Service.
  3. Filter Relevant Events:
    • Right-click the Directory Service log, then choose Filter Current Log from the menu.
    • Use event IDs to narrow down your search (for example, replication issues: 1084, account changes: 4720-4726).
  4. Analyze Log Entries:
    • Take a close look at the log details to pinpoint events, such as replication errors or authentication problems.

Using PowerShell

  1. View Logs with PowerShell Commands:
    • To get started, open PowerShell and run this command to pull up the Directory Service log:
    • Get-WinEvent -LogName "Directory Service"
  2. Filter Specific Event IDs:
    • To filter for specific events, use the -FilterHashtable parameter as shown:
    • Get-WinEvent -FilterHashtable @{LogName="Directory Service"; ID=1084}
  3. Export Logs for Analysis:
    • To save the logs for later review, export them to a file (the path is a single-backslash Windows path; -NoTypeInformation drops the "#TYPE" header line that Windows PowerShell otherwise writes to the CSV):
    • Get-WinEvent -LogName "Directory Service" | Export-Csv "C:\AD_Logs.csv" -NoTypeInformation
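The three steps above combined into one script, as an added example that is not part of the original guide: it pulls replication errors (1084) from the Directory Service log and account-management events (4720-4726, which Windows writes to the Security log rather than the Directory Service log) from the last seven days, copes with a filter that matches nothing, prints a per-ID summary and exports a CSV. It assumes an elevated PowerShell session on a domain controller; $Days and the output path $OutFile are placeholders you can change.

```powershell
# Added example, not from the original guide. Assumptions: elevated session on a
# domain controller (the Security log needs admin rights); $OutFile is a placeholder.
$Days    = 7
$OutFile = "C:\AD_Logs\AD_Events.csv"
$since   = (Get-Date).AddDays(-$Days)

# 1084 lives in the Directory Service log, 4720-4726 in the Security log, so one
# filter hashtable per log. Get-WinEvent throws a non-terminating error when a
# filter matches no events; SilentlyContinue keeps an empty log from aborting.
$filters = @(
    @{ LogName = 'Directory Service'; ID = 1084;       StartTime = $since },
    @{ LogName = 'Security';          ID = 4720..4726; StartTime = $since }
)

$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName,
            # keep only the first line of the message so the CSV stays readable
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

if (-not $events) {
    Write-Host "No matching events in the last $Days days."
    return
}

# Count per event ID: a sudden jump in 4726 (account deleted) or 1084 stands out here.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table @{ Name = 'EventId'; Expression = { $_.Name } }, Count -AutoSize

# Export for archiving or SIEM ingestion; create the folder if it does not exist.
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$events | Sort-Object TimeCreated | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Exported $($events.Count) events to $OutFile"
```

Extend the second hashtable with 4624, 4625 and 4670 if you also want the logon and permission-change events listed below in the same export.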

Common Event IDs in Active Directory

  • 4720-4726: Events related to user account management (like creation, deletion or modification).
  • 5136: Modifications to directory service objects.
  • 1084: Issues with AD replication.
  • 4624-4625: Successful and failed login attempts.
  • 4670: Changes in permissions on an object.

Best Practices for Viewing AD Event Logs

  1. Regular Monitoring: Set up routine checks to catch issues early on.
  2. Automate Log Analysis: Use PowerShell scripts to streamline the collection and filtering of logs.
  3. Use SIEM Tools: Connect your logs with Security Information and Event Management (SIEM) solutions for centralized oversight.
  4. Archive Old Logs: Make it a habit to export and store logs periodically for compliance and auditing.

Active Directory event logs provide invaluable insight into the health and security of your domain. By using tools like Event Viewer and PowerShell, administrators can effectively monitor, analyze and troubleshoot issues within the AD environment. Regularly checking these logs is key to maintaining a secure and well-functioning network.