In the previous article you have learnt how to enable Audit Kerberos service ticket operations for domain member computer. In this article you will learn step by step process to enable Removal Storage Audit which will allows you to audit all attempt done by user to access the removal storage device. Many security logs are required during forensic or threat tracking within the organization. Audit log of the removal devices are also crucial for the same purpose.
Create a group policy object under the “Group Policy Objects” in your domain controller within the Group Policy management blade.
Right click on policy you have just created and go to Edit Option
Once you entered in Edit option there will be multiple option to configure users and computers.
Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit Removal Storage
Double click on “Audit Removal Storage” and check on “Configure the following audit events“. check both success and failure.
check the state change from unconfigured to success and failure
state is changed as per the requirement, now its time to apply the created group policy object to desired OU.
Right click on OU and go to link an existing GPO option. select your GPO and click on OK
Congratulations!! your GPO has been applied to selected OU. the policy will make changes according to the configuration to all the computer are under the computer list OU. run gpupdate on your domain controller and after few minutes policy will be applied to your computers.
to verify the GPO if applied or not. go to your computer run the below command with privileged user,
gpupdate /r /scope computerafter running the above command, Under the Applied Group Policy Objects. you will be able to see your group policy name that you have recently linked.
You are at end of this article and here you have learn how to enable audit removal storage for domain members. In the next article you will learn how to Audit user account management using group policy for the member computers.
