Windows Event Forwarding for Active Directory Security Logs with DSC

In this post, I will be teaching you how to configure Windows Event Logs Forwarding for Active Directory Security Logs that are stored on Domain Controllers. This is a real world example of how to use DSC in your environments and showcases the benefits of using DSC. If you are not currently using some logging system, I highly encourage you take the lessons learned here and use them to build a simple logging solution. In a previous post, I walked through how to use LabBuilder to build the lab environment. With the lab ready to go, lets begin!

Add Collector node to Event Log Readers AD Group

Since Domain Controllers do not have local groups, you must add the collector node to the Event Log Readers AD Group. This allows the system to read the logs on the system. Below is the command to add it to the group with PowerShell, stay out of the GUIs my friends. There is also a command to verify the membership, issue that cmdlet just to verify it was added.

Configure Log Access Group Policy

Next you must modify the Log Access for the Domain Controllers security logs. By default they do not allow read access, for semi-obvious reasons. There are a few options here we could use the wecutil utility, but Group Policy still has it’s place and usefulness so that what I’ve chosen to do. Open the Group Policy Management Console and follow the steps outlined below. Sorry! I know I just said stay out of GUIs… Sidenote, what the configure log access value is doing is grant the Network Service Account read rights. It’s not opening it up for everyone.

  1. Open Group Policy Management Console [Start-Process $env:systemdrive:\windows\system32\gpmc.msc]
  2. Local the [Default Domain Controllers Policy]
  3. Right click Edit
  4. Navigate to Computer Management > Preferences > Administrative Template > Windows Component > Event Log Service > Security
  5. Double click Configure log access
  6. Select Enabled
  7. Enter O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20) in the Log Access field
  8. Click OK


Enable Auditing on Domain Controllers

If it is not already configured enabling auditing on the Domain Controllers. This way all the changes are track and log to event viewer on the Domain Controllers and then forwarded to the collector node. Follow the below steps to enable some auditing.

  1. Open Group Policy Management Console [Start-Process $env:systemdrive:\windows\system32\gpmc.msc]
  2. Local the [Default Domain Controllers Policy]
  3. Right click Edit
  4. Navigate to Computer Management > Polices > Windows Settings > Security Settings > Local Polices > Audit Policy
  5. Double click Audit account logon events
  6. Check Define these policy settings
  7. Click Success
  8. Repeat steps 5-7 for the following policies; Aduit account management, Audit directory service access, Audit logon events, Audit object access, Audit policy change, Audit privilege use.


Restart Domain Controllers

Because the Group Policy that changes the security log access requires a reboot to apply, you’ll need to restart all the Domain Controllers. This made my change board uncomfortable…. 🙂 DO NOT RPD INTO THEM! PowerShell can of course do this better, the below commands will get all of the Domain Controllers within the domain executed and reboot them one by one waiting for the first to finish before the second is started.

Deploy xWindowsEventForwarding DSC Configuration to Collector Node

Now the fun begins! Next I’ll be deploying the DSC configuration that will create the subscriptions. These subscriptions are what defines what logs to gather from what sources. There are two options for a collector, collector initiated and source initiated. I’ll be setting up a collector initiated subscription. Lucky for me there was a custom DSC resource for this xWindowsEventForwarding. Ensure that is available on the collector node before executing the DSC configuration.

While this configuration is simple, it saves a lot of clicking. Also notice line 22, see how I’m gathering all the Domain Configuration names? Not typing them in one by one is how. Once the configuration is completed, you can view it in the Event Viewer GUI.

configuration Collector
Import-DscResource –ModuleName PSDesiredStateConfiguration
Import-DscResource ModuleName xWindowsEventForwarding
Windowsfeature RSATADPowerShell{
Ensure = ‘Present’
Name = ‘RSAT-AD-PowerShell’
xWEFCollector Enabled {
Ensure = “Present”
Name = “Enabled”
xWEFSubscription ADSecurity
SubscriptionID = “ADSecurity”
Ensure = “Present”
LogFile = ‘ForwardedEvents’
SubscriptionType = ‘CollectorInitiated’
Address = (Get-ADGroupMember ‘Domain Controllers’ | % {Get-ADComputer Identity $_.SID}).DNSHostName
DependsOn = “[xWEFCollector]Enabled”,“[WindowsFeature]RSATADPowerShell”
Query = @(‘Security:*’)
Collector OutputPath c:\DSC\
Start-DscConfiguration Wait Force Path c:\DSC\ Verbose
view rawCollector.ps1 hosted with ❤ by GitHub




If you do not see any logs being forwarded, it’s most likely because the Group Policy did not apply yet. Simply rebooting the Domain Controllers again will fix this issue. You can see the status of the Event Sources by right clicking the subscription and clicking Runtime Status. Once the Domain Controllers reboot don’t forget to right click and retry.


No Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Install Vmware PowerCLI

PowerCLI is really easy to install now. From an Administrative Powershell window just enter: Install-Module -Name VMware.PowerCLI Minimum Powershell Version must be v3.   Offline Install of PowerCLI Accessing the PowerCLI Modules We’re now ready to download the PowerCLI modules. This task will require a system with internet access. This …

Pass credentials with Powershell – 3 Ways

Interactive Here’s your typical scenario.   You have a script that requires credentials internally.  So to provide those credentials you would do something like $MyCredentials=GET-CREDENTIAL –credential “CONTOSO\Username” and you of course see a box like this normally on the screen Then you would type in the password and life would go …

MDT – Joining a Computer to a Domain Using PowerShell

Using PowerShell scripts within a task sequence provides more flexibility than using the CustomSettings.ini file to join a computer to a domain. The parameters of the CustomSettings.ini file are common to any deployment you perform. That’s why creating a custom PowerShell script to join your domain will be customize to …