If you have ATP (Advanced Threat Protection) enabled in your Azure subscriptions and the sensors installed on your domain controllers, you will get this warning if you have not set up the Advanced Group Policy:
This means you need to set up the policy as per the recommendations, or more specifically as per your company's requirements. So let's get started...
This can all be controlled with GPO. The current policy controlling this is called "Advanced Group Policy" and it is only applied to the DCs, so update these values there and you have a consistent setting that people cannot override to "save space" on the C: drive at the cost of your security logging.
Now each option has upsides and downsides when it comes to auditing everything. DS Access covers any operation that uses AD DS, so if you audit Success you will get events for everything that "successfully" occurred, which is a huge amount of data; but if something is malicious it will most likely show up as a success, not a failure.
However, if you only audit Failure then you will only get events for actions that failed, and all the successful ones go unaudited. There is no best practice here as it comes down to company requirements, but on the Azure DCs, with their security audit as it is, turning on Success and Failure for all of those actions would leave you with only a couple of hours of data in the security log.
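Before deciding between Success, Failure or both, it helps to see what the DC is currently auditing and how much history the Security log actually retains at today's event rate. The following PowerShell is an added example, not from the original post: it reads the DS Access subcategories with the built-in auditpol.exe and measures the time window between the oldest and newest retained Security events. Run it in an elevated prompt on a domain controller; the numbers it reports are whatever that DC holds.

```powershell
# Added example (not from the original post): report the current DS Access
# advanced audit settings on this DC and how many hours of history the
# Security log holds right now. Run in an elevated prompt on a DC.

function Get-DsAccessAuditSetting {
    # auditpol /r emits CSV; the "DS Access" category holds the directory
    # service subcategories the post is talking about.
    $csv  = auditpol /get /category:"DS Access" /r | Where-Object { $_ -ne '' }
    $rows = $csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            # One of "Success", "Failure", "Success and Failure", "No Auditing"
            Setting     = $row.'Inclusion Setting'
        }
    }
}

function Get-SecurityLogCoverage {
    # The oldest and newest retained events bound the window the log still covers,
    # which is the "couple of hours" problem the post warns about.
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $span   = $newest.TimeCreated - $oldest.TimeCreated
    [pscustomobject]@{
        MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        UsedMB        = [math]::Round($log.FileSize / 1MB, 1)
        Events        = $log.RecordCount
        OldestEvent   = $oldest.TimeCreated
        NewestEvent   = $newest.TimeCreated
        CoverageHours = [math]::Round($span.TotalHours, 2)
    }
}

Get-DsAccessAuditSetting | Format-Table -AutoSize
Get-SecurityLogCoverage  | Format-List
```

If CoverageHours is small while UsedMB is at MaxSizeMB, the log is wrapping; raise the maximum log size or forward events to a SIEM before widening the audit settings, otherwise the extra Success events simply push older evidence out.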
Configuration Container Issue
You will then notice you get this error or misconfiguration warning:
- Open ADSI Edit. To do this, select Start, select Run, type ADSIEdit.msc, and then select OK.
- On the Action menu, select Connect to.
- In the Connection Settings dialog box under Select a well known Naming Context, select Configuration, and then select OK.
- Expand the Configuration container. Under the Configuration container, you'll see the Configuration node. It will begin with "CN=Configuration,DC=..."
- Right-click the Configuration node and select Properties; this will bring you here:
- Go to the Security tab, and select Advanced.
- In Advanced Security Settings, choose the Auditing tab. Select Add.
- Choose Select a principal.
- Under Enter the object name to select, type Everyone. Then select Check Names, and select OK.
- Select OK
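Once the auditing entry has been added, you can confirm it exists on every DC without clicking through ADSI Edit again. The script below is an added example, not from the original post or from Microsoft's documentation: it reads the SACL of the Configuration naming context and lists the audit entries for Everyone. It assumes the ActiveDirectory RSAT module is installed (it provides the AD: drive) and an elevated prompt, since reading a SACL requires the "Manage auditing and security log" right.

```powershell
# Added example (not from the original post): verify that the Configuration
# naming context carries an audit entry for Everyone, the outcome of the
# ADSI Edit steps above. Assumes the ActiveDirectory RSAT module and an
# elevated prompt holding the Manage auditing and security log right.

Import-Module ActiveDirectory

function Get-ConfigurationAuditRule {
    param([string]$Principal = 'Everyone')

    # RootDSE gives the Configuration DN for this forest, so nothing is hard-coded.
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # -Audit asks for the SACL in addition to the DACL.
    $acl   = Get-Acl -Path "AD:\$configNC" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    $rules | Where-Object { $_.IdentityReference.Value -eq $Principal } |
        ForEach-Object {
            [pscustomobject]@{
                Principal   = $_.IdentityReference.Value
                Rights      = $_.ActiveDirectoryRights
                AuditFlags  = $_.AuditFlags        # Success, Failure, or both
                Inheritance = $_.InheritanceType   # whether the entry flows to child objects
                ObjectType  = $_.ObjectType        # all-zero GUID means every object type
                Inherited   = $_.IsInherited
            }
        }
}

$entries = Get-ConfigurationAuditRule
if (-not $entries) {
    Write-Warning "No audit entry for Everyone on the Configuration container; the misconfiguration warning will remain."
} else {
    $entries | Format-Table -AutoSize
}
```

The SACL lives in the directory itself and replicates, so one DC is enough to check the entry, but the audit policy from the first part of the post is per-DC and must be confirmed on each one.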