Active Directory auditing, that is, the logging of directory service accesses, was already possible with Windows Server 2000/2003. Windows Server 2008 extends the auditing capabilities of Windows Server 2003 in several interesting ways. You can use this feature to track down errors or security issues.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

The most interesting extension is that you can now log the previous and the current value of a changed attribute, not just the fact that it has been changed. This is quite useful if unwanted changes have to be reverted. Note that a single modification is recorded as two Directory Service Changes events, one carrying the deleted (old) value and one carrying the added (new) value; both share the same operation correlation ID, which is how you pair them up again.

Windows 2000/2003 has only one audit policy (Audit Directory Service Access); Windows Server 2008 splits it into four subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. The second one introduces the feature mentioned above.

If you enable it, the security log also stores the values of modified attributes. If you create a new object, all attributes that were given a value are logged. If an object is moved, the old and the new location appear in the security log, and if an object is undeleted, its new location is logged, too.

It is a bit strange in my view that you can't enable, disable or view the new subcategories with the Group Policy Editor. You have to do this at the command prompt with auditpol! Were Microsoft's programmers too lazy to add these new policies to GPedit.msc? (Windows Server 2008 R2 later added Advanced Audit Policy Configuration to Group Policy, which finally exposes the subcategories.)

However, if you enable the Audit directory service access category with GPedit.msc, all four subcategories are enabled too, by default, with the same success/failure setting. You can find the category under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ in GPedit.msc. On domain controllers you would normally set it in the Default Domain Controllers Policy (or another GPO linked to the Domain Controllers OU) so that every DC logs the same way.

If you want to disable the new Directory Service Changes policy, you can do it with this command: auditpol /set /subcategory:"directory service changes" /success:disable /failure:disable. To view the current setting you have to type: auditpol /get /subcategory:"directory service changes". There might be certain circumstances where it makes sense to disable this feature, for example, when you modify many Active Directory objects with a script, because every attribute value the script touches would otherwise end up in the security log. Keep two things in mind: auditpol changes the local policy of the DC you run it on, so repeat it on every DC that the script writes to, and the next Group Policy refresh will reapply the category setting from the GPO unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled. Whatever you do, turn the subcategory back on afterwards; a bulk script is exactly the kind of change you want in the log later.
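Wrapping the bulk script so that the subcategory is switched off and restored automatically is less error-prone than typing the two auditpol commands by hand. The following is an added example, not code from the article; it assumes an elevated PowerShell prompt on the domain controller the script runs against, and the commented Set-ADUser line only stands in for whatever your bulk change is:

```powershell
# Added example (not from the original article): temporarily suspend the
# "Directory Service Changes" subcategory while a bulk script touches many
# objects, then restore whatever setting was in effect before.
# Run elevated on the DC where the script writes; auditpol only changes the
# local effective policy of that DC.

function Get-DsChangesAuditSetting {
    # auditpol /get prints a table; the subcategory row ends with the setting
    # ("Success", "Failure", "Success and Failure" or "No Auditing").
    $line = auditpol /get /subcategory:"Directory Service Changes" |
        Where-Object { $_ -match 'Directory Service Changes' }
    if (-not $line) { throw "Subcategory not found in auditpol output" }
    ($line -replace '^\s*Directory Service Changes\s+', '').Trim()
}

function Set-DsChangesAuditSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Success', 'Failure', 'Success and Failure', 'No Auditing')]
        [string]$Setting
    )
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"Directory Service Changes" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

$previous = Get-DsChangesAuditSetting
Write-Host "Setting before the bulk change: $previous"
try {
    Set-DsChangesAuditSetting -Setting 'No Auditing'

    # --- the bulk change goes here (assumed placeholder, not part of the example) ---
    # Import-Csv .\users.csv | ForEach-Object { Set-ADUser $_.sAMAccountName -Department $_.Department }
}
finally {
    # Restore even if the bulk script throws, so auditing is never left switched off.
    Set-DsChangesAuditSetting -Setting $previous
    Write-Host "Setting after the bulk change: $(Get-DsChangesAuditSetting)"
}
```

The try/finally is the point of the exercise: the audit gap lasts exactly as long as the script runs, and a failing script cannot leave auditing disabled. If the category is managed by a GPO without the subcategory override option, a Group Policy refresh during the run may still re-enable it, which is harmless but means some of the script's changes will be logged after all.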

As in former Windows versions, you can still control which objects are audited by modifying their SACL (System Access Control List). For instance, if you want to disable auditing for all objects in a certain container, right-click it in the Active Directory Users and Computers snap-in, navigate to Properties\Security\Advanced\Auditing and remove the entries there. Make sure that "Advanced Features" under "View" is enabled in the snap-in; otherwise, you won't see the Security tab. Only explicit entries can be removed on the container itself; entries inherited from the domain root have to be removed there or blocked by unchecking the option that includes inheritable auditing entries from the parent.
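The same SACL can be inspected and trimmed from PowerShell through the .NET DirectoryServices API, which is handy when you need to do it for several containers or want to see which entries are inherited before you touch anything. This is an added example, not code from the article; the OU path is an assumed value, and reading or writing a SACL needs the "Manage auditing and security log" right (SeSecurityPrivilege), which Domain Admins have on domain controllers:

```powershell
# Added example (not from the original article): list the audit entries (SACL)
# of one container and, on request, remove the explicit ones, i.e. what the
# ADUC Auditing tab lets you delete. The OU path below is an assumed example.
Add-Type -AssemblyName System.DirectoryServices

$ouPath = "LDAP://OU=Lab,DC=example,DC=com"   # assumed; replace with your container

function Get-AdAuditEntries {
    param([Parameter(Mandatory)][string]$Path)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    # By default the SACL is neither read nor written; ask for it explicitly.
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    # includeExplicit = $true, includeInherited = $true
    $entry.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited
}

function Remove-AdExplicitAuditEntries {
    param([Parameter(Mandatory)][string]$Path)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    # Only explicit (non-inherited) entries can be removed here. Inherited entries
    # come from the parent; remove them there or block inheritance with
    # $entry.ObjectSecurity.SetAuditRuleProtection($true, $false).
    $rules = $entry.ObjectSecurity.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) { [void]$entry.ObjectSecurity.RemoveAuditRule($rule) }
    $entry.CommitChanges()
    $rules.Count   # number of explicit audit entries removed
}

# Show what is there first, with the IsInherited column telling you what you
# can and cannot delete on this object.
Get-AdAuditEntries -Path $ouPath | Format-Table -AutoSize

# Uncomment to actually strip the explicit audit ACEs of the container:
# "Removed $(Remove-AdExplicitAuditEntries -Path $ouPath) explicit audit entries"
```

Run the listing before the removal and keep its output: it is the only record of which audit ACEs the container had, and the SACL change itself is not something the directory logs for you.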

It is also possible to disable auditing only for certain attributes by editing the schema with the ADSI Edit snap-in. After you have added the snap-in to the MMC, right-click ADSI Edit and select "Connect to", then choose "Schema" as the naming context. Now select one of the attributes, e.g. CN=Given-Name (its lDAPDisplayName is givenName), and set bit 0x100 (decimal 256) in its searchFlags property. Microsoft calls this flag NEVER_AUDIT_VALUE; it stops the values of the Given-Name attribute of all user objects in the domain from being written to the security log. Do not simply overwrite searchFlags with 256: the property is a bit mask and the other bits (indexing, ANR, confidentiality and so on) must be preserved, so add 256 to the existing value or OR it in. Schema changes can only be made on the schema master by a member of Schema Admins, and it usually takes a few minutes until the schema cache is refreshed. I recommend trying schema changes first in a testing environment.
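Doing the same from PowerShell makes the "preserve the other bits" rule explicit and lets you reverse the change with the same function. This is an added example, not code from the article; it assumes you run it as a Schema Admin against the schema master, the attribute name givenName is just the example from the text, and the schemaUpdateNow operation on RootDSE is used to reload the schema cache instead of waiting:

```powershell
# Added example (not from the original article): set or clear the
# NEVER_AUDIT_VALUE bit (0x100, decimal 256) in a schema attribute's searchFlags
# by toggling only that bit, then tell the DC to reload its schema cache.
# Requires Schema Admins and a connection to the schema master. Test in a lab.
$NeverAuditValue = 0x100

function Get-SchemaAttributeEntry {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    # Schema objects are looked up by lDAPDisplayName (givenName), not by cn (Given-Name).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc",
        "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $result = $searcher.FindOne()
    if (-not $result) { throw "attributeSchema '$LdapDisplayName' not found" }
    $result.GetDirectoryEntry()
}

function Set-AttributeValueAuditing {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $attr    = Get-SchemaAttributeEntry -LdapDisplayName $LdapDisplayName
    $current = [int]$attr.searchFlags.Value      # $null (unset) becomes 0
    # Touch only bit 0x100; index, ANR, confidential and other bits stay as they are.
    $new = if ($Enabled) { $current -band (-bnot $NeverAuditValue) }
           else          { $current -bor  $NeverAuditValue }
    if ($new -ne $current) {
        $attr.Put("searchFlags", $new)
        $attr.SetInfo()
        # Ask the DC to rebuild its schema cache now rather than in a few minutes.
        $rootDse = [ADSI]"LDAP://RootDSE"
        $rootDse.Put("schemaUpdateNow", 1)
        $rootDse.SetInfo()
    }
    "{0}: searchFlags 0x{1:X} -> 0x{2:X} (value auditing {3})" -f `
        $LdapDisplayName, $current, $new, $(if ($Enabled) { "on" } else { "off" })
}

# Stop logging givenName values (the article's Given-Name example) ...
Set-AttributeValueAuditing -LdapDisplayName "givenName" -Enabled $false
# ... and this is how you turn it back on later:
# Set-AttributeValueAuditing -LdapDisplayName "givenName" -Enabled $true
```

A sensible use of this flag is not convenience but data minimisation: attributes that hold secrets or personal data you do not want copied into every DC's security log (and from there into whatever collects it) are the ones to exclude, and the function tells you the old and new bit mask so you can verify that nothing else changed.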

All audits are logged in the security log, which you can open with the new Event Viewer under Windows Logs. The new Event IDs for attribute changes are 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move). The Event ID 566 for a mere directory service access, which you might know from Windows Server 2003, has become 4662 in Windows Server 2008. Each of the 513x events names the account that made the change, the object's distinguished name and class, and, for 5136, the attribute, its value and whether that value was added or deleted.
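Because a modification shows up as separate "value deleted" and "value added" 5136 events, reading the raw log to answer "what was the old value?" is tedious. The following added example (not code from the article) reads the 5136 to 5139 events with Get-WinEvent, pulls the named fields out of each event's XML and collapses the pairs that share an operation correlation ID into one before/after row. It assumes PowerShell 3.0 or later, read access to the Security log on a DC (or a saved .evtx file; the path is an assumed example), and the EventData field names used by these events, which are those shown in the Event Viewer's Details tab:

```powershell
# Added example (not from the original article): turn Directory Service Changes
# events into before/after records so an unwanted change can be reverted from
# the log. Assumes PowerShell 3.0+ and rights to read the Security log.

function Get-DsChangeRecords {
    param([int]$MaxEvents = 500, [string]$EvtxPath)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 }
    if ($EvtxPath) { $filter.Remove('LogName'); $filter.Path = $EvtxPath }  # assumed saved log
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        # EventData field names as they appear in the 513x events' XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # OperationType is only present in 5136: %%14674 = Value Added, %%14675 = Value Deleted
        $op = switch ($d['OperationType']) { '%%14674' { 'Added' } '%%14675' { 'Deleted' } default { $null } }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            Correlation = $d['OpCorrelationID']
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ObjectDN    = $d['ObjectDN']
            ObjectClass = $d['ObjectClass']
            Attribute   = $d['AttributeLDAPDisplayName']
            Value       = $d['AttributeValue']
            Operation   = $op
        }
    }
}

function Get-DsAttributeChanges {
    # Collapse 5136 events that belong to one operation on one attribute of one
    # object into a single old -> new row.
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object { $_.Id -eq 5136 } |
        Group-Object { "$($_.Correlation)|$($_.ObjectDN)|$($_.Attribute)" } |
        ForEach-Object {
            $old = ($_.Group | Where-Object { $_.Operation -eq 'Deleted' }).Value -join ';'
            $new = ($_.Group | Where-Object { $_.Operation -eq 'Added'   }).Value -join ';'
            [pscustomobject]@{
                Time      = ($_.Group | Sort-Object Time)[0].Time
                Subject   = $_.Group[0].Subject
                ObjectDN  = $_.Group[0].ObjectDN
                Attribute = $_.Group[0].Attribute
                OldValue  = $old     # empty when a value was only added (or the attribute was unset)
                NewValue  = $new     # empty when a value was only removed
            }
        }
}

$records = Get-DsChangeRecords -MaxEvents 200
# Creates, undeletes and moves are single events; show them as they are.
$records | Where-Object { $_.Id -ne 5136 } | Format-Table Time, Id, Subject, ObjectDN -AutoSize
# Modifications paired into before/after rows.
Get-DsAttributeChanges -Records $records | Format-Table -AutoSize
```

Two things to remember when you use this on a real log: the events are written on the domain controller that processed the write, so you have to query every DC (or collect the Security logs centrally) to see all changes, and an attribute excluded with the NEVER_AUDIT_VALUE schema flag still produces a 5136 event, just without the value.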

3 Comments
  1. Ed Jay 12 years ago

    It looks interesting but I'm not sure that even 2008 server tools can perform auditing more flexibly than special solutions oriented to auditing. The same event log where you need to browse for the necessary event ID, that's not so easy. If we are talking about Active Directory auditing I would definitely look at a tool called Active Administrator from ScriptLogic. This tool stores all information in a SQL database and has an easy ability of monitoring and finding necessary events and even the feature of sending e-mail notifications about the most important events.


  2. Dhruv 10 years ago

    Hi,

    Nice article, but one question.

    Both the "audit logon policy" and the "audit account management" policy follow the same steps to initiate, i.e.

    Active D users & computers > OU (Server) > GPO > * Define Account management * Define Account log on

    I know the questions may sound odd, but please help.

    Thanks !!

    Dhr


  3. Roy 8 years ago

    Ed, do you know how the Active Administrator tool compares to Netwrix AD Change Reporter? We've been using the Netwrix tool for a while and it works very well; wondering how the ScriptLogic tool is different. Specifically, how does it match up as far as audit capabilities, because that is Netwrix's strength.


© 4sysops 2006 - 2019
