Active Directory auditing, i.e. the logging of directory service accesses, is already possible with Windows Server 2000/2003. Windows Server 2008 extends the auditing capabilities of Windows Server 2003 in several interesting ways. This feature is useful when you have to track down errors or security issues.
The most interesting extension is that you can now log the current and the previous value of a changed attribute instead of only the fact that it was changed. This can be quite useful if unwanted changes have to be reverted.
Win2k/Win2k3 have only one audit policy (Audit Directory Service Access); now there are four different subcategories available: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. The second one introduces the feature mentioned above.
If you enable it, then the security log will also store the values of modified attributes. If you create a new object, then all attributes of this object are logged. If an object is moved, the new and the old location will appear in the security log and if an object is undeleted, its new location is logged, too.
It is a bit strange in my view that you can't enable, disable or view the new policies with the Group Policy Editor. You have to do this on the command prompt! Were Microsoft's programmers too lazy to add these new policies to GPedit.msc?
However, if you enable the Audit Directory Service Access global audit policy with GPedit.msc, all new subcategories are enabled too by default. You can find the global audit policy under Windows Settings\Security Settings\Local Policies\Audit Policy\ in GPedit.msc.
If you want to disable the new Directory Service Changes policy you can do it with this command: auditpol /set /subcategory:"directory service changes" /success:disable. To view the current setting you have to type: auditpol /get /subcategory:"directory service changes". There might be certain circumstances where it makes sense to disable this feature, for example, when you modify many Active Directory objects with a script.
As in former Windows versions, you can still control which objects are audited by modifying their SACL (System Access Control List). For instance, if you want to disable auditing for all objects in a certain container, you have to right-click on it in the Active Directory Users and Computers snap-in, navigate to Properties\Security\Advanced\Auditing and remove the entries there. Make sure that "Advanced Features" under "View" is enabled in the snap-in. Otherwise, you won't see the Security tab.
It is also possible to disable auditing only for certain attributes by editing the Schema with the ADSI Edit snap-in. After you have added the snap-in to the MMC, right-click on ADSI Edit and select "Connect to". Then choose "Schema" as naming context. Now select one of the attributes, e.g. Given-Name, and change searchFlags to 256. This sets bit 9 of the searchFlags property, which disables auditing of the Given-Name attribute of all user objects in the domain. Note that it usually takes some minutes until schema changes are active. I recommend trying schema changes first in a testing environment.
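The same schema change done from PowerShell, as an added example that is not part of the original article: because searchFlags is a bitmask, the script ORs bit 256 into the existing value instead of overwriting it, so indexing or other flags already set on the attribute are preserved. It assumes PowerShell with the [ADSI] accelerator, Schema Admins rights, and a $SchemaMaster parameter naming the schema master (both parameters are assumptions, not from the article).

```powershell
# Added example, not from the original article: set the NEVER_AUDIT_VALUE bit (256)
# on one attributeSchema object with a bitwise OR so that other searchFlags bits
# (e.g. indexing) are kept. Schema writes must be directed at the schema master
# and require Schema Admins membership; $SchemaMaster is an assumed parameter.
param(
    [string]$SchemaMaster = $env:COMPUTERNAME,  # name/FQDN of the schema master (assumption)
    [string]$AttributeCN  = "Given-Name"        # CN of the attributeSchema object, as in the article
)

$NEVER_AUDIT_VALUE = 256   # bit 9 of searchFlags, the value the article sets

# Locate the schema naming context through RootDSE on the schema master.
$rootDse   = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$schemaNc  = $rootDse.schemaNamingContext.Value
$attribute = [ADSI]"LDAP://$SchemaMaster/CN=$AttributeCN,$schemaNc"

$current = [int]$attribute.searchFlags.Value
if (($current -band $NEVER_AUDIT_VALUE) -ne 0) {
    Write-Host "$AttributeCN already has NEVER_AUDIT_VALUE set (searchFlags = $current)."
} else {
    $new = $current -bor $NEVER_AUDIT_VALUE   # keep every bit that was already set
    $attribute.Put("searchFlags", $new)
    $attribute.SetInfo()
    Write-Host "$AttributeCN searchFlags changed from $current to $new."
}
```

As the article notes, the change becomes effective only after the schema cache is refreshed, so run it in a test forest first.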
All audits are logged in the security log which you can access with the new Event Viewer. You'll find the security log under Windows Logs. The new Event IDs for attribute changes are 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move). The Event ID 566 for a mere directory service access, which you might know from Windows Server 2003, has been changed to 4662 in Windows Server 2008.
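An added example (not from the original article) that reads the 5136 events described above and reconstructs "old value -> new value" per attribute. A single modification produces two 5136 events sharing an OpCorrelationID, one with OperationType %%14675 (Value Deleted) and one with %%14674 (Value Added). It assumes PowerShell 2.0 or later for Get-WinEvent and read access to the Security log of the domain controller named in $ComputerName (an assumed parameter).

```powershell
# Added example, not from the original article: pair the "Value Deleted" and
# "Value Added" halves of Event ID 5136 into one row showing old and new value.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DC whose Security log to read (assumption)
    [int]$MaxEvents = 200
)

# Flatten the <EventData><Data Name="..."> elements of one event into a hashtable.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$events = Get-WinEvent -ComputerName $ComputerName `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents

$changes = @{}
foreach ($e in $events) {
    $d = Get-EventData $e
    # One modify = same correlation id, object and attribute.
    $key = "$($d.OpCorrelationID)|$($d.ObjectDN)|$($d.AttributeLDAPDisplayName)"
    if (-not $changes.ContainsKey($key)) {
        $changes[$key] = New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            OldValue  = $null
            NewValue  = $null
        }
    }
    switch ($d.OperationType) {
        '%%14675' { $changes[$key].OldValue = $d.AttributeValue }   # Value Deleted
        '%%14674' { $changes[$key].NewValue = $d.AttributeValue }   # Value Added
    }
}

$changes.Values | Sort-Object Time |
    Format-Table Time, Subject, Object, Attribute, OldValue, NewValue -AutoSize
```

A row with only a NewValue is an attribute that was set for the first time; a row with only an OldValue is an attribute that was cleared.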
It looks interesting but I’m not sure that even 2008 server tools can perform auditing more flexibly than special solutions oriented to auditing. The same event log where you need to browse for necessary event id – that’s not so easy. If we are talking about active directory auditing I would definitely look to a tool called active administrator from scriptlogic. This tool stores all information in SQL database and has an easy ability of monitoring and finding necessary events and even the feature of sending e-mail notifications about the most important events.
Hi,
Nice article, but one question.
Both “audit log on policy” and “audit account management” policy follow the same steps to initiate, i.e.
Active D users & computers > OU (Server) > GPO > * Define Account management * Define Account log on
I know the questions may sound odd, but please help.
Thanks !!
Dhr
Ed, do you know how the active administrator tool compares to netwrix ad change reporter? We’ve been using the netwrix tool for a while and it works very well, wondering how the scriptlogic tool is different. Specifically, how does it match up as far as audit capabilities, because that is netwrix’s strength.