Active Directory auditing, i.e. the logging of directory service accesses, is already possible with Windows Server 2000/2003. Windows Server 2008 extends the auditing capabilities of Windows Server 2003 in several interesting ways. You can use this feature if you have to track down errors or security issues.
The most interesting extension is that you can now log the current and the previous value of a changed attribute, and not just the fact that it has been changed. Having the previous value can be quite useful if unwanted changes have to be reverted.
Win2k/Win2k3 have only one audit policy (Audit Directory Service Access); now there are four different policies available: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. The second one introduces the feature mentioned above.
If you enable it, the security log will also store the values of modified attributes. If you create a new object, all attributes of this object are logged. If an object is moved, the new and the old location appear in the security log, and if an object is undeleted, its new location is logged, too.
It is a bit strange in my view that you can't enable, disable or view the new policies with the Group Policy Editor. You have to do this at the command prompt! Were Microsoft's programmers too lazy to add these new policies to GPedit.msc?
However, if you enable the Audit Directory Service Access global audit policy with GPedit.msc, all new policies are enabled too by default. You can find the global audit policy under Windows Settings\Security Settings\Local Policies\Audit Policy\ in GPedit.msc.
If you want to disable the new Directory Service Changes policy, you can do it with this command: auditpol /set /subcategory:"directory service changes" /success:disable. To view the current setting, type: auditpol /get /subcategory:"directory service changes". There are circumstances where it makes sense to disable this feature temporarily, for example when you modify many Active Directory objects with a script, since every changed attribute would otherwise produce its own security log entry.
As in former Windows versions, you can still control which objects are audited by modifying their SACL (System Access Control List). For instance, if you want to disable auditing for all objects in a certain container, right-click on it in the Active Directory Users and Computers snap-in, navigate to Properties\Security\Advanced\Auditing and remove the entries there. Make sure that "Advanced Features" under "View" is enabled in the snap-in. Otherwise, you won't see the Security tab.
It is also possible to disable auditing only for certain attributes by editing the Schema with the ADSI Edit snap-in. After you have added the snap-in to the MMC, right-click on ADSI Edit and select "Connect to". Then choose "Schema" as the naming context. Now select one of the attributes, e.g. Given-Name, and change searchFlags to 256. This sets bit 9 of the searchFlags property, which disables auditing of the Given-Name attribute of all user objects in the domain. searchFlags is a bit mask, so check the existing value first and keep any other bits that are already set. Note that it usually takes some minutes until schema changes are active. I recommend trying schema changes first in a testing environment.
All audits are logged in the security log, which you can access with the new Event Viewer. You'll find the security log under Windows Logs. The new Event IDs for attribute changes are 5136 (modify), 5137 (create), 5138 (undelete) and 5139 (move). Event ID 566 for a mere directory service access, which you might know from Windows Server 2003, has been changed to 4662 in Windows Server 2008.
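To show how the previous and current value of a modified attribute can be recovered from the security log, here is an added example in Python; it is not code from the original post. It parses constructed 5136 records in the XML layout that Get-WinEvent's ToXml() exports and pairs the "Value Deleted" and "Value Added" entries that share an OpCorrelationID; the field names and the OperationType codes %%14674/%%14675 are taken from the 5136 event template as I know it and should be treated as assumptions, as are the sample DN and account names.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # OperationType codes used by 5136


def _event(op_id, dn, attr, value, op_type, subject="CONTOSO\\jdoe"):
    """Build one constructed 5136 record in the Security-log XML layout."""
    fields = [("SubjectUserName", subject), ("OpCorrelationID", op_id),
              ("ObjectDN", dn), ("AttributeLDAPDisplayName", attr),
              ("AttributeValue", value), ("OperationType", op_type)]
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


USER_DN = "CN=Jane Doe,OU=Sales,DC=contoso,DC=com"  # constructed sample object
SAMPLE_EVENTS = [  # constructed sample: one modify appears as a delete/add pair
    _event("{A1}", USER_DN, "description", "Sales", VALUE_DELETED),
    _event("{A1}", USER_DN, "description", "Marketing", VALUE_ADDED),
    _event("{B2}", USER_DN, "telephoneNumber", "+1 555 0100", VALUE_ADDED),
]


def parse_5136(xml_text):
    """Return the EventData fields of one 5136 record as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None  # 4662, 5137, 5139 etc. carry different fields
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}


def pair_changes(xml_records):
    """Fold value-deleted / value-added records into old -> new per attribute.

    Records sharing an OpCorrelationID belong to one LDAP modify operation, so
    the deleted value is the previous one and the added value the current one.
    A pure add (new attribute value) leaves "old" as None.
    """
    changes = OrderedDict()
    for rec in filter(None, map(parse_5136, xml_records)):
        key = (rec["OpCorrelationID"], rec["ObjectDN"], rec["AttributeLDAPDisplayName"])
        entry = changes.setdefault(key, {"subject": rec["SubjectUserName"],
                                         "old": None, "new": None})
        slot = "old" if rec["OperationType"] == VALUE_DELETED else "new"
        entry[slot] = rec["AttributeValue"]
    return [{"dn": dn, "attribute": attr, **v} for (_, dn, attr), v in changes.items()]


if __name__ == "__main__":
    for c in pair_changes(SAMPLE_EVENTS):
        print(f'{c["subject"]}: {c["attribute"]} on {c["dn"]} {c["old"]!r} -> {c["new"]!r}')
```

On a real domain controller the same logic applies to the output of Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} after calling ToXml() on each record.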