Recipe 15.12 Enabling Auditing of Directory Access

15.12.1 Problem

You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.

15.12.2 Solution

15.12.2.1 Using a graphical user interface
  1. Open the Domain Controller Security Policy snap-in.

  2. In the left pane, expand Local Policies and click on Audit Policy.

  3. In the right pane, double-click Audit directory service access.

  4. Make sure the box is checked beside Define these policy settings.

  5. Check the box beside Success and/or Failure.

  6. Click OK.

15.12.2.2 Using a command-line interface
> auditpol \\<DomainControllerName> /enable /directory:all

15.12.3 Discussion

You can log an event to the Security event log for every successful and/or failed attempt to access or modify the directory; this is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.

By default, the domain object has an inherited audit entry for the Everyone security principal for all object access and modifications. That means once you enable auditing in the Domain Controller Security Policy and it replicates out, domain controllers will log events for any directory access or modification to any part of the directory. As you can imagine, auditing every access to Active Directory can generate a lot of events, so you'll either want to disable the Everyone auditing and apply more specific auditing, or keep a close eye on your domain controllers to ensure they are not adversely affected while auditing is enabled.

Here is an example event that was logged after the Administrator account created a contact object called foobar in the Sales OU:

Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
Date:              5/26/2003
Time:              7:24:10 PM
User:              RALLENCORP\administrator
Computer:          DC1
Description:
Object Operation:
    Object Server:      DS
    Operation Type:     Object Access
    Object Type:        organizationalUnit
    Object Name:        OU=Sales,DC=rallencorp,DC=com
    Handle ID:          -
    Primary User Name:  DC1$
    Primary Domain:     RALLENCORP
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   administrator
    Client Domain:      RALLENCORP
    Client Logon ID:    (0x0,0x3B4BE)
    Accesses:           Create Child

    Properties:
        Create Child
            contact

    Additional Info:    CN=foobar,OU=Sales,DC=rallencorp,DC=com
    Additional Info2:   CN=foobar,OU=Sales,DC=rallencorp,DC=com
    Access Mask:        0x1
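As an added example (not from the cookbook), a small Python parser for the event 566 text above that pulls out the fields an administrator actually reads: which client principal exercised which right on which object, and what was created. The embedded sample is the recipe's event, abridged to the fields used and constructed here as input; the field layout it assumes is the one shown above.

```python
import re

# Constructed sample: the event 566 from the recipe, abridged to the fields this
# example reads. Real entries also carry Date, Time, Logon IDs, Access Mask, etc.
SAMPLE_EVENT_566 = """\
Event Type:        Success Audit
User:              RALLENCORP\\administrator
    Object Type:        organizationalUnit
    Object Name:        OU=Sales,DC=rallencorp,DC=com
    Client User Name:   administrator
    Client Domain:      RALLENCORP
    Accesses:           Create Child

    Properties:
        Create Child
            contact

    Additional Info:    CN=foobar,OU=Sales,DC=rallencorp,DC=com
"""

# One "Key:   Value" pair per line; keys are words, values may contain colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.*)$")


def parse_event_566(text: str) -> dict:
    """Turn the 'Key: Value' lines of a Directory Service Access event into a dict.
    The indented Properties block is collected as a list until the next blank line."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the Properties block
            in_props = False
            continue
        m = FIELD_RE.match(line)
        if m and not in_props:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            in_props = key == "Properties"
        elif in_props:
            props.append(line.strip())
    fields["Properties"] = props
    return fields


def summarize(event: dict) -> str:
    """Answer the question auditing is switched on for: who did what to which object."""
    who = f"{event['Client Domain']}\\{event['Client User Name']}"
    what = ", ".join(event["Properties"][1:])   # names under the right, e.g. the class created
    return (f"{event['Event Type']}: {who} {event['Accesses']} ({what}) "
            f"on {event['Object Name']} -> {event['Additional Info']}")
```

Feed it the Description text of each 566 entry exported from the Security log and the summaries give a quick audit trail without opening every event.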

It can also be useful to enable Audit Account Management in the Domain Controller Security GPO. This provides additional information about account management operations, for example, finding what account deleted a certain object.

15.12.4 See Also

MS KB 232714 (HOW TO: How to Enable Auditing of Directory Service Access), MS KB 314955 (HOW TO: Audit Active Directory Objects in Windows 2000), MS KB 314977 (HOW TO: Enable Active Directory Access Auditing in Windows 2000), and MS KB 814595 (HOW TO: Audit Active Directory Objects in Windows Server 2003).

Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456