You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.
126.96.36.199 Using a graphical user interface
188.8.131.52 Using a command-line interface
> auditpol \\<DomainControlerName> /enable /directory:all
You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.
By default, the domain object has an inherited audit entry for the Everyone security principal for all object access and modifications. That means once you enable auditing in the Domain Controller Security Policy and it replicates out, domain controllers will log events for any directory access or modification to any part of the directory. As you can imagine, auditing every access to Active Directory can generate a lot of events, so you'll either want to disable the Everyone auditing and apply more specific auditing, or keep a close eye on your domain controllers to ensure they are not adversely affected while auditing is enabled.
Here is an example event that was logged after the Administrator account created a contact object called foobar in the Sales OU:
Event Type: Success Audit Event Source: Security Event Category: Directory Service Access Event ID: 566 Date: 5/26/2003 Time: 7:24:10 PM User: RALLENCORP\administrator Computer: DC1 Description: Object Operation: Object Server: DS Operation Type: Object Access Object Type: organizationalUnit Object Name: OU=Sales,DC=rallencorp,DC=com Handle ID: - Primary User Name: DC1$ Primary Domain: RALLENCORP Primary Logon ID: (0x0,0x3E7) Client User Name: administrator Client Domain: RALLENCORP Client Logon ID: (0x0,0x3B4BE) Accesses: Create Child Properties: Create Child contact Additional Info: CN=foobar,OU=Sales,DC=rallencorp,DC=com Additional Info2: CN=foobar,OU=Sales,DC=rallencorp,DC=com Access Mask: 0x1
15.12.4 See Also
MS KB 232714 (HOW TO: How to Enable Auditing of Directory Service Access), MS KB 314955 (HOW TO: Audit Active Directory Objects in Windows 2000), MS KB 314977 (HOW TO: Enable Active Directory Access Auditing in Windows 2000), and MS KB 814595 (HOW TO: Audit Active Directory Objects in Windows Server 2003)