Recipe 15.12 Enabling Auditing of Directory Access

15.12.1 Problem

You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.

15.12.2 Solution

Using a graphical user interface

  1. Open the Domain Controller Security Policy snap-in.

  2. In the left pane, expand Local Policies and click on Audit Policy.

  3. In the right pane, double-click Audit directory service access.

  4. Make sure the box is checked beside Define these policy settings.

  5. Check the box beside Success and/or Failure.

  6. Click OK.

Using a command-line interface

> auditpol \\<DomainControllerName> /enable /directory:all

15.12.3 Discussion

You can log an event to the Security event log for every successful and/or failed attempt to access or modify the directory; this is referred to as auditing. The policy is enabled via the Domain Controller Security GPO with the Audit directory service access setting, but the policy on its own does not generate any events: which objects and which operations are audited is determined by the SACL (system access control list) on each object. Once the policy is enabled, use the ACL Editor (the Auditing tab under Advanced on an object's Security tab, which Active Directory Users and Computers only shows after Advanced Features is turned on in the View menu) to define audit entries in the SACL of the objects and containers you want to monitor. Entries on a container can be inherited by the objects beneath it, so auditing an OU also covers the objects created in it later.

By default, the domain object carries an audit entry for the Everyone security principal that child objects inherit, covering a broad set of object access and modification rights. That means once you enable auditing in the Domain Controller Security Policy and it replicates out, domain controllers will log events for matching directory access or modification anywhere in the directory. As you can imagine, auditing at that scope can generate a very large number of events, so you'll either want to remove the Everyone entries and apply more specific auditing to the containers that matter, or keep a close eye on your domain controllers (including the Security log's size and retention settings) to ensure they are not adversely affected while auditing is enabled.
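The following script is an added example, not part of the cookbook, that carries out the whole procedure above on a Windows Server 2008 or later domain controller: it turns the policy on, shows the default Everyone audit entries on the domain object, removes them, and replaces them with a narrower inherited entry on the Sales OU from this recipe. It assumes the ActiveDirectory PowerShell module (AD: drive) is present, that the caller holds the "Manage auditing and security log" right (SeSecurityPrivilege), and that the backup file path is whatever you choose; the domain and OU names are the recipe's. The `auditpol /set` syntax shown is the built-in tool's; the recipe's `auditpol \\DC /enable /directory:all` is the older Windows 2000/2003 Resource Kit syntax.

```powershell
# Added example (not from the cookbook). Run on a DC, or in a remote session to one,
# as an account holding SeSecurityPrivilege. Assumes the ActiveDirectory module and
# Windows Server 2008 or later (built-in auditpol.exe with /set).
Import-Module ActiveDirectory

$domainDn = 'DC=rallencorp,DC=com'     # domain used in the recipe
$salesOu  = "OU=Sales,$domainDn"        # OU used in the recipe
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$sidType  = [System.Security.Principal.SecurityIdentifier]

# 1. Turn the policy on. Events are only written when this AND a matching SACL entry exist.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# 2. Show what the domain object audits today. The broad Everyone entries the
#    discussion warns about are explicit here and are inherited by everything below.
$domainAcl = Get-Acl -Path "AD:\$domainDn" -Audit
$domainAcl.GetAuditRules($true, $false, $sidType) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize

# 3. Keep a copy of the current SACL (SDDL form) before changing it. Path is hypothetical.
$auditSection = [System.Security.AccessControl.AccessControlSections]::Audit
$domainAcl.GetSecurityDescriptorSddlForm($auditSection) | Set-Content -Path .\domain-sacl-backup.sddl

# 4. Remove the Everyone entries from the domain object so auditing stops being domain-wide.
foreach ($rule in $domainAcl.GetAuditRules($true, $false, $sidType)) {
    if ($rule.IdentityReference -eq $everyone) { [void]$domainAcl.RemoveAuditRule($rule) }
}
Set-Acl -Path "AD:\$domainDn" -AclObject $domainAcl

# 5. Add a narrower entry on OU=Sales: creations, deletions, property writes and
#    permission/owner changes by anyone, success and failure, inherited by all children.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, WriteProperty, WriteDacl, WriteOwner'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$salesAcl = Get-Acl -Path "AD:\$salesOu" -Audit
$salesAcl.AddAuditRule($rule)
Set-Acl -Path "AD:\$salesOu" -AclObject $salesAcl

# 6. Verify the effective audit entries on the OU. Creating a contact under Sales should
#    now log event 4662 (566 on Windows Server 2003) with "Create Child" in Accesses.
(Get-Acl -Path "AD:\$salesOu" -Audit).GetAuditRules($true, $true, $sidType) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Step 4 is the "disable the Everyone auditing" option from the discussion; if you would rather keep domain-wide auditing and only watch the DCs, skip steps 3 and 4 and run only steps 1, 5 and 6. The SACL changes replicate like any other directory change, so expect a short delay before every DC logs the new events.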

Here is an example event that was logged after the Administrator account created a contact object called foobar in the Sales OU:

Event Type:        Success Audit
Event Source:        Security
Event Category:        Directory Service Access 
Event ID:        566
Date:                5/26/2003
Time:                7:24:10 PM
User:                RALLENCORP\administrator
Computer:        DC1
Object Operation:
         Object Server:        DS
         Operation Type:        Object Access
         Object Type:        organizationalUnit
         Object Name:        OU=Sales,DC=rallencorp,DC=com
         Handle ID:        -
         Primary User Name:        DC1$
         Primary Domain:        RALLENCORP
         Primary Logon ID:        (0x0,0x3E7)
         Client User Name:        administrator
         Client Domain:        RALLENCORP
         Client Logon ID:        (0x0,0x3B4BE)
         Accesses:        Create Child 
        Create Child 

         Additional Info:        CN=foobar,OU=Sales,DC=rallencorp,DC=com
         Additional Info2:        CN=foobar,OU=Sales,DC=rallencorp,DC=com
         Access Mask:        0x1
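As an added example that is not part of the cookbook, the function below pulls the fields an investigator actually wants (client account, operation, object, accesses, target DN) out of a Directory Service Access event message. The sample input is the recipe's own event 566 body, embedded here as constructed input so the parser can be exercised without a domain controller; the Get-EventLog pipeline at the end, which assumes a DC named DC1 as in the recipe, shows how to feed it live events instead.

```powershell
# Added example (not from the cookbook): parse "Directory Service Access" event text.
function ConvertFrom-DsAccessEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Message,
        [datetime] $TimeGenerated = (Get-Date)
    )
    process {
        # Each field is "Label:<whitespace>value" on its own line. Labels are anchored at
        # line start so "Client User Name:" is never confused with "Primary User Name:".
        function Field($label) {
            $pattern = "(?m)^[ \t]*$([regex]::Escape($label)):[ \t]*(.*?)[ \t]*$"
            if ($Message -match $pattern) { $Matches[1] } else { $null }
        }
        # Accesses spans several lines (the access name is repeated), so read the block
        # up to the next label, then trim and de-duplicate the entries.
        $accesses = @()
        if ($Message -match "(?s)Accesses:\s*(.*?)\s*Additional Info:") {
            $accesses = @($Matches[1] -split '\r?\n' | ForEach-Object { $_.Trim() } |
                          Where-Object { $_ } | Select-Object -Unique)
        }
        [pscustomobject]@{
            Time       = $TimeGenerated
            ClientUser = "$(Field 'Client Domain')\$(Field 'Client User Name')"
            Operation  = Field 'Operation Type'
            ObjectType = Field 'Object Type'
            ObjectName = Field 'Object Name'
            Accesses   = $accesses -join ', '
            Target     = Field 'Additional Info'
        }
    }
}

# Constructed sample input: the body of the recipe's event 566.
$sample = @'
Object Operation:
         Object Server:        DS
         Operation Type:        Object Access
         Object Type:        organizationalUnit
         Object Name:        OU=Sales,DC=rallencorp,DC=com
         Handle ID:        -
         Primary User Name:        DC1$
         Primary Domain:        RALLENCORP
         Primary Logon ID:        (0x0,0x3E7)
         Client User Name:        administrator
         Client Domain:        RALLENCORP
         Client Logon ID:        (0x0,0x3B4BE)
         Accesses:        Create Child
        Create Child

         Additional Info:        CN=foobar,OU=Sales,DC=rallencorp,DC=com
         Additional Info2:        CN=foobar,OU=Sales,DC=rallencorp,DC=com
         Access Mask:        0x1
'@
ConvertFrom-DsAccessEvent -Message $sample | Format-List
# Expected: ClientUser RALLENCORP\administrator, ObjectType organizationalUnit,
# Accesses "Create Child", Target CN=foobar,OU=Sales,DC=rallencorp,DC=com

# Live use on Windows Server 2003 (event 566) against the recipe's DC1, keeping only
# creations and deletions from the last hour. On Windows Server 2008 and later the
# equivalent event is 4662 and its message uses "Subject:" / "Account Name:" labels,
# so the Field labels above would need to change accordingly.
Get-EventLog -LogName Security -ComputerName DC1 -InstanceId 566 -After (Get-Date).AddHours(-1) |
    ForEach-Object { ConvertFrom-DsAccessEvent -Message $_.Message -TimeGenerated $_.TimeGenerated } |
    Where-Object { $_.Accesses -match 'Create Child|Delete' }
```

Note that the Primary User Name in these events is the domain controller's own machine account (DC1$), because the directory service performs the operation on the caller's behalf; the account you are looking for is always the Client User Name, which is why the parser reports that one.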

It can also be useful to enable Audit Account Management in the same GPO. Those events record account management operations (user, group, and computer account creations, deletions, and changes) together with the account that performed them, so they are often the quickest way to find, for example, which account deleted a particular user.

15.12.4 See Also

MS KB 232714 (HOW TO: Enable Auditing of Directory Service Access), MS KB 314955 (HOW TO: Audit Active Directory Objects in Windows 2000), MS KB 314977 (HOW TO: Enable Active Directory Access Auditing in Windows 2000), and MS KB 814595 (HOW TO: Audit Active Directory Objects in Windows Server 2003)
