Auditing Directory Services

AD Scenario – Auditing Directory Services

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.

What should you do?

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.

C. Enable the Audit account management policy in the Default Domain Controller Policy.

D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

Correct Answer: A


Auditing of Directory Services depends on several controls:

  1. Global Audit Policy (at category level using gpmc.msc tool)
  2. Individual Audit Policy (at subcategory level using auditpol.exe tool)
  3. System ACLs – to specify which operations are to be audited for a security principal.
  4. Schema (optional) – an additional control in the schema that you can use to create exceptions to what is audited: setting the NEVER_AUDIT_VALUE bit (0x100) in an attribute's searchFlags stops that attribute's values from being written to the log.

Starting with Windows Server 2008, you can set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory, Directory Service Changes, that logs the old and new values when changes are made to AD DS objects and their attributes. This subcategory is enabled with the auditpol.exe tool.

  1. Command to check which audit policies are active on your machine:

    auditpol /get /category:*

  2. Command to view the audit policy categories and subcategories:

  3. How to enable the global audit policy using the Windows interface, i.e. the Group Policy Management console (gpmc.msc)
  • Click Start, point to Administrative Tools, and then click Group Policy Management, or run the gpmc.msc command.
  • In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

  • Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

  • In the details pane, right-click Audit directory service access, and then click Properties.
  • Select the Define these policy settings check box.
  • Under Audit these attempts, select the Success check box, and then click OK.

  4. How to enable the change auditing policy using a command line

    Click Start, right-click Command Prompt, and then click Run as administrator.

    Type the following command, and then press ENTER (use straight double quotes; curly quotes copied from a web page are not accepted by auditpol):

    auditpol /set /subcategory:"Directory Service Changes" /success:enable

    To verify that auditing is enabled for Directory Service Changes, run:

    auditpol /get /category:"DS Access"

  5. How to set up auditing in object SACLs
  • Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  • Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.
  • Click the Security tab, click Advanced, and then click the Auditing tab.

  • Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.

  • In Apply onto, click Descendant User objects (or any other objects).
  • Under Access, select the Successful check box for Write all properties.

  • Click OK until you exit the property sheet for the OU or other object.
  6. To test whether auditing is working, create or modify an object in the OU you configured (the Finance OU here) and check the Security event log.

    I just created a new user account in the Finance OU named f4.

    If you check the Security event log you will find event ID 5137 (Create).

    Once auditing is enabled these event IDs appear in the Security event log: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move). On Windows Server 2008 R2, deletions are logged as 5141. A single attribute modification produces two 5136 events that share an OpCorrelationID: one carrying the old value (Value Deleted) and one carrying the new value (Value Added), which is how the "old and new values" requirement in the question is met.
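The six steps above, collected into one PowerShell script that enables the subcategory, sets the SACL on the OU, and then reads the resulting 5136-5139 events back with old and new values side by side. This is an added example, not code from the original post or from Microsoft; it assumes PowerShell 3.0 or later, the ActiveDirectory module (RSAT-AD-PowerShell), an elevated session on a domain controller, and an OU named OU=Finance,DC=corp,DC=example,DC=com, none of which come from the page.

```powershell
# Added example (not from the original page). Assumptions: PowerShell 3+, run elevated on
# a DC with the ActiveDirectory module installed, OU=Finance,DC=corp,DC=example,DC=com exists.
Import-Module ActiveDirectory

# --- Step 4: enable the subcategory with auditpol.exe and verify it from the CSV output (/r).
function Enable-DsChangeAuditing {
    # Straight quotes are required; curly quotes pasted from a web page break auditpol.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
    $row = auditpol /get /subcategory:"Directory Service Changes" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        throw "Directory Service Changes is still '$($row.'Inclusion Setting')'"
    }
    $row | Select-Object Subcategory, 'Inclusion Setting'
}

# --- Step 5: the SACL entry "Authenticated Users / Write all properties / Success /
#     Descendant User objects" from the ADUC dialog, applied to the OU.
function Add-DsChangeSacl {
    param([string]$OuDn)
    $path = "AD:\$OuDn"
    # schemaIDGUID of the "user" class (fixed in every forest); passing it as the
    # inherited object type limits the ACE to descendant user objects.
    $userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList (
        [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
        $authUsers,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,      # Write all properties
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    # -Audit makes Get-Acl read the SACL; writing it back needs SeSecurityPrivilege.
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    (Get-Acl -Path $path -Audit).GetAuditRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritedObjectType
}

# --- Step 6: read 5136-5139 back and flatten 5136 so old and new values are visible.
function Get-DsChangeEvents {
    param([int]$Hours = 24)
    # OperationType codes in event 5136: %%14674 = Value Added, %%14675 = Value Deleted.
    # One modify yields two 5136 events with the same OpCorrelationID: old value (deleted),
    # new value (added).
    $ops    = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    $action = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137, 5138, 5139
        StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 5139 (Move) reports OldObjectDN/NewObjectDN instead of ObjectDN.
        $dn = if ($d.ObjectDN) { $d.ObjectDN } else { "$($d.OldObjectDN) -> $($d.NewObjectDN)" }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Action      = $action[$e.Id]
            Actor       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object      = $dn
            Attribute   = $d.AttributeLDAPDisplayName
            Operation   = $ops[[string]$d.OperationType]
            Value       = $d.AttributeValue
            Correlation = $d.OpCorrelationID
        }
    }
}

Enable-DsChangeAuditing
Add-DsChangeSacl -OuDn 'OU=Finance,DC=corp,DC=example,DC=com'
Get-DsChangeEvents | Sort-Object Time, Correlation | Format-Table -AutoSize
```

Two caveats worth checking before trusting the result. First, a subcategory set with auditpol survives Group Policy refresh only while the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled (it is by default); if it has been disabled, the category-level "Audit directory service access" setting from the GPO rewrites all DS Access subcategories at the next refresh. Second, on Windows Server 2008 R2 the same subcategory can be set by GPO under Advanced Audit Policy Configuration, which is the supportable way to keep it consistent across all domain controllers rather than running auditpol on each one.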

To learn more about AD DS auditing, read the TechNet article:
AD DS Auditing Step-by-Step Guide

