Auditing Directory service access

Discussion in 'Active Directory' started by skip, Feb 12, 2009.

  1. skip

    skip Guest

    Hello

    On my Windows 2008 DC I need to audit directory service access, and I also
    need to enable the subcategory "directory service changes".

    I turned on the global audit "directory service access" policy using GPMC
    for the Default Domain Controllers GPO. I then ran auditpol /set
    /subcategory:"directory service changes" /success:enable

    I also opened ADUC, selected the Domain Admins group, selected
    Security -> Advanced and then the Auditing tab. I then added
    "Authenticated Users", checked the Success box for "Write all properties",
    then selected "Descendant User objects" for Apply to. I then ran gpupdate
    /force to update the settings. Now when I remove or add a user to the Domain
    Admins group, I get no events in the security event log on the DC. What am I
    missing here? Do I need to enable "Force audit policy subcategory
    settings to override audit policy category settings" on the default DC GPO?

    Many thanks for any clarification
     
    skip, Feb 12, 2009
    #1

  2. Marcin

    Marcin Guest

    Skip,

    have you enabled "Directory Service Changes" subcategory on all of your
    domain controllers (in particular, the one that actually was responsible for
    the change)?
    Have you checked the event log on that domain controller?

    You can obtain current auditing settings in place (in the Directory Services
    Access category) by running auditpol /get /category:"DS Access" - this
    should indicate whether "Force audit policy subcategory settings to override
    audit policy category settings" is relevant in this case...

    hth
    Marcin
     
    Marcin, Feb 12, 2009
    #2

  3. skip

    skip Guest

    I have one DC that is still running Windows 2003, so I can't run auditpol on
    it to set the subcategory. I'm a little confused: when I ran auditpol /set
    /category:"account management", after this I was able to audit adding or
    removing members of the Domain Admins group. So I don't understand why I
    would need to set up and enable DS Access auditing to capture modifications
    of the Domain Admins group?

    thanks
     
    skip, Feb 12, 2009
    #3
  4. Marcin

    Marcin Guest

    You don't. Group membership change falls in the account management
    category - so in this particular case, you can rely on GPO settings.
    However, in order to be able to reliably track changes on per subcategory
    level, all of your domain controllers need to run Windows Server 2008...

    hth
    Marcin
     
    Marcin, Feb 12, 2009
    #4
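The checks Marcin suggests in his two replies (confirm the effective audit policy on every domain controller, then look at the Security log of the DC that actually processed the change, and expect a group membership change to surface under Account Management rather than DS Access) can be scripted. The script below is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and a domain-admin context; the group name, the lookback window and the event IDs it searches for (4728/4729 for global-group membership changes in the Account Management category, 5136 and 4662 for the DS Access category) are assumptions stated in the comments.

```powershell
# Added example for this thread (not the original poster's or Marcin's code).
# Assumptions: RSAT ActiveDirectory module installed, WinRM enabled on the DCs,
# run as a domain admin. Event IDs used below (assumed, documented here):
#   4728 / 4729  member added to / removed from a security-enabled global group
#                (Account Management -> Security Group Management)
#   5136         directory service object modified (DS Access -> Directory Service Changes)
#   4662         operation performed on an object  (DS Access -> Directory Service Access)
param(
    [string]$GroupName = 'Domain Admins',   # assumed target group
    [int]$HoursBack    = 24                 # assumed lookback window
)

Import-Module ActiveDirectory

# Every writable DC can process the membership change, so every one must be checked.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    Write-Host "=== $dc ==="

    # 1. Effective audit policy as the DC's own LSA applies it. auditpol /get
    #    shows what is really in force, which is what matters when the
    #    category setting from the GPO and a subcategory setting disagree.
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            & auditpol.exe /get /category:"DS Access"
            & auditpol.exe /get /category:"Account Management"
        }
    } catch {
        # A Windows Server 2003 DC has no auditpol.exe and usually no WinRM,
        # so per-subcategory auditing cannot be read or configured there.
        Write-Warning "Could not read audit policy on ${dc}: $($_.Exception.Message)"
    }

    # 2. Security-log events on this DC that mention the group.
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 5136, 4662
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($GroupName) }

    if (-not $events) {
        Write-Host "No matching events in the last $HoursBack hours on $dc"
        continue
    }

    # TaskDisplayName is the audit subcategory, which makes it obvious whether
    # the event came from Account Management or from DS Access.
    $events |
        Select-Object TimeCreated, Id,
                      @{ n = 'Subcategory'; e = { $_.TaskDisplayName } },
                      @{ n = 'Summary';     e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

Run it once after adding and removing a test account from the group; if 4728/4729 appear on one DC only, that is the DC that processed the change and the one whose log needed checking. A DC that reports a warning instead of an audit policy is the Windows Server 2003 host, which will never produce 5136 events regardless of what the other DCs are set to.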
  5. Jorge de Almeida Pinto [MVP - DS], Feb 12, 2009
    #5
  6. Jorge de Almeida Pinto [MVP - DS], Feb 12, 2009
    #6