In Windows Server 2008, you can establish AD DS auditing by using a new subcategory of audit policy (Directory Service Changes) to record the old and new attribute values when Active Directory objects and their attributes change.
These audit policy changes also apply to Active Directory Lightweight Directory Services (AD LDS).
What can AD DS audits do?
Global audit policy: this audits access control to directory services, regardless of whether auditing for directory service events is enabled or disabled. This security setting determines that events are written to the Security log when certain operations are performed on a directory object. You control which operations are audited by modifying the System Access Control List (SACL) on the object. This policy is enabled by default in Windows Server 2008.
When you define this policy setting (by modifying the Default Domain Controllers Policy), you can choose to audit successful events, failed events, or nothing. You set the SACL on the Security tab of the AD DS object's Properties dialog box. Directory service auditing works the same way, but it applies only to AD DS objects, not to file objects or registry objects.
What happened to the existing features?
In Windows Server 2008, the AD DS audit policy records both the old and the new value of an attribute when an attribute change succeeds. Previous AD DS audit policies recorded only the names of the attributes that changed, not their previous and current values.
Auditing AD DS Access
In Windows 2000 Server and Windows Server 2003, there is only one audit policy (Directory Service Access Audit) that is used to control whether audit directory service events are enabled or disabled. In Windows Server 2008, this policy is divided into four subclasses:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
Because of the new audit subcategory (Directory Service Changes), changes to AD DS object attributes can now be audited. The types of changes you can audit are create, modify, move, and undelete. These events are written to the Security log.
The new audit policy subclass (Directory Service Change) in AD DS adds the following functionality:
When an attribute modification on an object succeeds, AD DS records the previous attribute value and the current attribute value. If the attribute has more than one value, only the value that changed as a result of the modification operation is logged.
If a new object is created, the values assigned to its attributes at creation time are recorded. In most scenarios, AD DS assigns default values to system attributes such as sAMAccountName; the values of such system attributes are not logged.
If an object is moved within the same domain, the previous and new locations (in the form of distinguished names, such as cn=anna,ou=test,dc=contoso,dc=com) are recorded. When an object is moved to a different domain, a create event is generated on the domain controller of the target domain.
If an object is undeleted, the location to which the object was moved is logged. In addition, if attributes are added, modified, or deleted during the undelete operation, the values of those attributes are also recorded.
Note: If an object is deleted, no audit events will be generated. However, if the Directory Service Access audit subclass is enabled, an audit event will be created.
When Directory Service Changes auditing is enabled, AD DS logs events in the Security log when the changes to an object meet the audit criteria specified by the administrator. The table below describes these events.
Event ID   Event Type   Event Description
5136       Modify       Generated when an attribute of a directory object is successfully modified
5137       Create       Generated when a new directory object is created
5138       Undelete     Generated when a directory object is undeleted
5139       Move         Generated when an object is moved within the same domain
Steps for establishing an audit policy
This section covers the following two steps:
Step 1: Enable the audit policy.
Step 2: Use Active Directory Users and Computers to enable object auditing by setting the object's SACL.
Step 1: Enable Audit Policy
This step shows how to enable auditing using either the graphical interface or the command line.
By default, Group Policy Management is not installed. You can install it through Add Features in Server Manager. You can enable individual subcategories by using the command line tool Auditpol.
Enabling Global Audit Policy via Graphical Interface
1. Click the Start button, point to Administrative Tools, and then point to Group Policy Management.
2. In the console tree, double-click the forest name, double-click Domains, double-click your domain name, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
4. Under Audit Policy, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Select the Success check box, and then click OK.
Enabling the audit policy with the command line tool Auditpol
1. Click the Start button, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press Enter:
auditpol /Set /subcategory:"directory service changes" /success:enable
Step 2: Create an audit policy in the object SACL list
1. Click the Start button, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the organizational unit (OU) or other object for which you want to enable auditing, and then click Properties.
3. Click the Security tab, click Advanced, and then click the Auditing tab.
4. Click Add. In Enter the object name to select, type Authenticated Users (or another security principal), and then click OK.
5. In the Apply onto drop-down box, select Descendant User objects (or other objects).
6. Under Access, select the Write all attributes check box.
7. Click OK until the object's Properties dialog box is closed.
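The same two steps carried out from PowerShell instead of the GUI, followed by a read-back of the resulting Directory Service Changes events. This is an added example, not part of the original article; it assumes an elevated session on a domain controller with the ActiveDirectory module (the AD: drive ships with Windows Server 2008 R2 and later), and the OU distinguished name is a placeholder.

```powershell
# Added example: enable the Directory Service Changes subcategory, add the audit ACE to an
# OU's SACL (Authenticated Users, write all properties, descendant user objects), then list
# the 5136-5139 events that result. Run elevated on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn = "OU=Test,DC=contoso,DC=com"   # placeholder: replace with the OU you want audited

# Step 1: success auditing for the Directory Service Changes subcategory
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Step 2: audit ACE on the OU SACL. The GUID is the schemaIDGUID of the "user" class, which
# is what "Descendant User objects" selects in the GUI.
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$principal = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList ([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList `
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid

$acl = Get-Acl -Path "AD:\$OuDn" -Audit      # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Read back the events from the table above. Field names come from the event's XML payload;
# 5136 carries the attribute name and value, 5139 carries OldObjectDN/NewObjectDN instead.
function Get-DsChangeEvents([int]$MaxEvents = 20) {
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Type      = switch ($e.Id) { 5136 {'Modify'} 5137 {'Create'} 5138 {'Undelete'} 5139 {'Move'} }
            Object    = if ($data.ContainsKey('ObjectDN')) { $data['ObjectDN'] } else { $data['NewObjectDN'] }
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Subject   = $data['SubjectUserName']
        }
    }
}

Get-DsChangeEvents | Format-Table -AutoSize
```

Modify a user under the OU (for example, change its description) and rerun Get-DsChangeEvents to see the 5136 event with the old and new attribute values, as described above.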