September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
15.12. Enabling Auditing of Directory Access
Problem
You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.
Solution
Using a graphical user interface
Open the Domain Controller Security Policy snap-in.
In the left pane, expand Local Policies and click on Audit Policy
In the right pane, double-click Audit directory service access.
Make sure the box is checked beside Define these policy settings.
Check the box beside Success and/or Failure.
Click OK.
Using a command-line interface
> auditpol \\<DomainControlerName> /enable /directory:allDiscussion
You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.
By default, the domain object has an inherited audit entry for the
Everyone security principal for all object access
and modifications. That means once you enable auditing in the Domain
Controller Security Policy and it replicates out, domain controllers
will log events for any directory access or modification to any part
of the directory. As you can imagine, auditing every access to Active
Directory can generate a lot of events, so you’ll
either want to disable the
Everyone auditing and apply ...