You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.
Open the Domain Controller Security Policy snap-in.
In the left pane, expand Local Policies and click on Audit Policy
In the right pane, double-click Audit directory service access.
Make sure the box is checked beside Define these policy settings.
Check the box beside Success and/or Failure.
> auditpol \\<
DomainControlerName> /enable /directory:all
You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.
By default, the domain object has an inherited audit entry for the
Everyone security principal for all object access
and modifications. That means once you enable auditing in the Domain
Controller Security Policy and it replicates out, domain controllers
will log events for any directory access or modification to any part
of the directory. As you can imagine, auditing every access to Active
Directory can generate a lot of events, so you’ll
either want to disable the
Everyone auditing and apply ...