Active Directory Auditing

Auditing in the context of Active Directory generally means keeping close track of user account status, group memberships and user privileges, as well as account activity, folder access and file permissions. Windows Server 2008 adds Active Directory Domain Services (AD DS) auditing, which records every change made to directory objects and their attributes. The resulting audit log entries record nearly all details of a change to an object attribute, including the old and new attribute values and the account that made the change.

In a Windows Server 2008 based Active Directory, the Audit Directory Service Access policy is split into four subcategories:

  1. Directory Service Access
  2. Directory Service Changes
  3. Directory Service Replication
  4. Detailed Directory Service Replication

Of these four subcategories, Directory Service Changes is the one that audits changes to AD objects: creating, modifying, moving or undeleting a user object, for example, can all be audited with the AD DS auditing feature. Its other most important capabilities are:

  • When an object attribute is modified, AD DS logs both the old and the new attribute value. If the attribute is multi-valued, only the values changed by the modification are logged.
  • When a new object is created, every attribute value populated at creation time is logged.
  • When an object is moved, its old and new location within the domain are logged. If the object is moved to a different domain, a create event is generated on the target domain's domain controller instead.
  • When an object is undeleted, the location it is restored to is logged. If object attributes are changed as part of the undelete operation, their new values are logged as well.

Steps to Configure Auditing for Specific Active Directory Objects

Once the audit policy setting is configured, it becomes much easier to configure auditing for particular objects such as users, groups, OUs and computers. This is done by specifying both the users whose access is to be audited and the type of access to be audited. The steps for configuring auditing of specific AD objects are:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, make sure that Advanced Features is selected (the command has a check mark next to it).
  3. Right-click the Active Directory object that you want to audit, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Click the Auditing tab, and then click Add.
  6. Complete one of the following:
    • Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.
    • In the list of names, double-click either the user or the group whose access you want to audit.
  7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
  8. Click OK.
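The same configuration can be scripted and then verified against the Security log. The following is an added example written for this page, not code from the original article or from Microsoft; it enables the Directory Service Changes subcategory, adds an audit entry to one OU (the OU path and the audited principal "Everyone" are assumptions), and lists the resulting events.

```powershell
# Added example (not from the original page): script the configuration described
# above and read back the resulting events. Run in an elevated PowerShell session
# on a domain controller; the OU path and the audited principal are assumptions.
Import-Module ActiveDirectory

# 1. Enable the Directory Service Changes subcategory for successful operations.
#    On a DC this is normally set through the Default Domain Controllers Policy;
#    auditpol.exe changes the local effective policy and may be overwritten by GPO.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable

# 2. Scripted equivalent of the Auditing tab steps: add a SACL entry to the OU
#    (assumed path) auditing successful writes, creates and deletes by Everyone,
#    inherited by every object below it.
$ouPath   = "AD:\OU=Finance,DC=corp,DC=example"   # assumed OU; change to yours
$identity = [System.Security.Principal.NTAccount]"Everyone"
$rights   = [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, CreateChild, DeleteChild, Delete"
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                       -ArgumentList $identity, $rights, $flags, $inherit
$acl = Get-Acl -Path $ouPath -Audit        # -Audit is required to read the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl      # needs "Manage auditing and security log"

# 3. Read back what the subcategory logged. Directory Service Changes event IDs:
#    5136 attribute modified, 5137 object created, 5138 undeleted, 5139 moved.
$filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 5138/5139 report OldObjectDN/NewObjectDN instead of ObjectDN.
    $obj = if ($d.ObjectDN) { $d.ObjectDN } else { "$($d.OldObjectDN) -> $($d.NewObjectDN)" }
    # For 5136, OperationType %%14414 = value added, %%14415 = value deleted; a
    # replaced attribute therefore shows as a deleted/added pair with one OpCorrelationID.
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        Who         = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object      = $obj
        Attribute   = $d.AttributeLDAPDisplayName
        Value       = $d.AttributeValue
        Operation   = $d.OperationType
        Correlation = $d.OpCorrelationID
    }
} | Format-Table -AutoSize
```

The SACL entry alone produces nothing unless the subcategory is enabled, and the subcategory alone produces nothing for objects without a matching SACL entry; both halves of step 1 and step 2 must be in place before events appear.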