15.12. Enabling Auditing of Directory Access

Problem

You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.

Solution

Using a graphical user interface

  1. Open the Domain Controller Security Policy snap-in.

  2. In the left pane, expand Local Policies and click on Audit Policy.

  3. In the right pane, double-click Audit directory service access.

  4. Make sure the box is checked beside Define these policy settings.

  5. Check the box beside Success and/or Failure.

  6. Click OK.

Using a command-line interface

> auditpol \\<DomainControllerName> /enable /directory:all

Discussion

You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.

By default, the domain object has an inherited audit entry for the Everyone security principal for all object access and modifications. That means once you enable auditing in the Domain Controller Security Policy and it replicates out, domain controllers will log events for any directory access or modification to any part of the directory. As you can imagine, auditing every access to Active Directory can generate a lot of events, so you’ll either want to disable the Everyone auditing and apply ...
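As an added example (not from the book), the same two-part configuration done from PowerShell on a Windows Server 2008 or later domain controller, where auditpol.exe uses per-subcategory syntax rather than the Resource Kit form shown in the Solution: turn on the Directory Service Access subcategory, inspect the inherited Everyone audit entry on the domain object, then scope auditing to one container instead of the whole directory. The OU distinguished name is a placeholder, and the ActiveDirectory module (for the AD: drive) is assumed to be installed.

```powershell
# Added example, not from the book. Run in an elevated PowerShell session on a
# domain controller with the ActiveDirectory module installed (provides the AD: drive).
Import-Module ActiveDirectory

# 1. Enable the "Directory Service Access" audit subcategory for success and failure.
#    On Windows Server 2008 and later auditpol.exe is subcategory-based; this is the
#    equivalent of the older "auditpol /enable /directory:all" Resource Kit syntax.
auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Directory Service Access"

# 2. Inspect the audit entries on the domain object (the inherited Everyone entry the
#    Discussion warns about). -Audit is required for Get-Acl to return SACL entries.
$domainDn  = (Get-ADDomain).DistinguishedName
$domainAcl = Get-Acl -Path "AD:\$domainDn" -Audit
$domainAcl.Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited

# 3. Rather than auditing every access to the directory, add a targeted SACL entry on
#    one sensitive container: log successful and failed write-type operations by
#    Everyone on this OU and everything beneath it. The OU DN is a placeholder.
$targetDn = "OU=Tier0,$domainDn"   # placeholder: substitute the container to monitor
$acl      = Get-Acl -Path "AD:\$targetDn" -Audit

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner    -bor
            [System.DirectoryServices.ActiveDirectoryRights]::CreateChild   -bor
            [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$flags    = [System.Security.AccessControl.AuditFlags]::Success -bor
            [System.Security.AccessControl.AuditFlags]::Failure
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                   -ArgumentList @($everyone, $rights, $flags, $inherit)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$targetDn" -AclObject $acl   # writing a SACL needs SeSecurityPrivilege

# 4. Confirm events are arriving: Directory Service Access auditing writes event ID 4662
#    ("An operation was performed on an object") to the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Because audit policy set with auditpol.exe is local to the machine it runs on, repeat step 1 on each domain controller (or keep using the Domain Controllers GPO, which replicates), while the SACL in step 3 is stored on the object itself and replicates with the directory.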
