15.12. Enabling Auditing of Directory Access
Problem
You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.
Solution
Using a graphical user interface
Open the Domain Controller Security Policy snap-in.
In the left pane, expand Local Policies and click on Audit Policy.
In the right pane, double-click Audit directory service access.
Make sure the box is checked beside Define these policy settings.
Check the box beside Success and/or Failure.
Click OK.
Using a command-line interface
> auditpol \\<DomainControllerName> /enable /directory:all
Discussion
You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Domain Controller Security GPO with the Audit directory service access setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.
By default, the domain object has an inherited audit entry for the Everyone security principal for all object access and modifications. That means once you enable auditing in the Domain Controller Security Policy and it replicates out, domain controllers will log events for any directory access or modification to any part of the directory. As you can imagine, auditing every access to Active Directory can generate a lot of events, so you’ll either want to disable the Everyone auditing and apply ...
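The two steps the recipe describes (turn on the audit policy, then define audit entries in the SACL of the containers you actually want to watch, rather than relying on the inherited Everyone entry on the domain object) can also be scripted. The following PowerShell is an added example, not part of the recipe; it assumes Windows Server 2008 or later, whose built-in auditpol.exe uses the /set syntax rather than the Resource Kit syntax shown in the Solution, plus the ActiveDirectory module. The OU name is a constructed placeholder, and the event ID 4662 is the Directory Service Access event on those versions (the recipe's era logged ID 566).

```powershell
# Added example (not from the recipe): scope directory-access auditing with PowerShell.
# Assumes Windows Server 2008 or later (built-in auditpol.exe /set syntax) and the
# ActiveDirectory module. Run on a domain controller with sufficient rights.
Import-Module ActiveDirectory

# 1. Enable Success and Failure auditing for the "Directory Service Access" subcategory.
#    This is the per-DC equivalent of the "Audit directory service access" policy setting;
#    configuring it through the Domain Controllers GPO is preferable so every DC gets it.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Access"

# 2. Instead of the inherited Everyone entry on the domain object (which logs every
#    access), add a narrower audit entry to the SACL of one container: record successful
#    and failed property/DACL/owner writes on objects under a single OU.
$ouDn = "OU=Finance,DC=example,DC=com"      # constructed placeholder DN
$acl  = Get-Acl -Path "AD:\$ouDn" -Audit     # -Audit is required to read and change the SACL

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]"Everyone",
    [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, WriteDacl, WriteOwner",
    [System.Security.AccessControl.AuditFlags]"Success, Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Review the resulting SACL and the events it produces. Event ID 4662
#    ("An operation was performed on an object") is the Directory Service Access
#    event in the Security log on Windows Server 2008 and later.
(Get-Acl -Path "AD:\$ouDn" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Limiting the audit rule to write-type rights on one OU is what keeps the Security log usable: read access to the directory is constant background noise, whereas writes to a sensitive container are the events worth collecting and alerting on.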
Get Active Directory Cookbook now with the O’Reilly learning platform.