Wednesday 6 August 2014

All objects in Active Directory (e.g., users, groups, OUs and Group Policy objects) are structured according to the AD schema of object classes and attributes. Active Directory objects can be fairly complex because of the attributes associated with them. If even one attribute is omitted or disturbed, other network applications or systems that rely on that attribute could fail. In addition, every time an object is changed, several different events are recorded, so it is important to be able to find all the events that relate to a given change.

Enabling auditing on Active Directory objects is a must. Note, however, that audit settings vary slightly between versions of Windows. If you have a mixed environment, be sure to consult each version's documentation for the appropriate audit settings.

Windows Server 2008 Auditing Change

Before Windows Server 2008, auditing could only tell you that a value had changed. It would not tell you what the value was before the change was made. In fact, auditing on Windows Server 2003 R2 does not provide enough information to make real use of the events recorded in the Security event log.

Things are quite different in Windows Server 2008. Windows Server 2008 gives the administrator the ability to record changes to AD objects, including what the value of the attribute was before the change and what it is now. In Windows Server 2008 the Directory Service audit policy is configurable for four subcategories:
  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

Enabling Auditing of Changes to AD Objects

Auditing can be enabled on a single object, at the OU level, or at the domain level.

The following steps enable domain-level auditing.

1. Press the 'Windows' + 'R' keys.
2. Type the command dsa.msc and click OK.
Note: You can skip the above steps by clicking Start --> Administrative Tools --> Active Directory Users and Computers.
3. Click View and make sure that Advanced Features is enabled. If it is not enabled, click it to place a check mark next to it.

4. Right-click the Organizational Unit you want to audit. In our example we are going to audit Users. Then click Properties.
5. Click the Security tab.
 Note: If the Security tab is not available, make sure that the Advanced Features option is checked under the View menu.
6. Click Advanced.
7. Click the Auditing tab, then click Add.
8. Under Enter the object name to select:, type Authenticated Users and click OK.
In the next window, under Apply onto:, select Descendant User Objects. Under Access, check the box next to Write all properties and click OK.
9. Click OK until you are out of all dialog boxes.
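The same configuration applied from PowerShell, as an added example that is not part of the original post: it enables the Directory Service Changes subcategory and then adds the Authenticated Users / Write all properties / Descendant User Objects audit entry to the OU's SACL. It assumes the ActiveDirectory module (the AD: drive) in an elevated session on a domain controller; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and an elevated session on a DC. $ouDn is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=Users,DC=example,DC=com'   # placeholder: adjust to your domain

# 1. Enable the "Directory Service Changes" subcategory so that object
#    modifications are logged with their old and new attribute values
#    (Security log event ID 5136 on Windows Server 2008 and later).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Look up the schemaIDGUID of the 'user' class so the audit entry applies
#    to "Descendant User Objects" only, instead of hard-coding the GUID.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' `
                          -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

# 3. Build the audit rule: Authenticated Users, Write all properties (WriteProperty),
#    Success audits, inherited by descendant user objects.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @(
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $authUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# 4. Read the OU's security descriptor including the SACL (-Audit), add the
#    entry, and write it back. Modifying a SACL needs SeSecurityPrivilege.
$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 5. Verify: list the audit entries now present on the OU.
(Get-Acl -Path "AD:\$ouDn" -Audit).Audit |
    Where-Object { $_.IdentityReference -like '*Authenticated Users*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

After a test change to a user in that OU, filter the Security log for event ID 5136 to confirm the old and new attribute values are being recorded.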

In this way you can configure change auditing for the complete Active Directory domain, and the Security event log will then show any change made to the AD objects covered by the audit entry.

Nevertheless, there is one important point to keep in mind. Auditing can be very resource intensive, and too many audit entries can ultimately affect the performance of your DC. There should always be a compromise between the actual need for detailed auditing information and the performance of your DC. Moreover, because the audit data remains on the domain controllers, it cannot always be relied on as an audit trail of administrator actions, since administrators can erase or modify any file on the system. In addition, Windows Server 2008 does not provide any real reporting or analysis capabilities for the Windows Security log.

To safeguard Active Directory, real-time monitoring is a must, as it helps you identify high-impact, suspicious or prohibited changes. The ideal way to achieve this is with a third-party Active Directory auditor such as LepideAuditor for Active Directory. The tool allows you to perform real-time monitoring and gives you access to reports for monitoring specific objects.

Summary

Enabling auditing on Active Directory objects is a must. Windows Server 2008 provides some native functionality for auditing changes, but significant gaps and limitations remain. To safeguard Active Directory, real-time monitoring is a must, and the best way to do it is with a third-party Active Directory auditing tool.
