from manager for security audits, if you don't already have them in place yourself to keep an eye on
things.
Auditing is exactly what it sounds like: it keeps a record of things that have been modified in Active
Directory.
In previous versions of Windows Server there was little granular control over what you were
auditing. Let's explore some of the new auditing features in Server 2008.
This article focuses on enabling auditing of Directory Service Changes, which lets us audit
changes made to Active Directory Domain Services.
Global Audit Policy: In Server 2008 the Global Audit Policy is not on by default and must be
enabled.
System Access Control List (SACL): The SACL is the ultimate authority on whether an access check
gets audited or not.
The SACL is part of the security descriptor for an Active Directory object and specifies which
operations should be audited. SACLs are set by the security administrators who have been
assigned the Manage Auditing and Security Log privilege. That privilege is assigned automatically
to the Administrators group.
Schema: To protect administrators from generating too many auditing events, there is an
override that can be set in the schema to exclude any events that have an attribute set.
We will not be covering the schema modification in this article, but it is important for you to
know about.
2. Navigate down through your Forest, to the Domains, then Domain Controllers, and left-click on
Default Domain Controllers Policy.
You will get a warning that changes here will impact all other locations that the GPO is linked to. Click
OK.
3. Right-click on Default Domain Controllers Policy and then left-click on Edit.
5. Right-click on Audit Directory Service Access, and then click Properties.
6. Select Define these policy settings and then select Success. Click on Apply and then OK.
I told you it was much faster! You should see "The command was successfully executed." Now let's
move on to the next step.
2. Click on View and make sure that Advanced Features is enabled. If not, left-click on it to place a
check next to it.
3. Right-click on any of the Organizational Units you want to audit; in our example I am going to audit
Users. Then click on Properties.
7. Under "Enter the object name to select:", type in Authenticated Users and click OK.
8. In the next window, under "Apply onto:", select Descendant User Objects, and under Access check
the box for Successful next to Write all properties, then click OK.
The next image shows the changed object's new value, which in our case is Test Audit:
So you can see that it is very helpful if you are watching these types of things to know what the old
value was compared to the new value, in case you need to quickly and easily reset the attribute without
having to go to a backup.
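The old-versus-new comparison described above can be pulled out of the Security log with a script. The following is an added example, not part of the original article: Directory Service Changes are logged as event ID 5136, and a modification produces one "Value Deleted" record and one "Value Added" record that share an OpCorrelationID. The function names, account name, distinguished name and old value are constructed for illustration.

```powershell
# Constructed sample data (not real log output): builds one 5136 event as XML.
function New-SampleEvent($Op, $Value) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID></System>
 <EventData>
  <Data Name="OpCorrelationID">{11111111-2222-3333-4444-555555555555}</Data>
  <Data Name="SubjectUserName">admin.example</Data>
  <Data Name="ObjectDN">CN=Test User,CN=Users,DC=example,DC=test</Data>
  <Data Name="AttributeLDAPDisplayName">description</Data>
  <Data Name="AttributeValue">$Value</Data>
  <Data Name="OperationType">$Op</Data>
 </EventData>
</Event>
"@
}

function Get-DirectoryChange {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $records = foreach ($raw in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
    # One modify = separate delete/add records sharing the same OpCorrelationID.
    $records | Group-Object OpCorrelationID, ObjectDN, AttributeLDAPDisplayName | ForEach-Object {
        $old = $_.Group | Where-Object OperationType -eq '%%14675'   # Value Deleted
        $new = $_.Group | Where-Object OperationType -eq '%%14674'   # Value Added
        [pscustomobject]@{
            ChangedBy = $_.Group[0].SubjectUserName
            ObjectDN  = $_.Group[0].ObjectDN
            Attribute = $_.Group[0].AttributeLDAPDisplayName
            OldValue  = if ($old) { $old.AttributeValue -join '; ' } else { '<not set>' }
            NewValue  = if ($new) { $new.AttributeValue -join '; ' } else { '<cleared>' }
        }
    }
}

# Live input on a domain controller would instead be:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() }
$sample = @(
    New-SampleEvent '%%14675' 'Original description'
    New-SampleEvent '%%14674' 'Test Audit'
)
Get-DirectoryChange -EventXml $sample | Format-List
```

An attribute that had no previous value produces only the "Value Added" record, which the script reports as `<not set>` rather than failing.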
There are a ton of things you can audit depending on the situation and your need.