More than any other system, Active Directory is important to an organization from a security perspective.
Even a small change in an organization’s AD can cause a major business impact. Unauthorized access and
unplanned changes in the AD environment should be prevented in the first place, but if something like
that does happen in your AD environment, you should have enough information to answer questions
such as: what has changed, when did it happen, and who did it?
Computer security threats change every day, and sometimes the default event logs
may not be enough to answer the questions above. Microsoft understood these modern requirements and,
with Windows 2008 R2, introduced the “Advanced Security Audit Policy”. It gives you 53 options to
tune your auditing requirements, so you can collect more granular information about your
infrastructure events. It has 10 categories, and in this demo I am going to talk about the “DS
Access” category, which focuses on Active Directory access and object modifications.
Advanced Security Audit Policy needs to be enabled via GPO. These events are recorded on the
domain controllers, so the policy should target only the domain controllers. It can be enabled
in the “Default Domain Controllers Policy” in AD.
Sub categories for both success and failure events. To do that, double-click each subcategory and
enable audit events.
After the GPO is applied, I can now see the new events in the logs. For testing, I added a new GPO under the IT OU,
and in the logs I can see detailed information about the activity.
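
One way to confirm on a domain controller that the policy has actually taken effect, as an added example that is not part of the original post: it reads the effective "DS Access" settings with `auditpol` and flags any subcategory that is not auditing both success and failure. It assumes an elevated PowerShell session on an English-language domain controller, since category and setting names are localised.

```powershell
# Added example: verify the effective "DS Access" audit settings on a domain controller.
# Run from an elevated PowerShell session on the DC after the GPO has applied.
# Assumption: English-language output (category and setting names are localised).

$expected = 'Success and Failure'

# /r returns CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$raw = auditpol /get /category:"DS Access" /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed (exit code $LASTEXITCODE); is the session elevated?"
}

# Drop blank lines before parsing so ConvertFrom-Csv sees only header and data rows.
$settings = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv
if (-not $settings) {
    throw 'No DS Access subcategories returned; check the category name for this OS language.'
}

# One row per subcategory with its effective setting and whether it matches the target.
$report = foreach ($row in $settings) {
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq $expected)
    }
}
$report | Format-Table -AutoSize

# Summarise: anything not set to "Success and Failure" is a gap in the audit trail.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} DS Access subcategory(ies) not auditing success and failure: {1}" -f `
        $gaps.Count, ($gaps.Subcategory -join ', '))
} else {
    Write-Output 'All DS Access subcategories audit both success and failure.'
}
```

If a subcategory still shows "No Auditing", run `gpupdate /force` on the domain controller and check that the GPO is linked to the Domain Controllers OU before re-running the script.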
If you have any questions about the post, feel free to ask me at rebeladm@live.com