The subject behavior occurs because you must set the Delete auditing entry when you set the Delete All Child Objects auditing entry.
NOTE: With the only the Delete All Child Objects auditing entry, the event log only records that an object has been deleted from a container.
When you set the Delete auditing entry and the Delete All Child Objects auditing entry, the event log records which object has been deleted and the container it was deleted from.
NOTE: See HOW TO: Audit Active Directory objects in Windows Server 2003.
0 comments
Hide comments