When you audit authorized and unauthorized access to the Active Directory, the Directory Service Event log on a domain controller records the events.
To enable auditing:
1. Administrative Tools / Active Directory Users and Computers.
2. Highlight the domain name and enable Advances Features on the View menu.
3. Right-click the Domain Controllers container and press Properties.
4. Select the Group Policy tab.
5. Select the Default Domain Controller Policy and press the Edit button.
6. Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy.
7. Double-click Audit directory service access.
8. Check the Success and Failure boxes.
9. Press OK and OK, closing the snap-in.
NOTE: The default timing for application of this policy is 5 minutes. See Windows 2000 Group Policy refresh. Don't forget replication timing to the other domain controllers.