Active Directory is big, complex, and difficult to figure out in some cases. For example, if you want to track all changes that occur in Active Directory and the objects contained within, it is not all that easy. Microsoft does not make a simple “click here” button to perform this action. Also, Microsoft does not enable auditing automatically for the changes that occur on your domain controllers to the Active Directory database.
I know that every administrator wants to track all changes that occur — with full verbose details regarding the change and person making the change. Again, this level of detail is hard to achieve and even harder to decrypt once you get the information logged. It is, however, possible to achieve this goal.
First, you need to understand that Active Directory resides on your domain controllers, and so you will need to track these computers in order to track the changes that occur in Active Directory. Second, you will need to enable “auditing” for these domain controllers. You can either do this manually (which is just silly) or use Group Policy. My suggestion is to create a new Group Policy Object and link it to the Domain Controllers organizational unit (OU). Yes, there is one there already named the Default Domain Controllers Policy, but I suggest you use a new one dedicated to these auditing configurations.
If you are using Windows Server 2008 R2 or later domain controllers, I highly suggest you use Advanced Auditing instead of the traditional auditing, as you will get more detailed results and can reduce the overall log sizes by only focusing on what you want to track. For more information on Advanced Auditing, refer to Microsoft TechNet's Advanced Security Auditing FAQ.
You should configure, for both success and failure, the following Advanced Audit settings in your new Group Policy Object:
- Account Management
  - Audit Application Group Management
  - Audit Other Account Management Events
  - Audit Security Group Management
  - Audit User Account Management
- DS Access
  - Audit Directory Service Access
  - Audit Directory Service Changes
- Object Access
  - Audit File System
  - Audit Other Object Access Events
Now that we have our domain controllers “auditing” changes, we need to tell them what to track. This is done by configuring auditing on each of the “objects” that we want to track.
In order to set up the auditing, you will need to alter the Auditing tab at the domain node of your Active Directory installation. Figure 1 illustrates what this looks like.
Figure 1. Auditing configuration for the domain node
You will need to configure auditing for the following types of objects at this node:
- Organizational units
- Group Policy Objects
You will also have to set up this type of auditing on the Schema and DNS. You can see the full-blown details on how to accomplish these settings and where to perform the settings by going to ManageEngine's Configuring SACL for AD Objects.
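The same domain-node SACL configuration, scripted in PowerShell as an added example (this is not code from the article or from ManageEngine). It assumes it is run on a domain controller, or on a host with RSAT and the ActiveDirectory module, by a member of Domain Admins; the specific rights audited and the choice of "Everyone" as the audited principal are this example's own assumptions, and the final loop checks only a subset of the subcategories listed earlier.

```powershell
# Added example: audit changes to OUs and GPOs under the domain node, then
# confirm the Advanced Audit subcategories that make the SACL produce events.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve a schema class name to its schemaIDGUID at runtime rather than hard-coding GUIDs.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList @(,[byte[]]$cls.schemaIDGUID)
}

# Assumption: audit Everyone, success and failure, for the operations that create,
# modify or delete OUs and GPOs anywhere below the domain node.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$domainDN" -Audit   # -Audit retrieves the SACL, not only the DACL
foreach ($class in 'organizationalUnit', 'groupPolicyContainer') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights, $flags, $inherit, (Get-SchemaClassGuid $class))
    $acl.AddAuditRule($rule)   # object-type-specific ACE: applies only to descendants of this class
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# A SACL produces no events unless the matching subcategories are enabled on the DC;
# report the effective setting for a subset of the subcategories the article lists.
$subcategories = 'Directory Service Access', 'Directory Service Changes',
                 'User Account Management', 'Security Group Management'
foreach ($sub in $subcategories) {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    "{0,-28} {1}" -f $sub, $row.'Inclusion Setting'   # expect "Success and Failure"
}
```

Run the check loop first on a domain controller that already has the GPO applied; if a subcategory reports "No Auditing", the SACL entries will be silently ineffective until the policy refreshes.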
Now that you have your Active Directory changes being tracked, we will need to go look at the results and see what the limitations are. We will do that in our next installment!
Derek Melber is the technical evangelist for ManageEngine, a division of Zoho Corporation. As one of only a handful of Microsoft Group Policy MVPs, Derek helps Active Directory administrators, auditors and security professionals understand the finer points of how to manage, audit, recover and solve issues that occur in Active Directory and Group Policy. He educates IT professionals worldwide on Active Directory, Group Policy and Security and has authored over 15 books on Windows security and management. He’s famous for his video shorts in which he offers quick, practical solutions for Active Directory management.