Windows Server 2008 Active Directory Domain Services: auditing

Source: Internet
Author: User
Tags: file system, log

In Windows Server 2008, administrators have more options for auditing Active Directory objects. The new audit policy subcategory Directory Service Changes audits changes to Active Directory objects, such as creating, modifying, moving and undeleting them, and logs the old and new attribute values once the change has completed.

Note: Audit directory service access is similar to Audit object access, but Audit directory service access applies only to AD DS objects, not to file system objects or registry objects.

Audit AD DS Access

In Windows 2000 Server and Windows Server 2003 there was a single audit policy, Audit directory service access, which controlled whether auditing of directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:

Directory Service Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

The global audit policy Audit directory service access controls whether auditing of directory service events is enabled or disabled. This security setting determines whether the security log records an event when certain operations are performed on objects in the directory. The administrator specifies which operations are audited by modifying the system access control list (SACL) of the object. In Windows Server 2008, this policy is enabled by default.

If you define this policy setting (by modifying the Default Domain Controllers Policy), the administrator can specify whether to audit successes, audit failures, or not audit at all. A success audit generates an audit entry when a user successfully accesses an AD DS object whose SACL specifies auditing. A failure audit generates an audit entry when a user fails to access an AD DS object whose SACL specifies auditing. In Windows Server 2003, these audit events appear in the security log with event ID 566. In Windows Server 2008, the audit policy subcategory Directory Service Access produces the same event, but the event ID becomes 4662.
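As an added example (not code from the original article), the following PowerShell adds an auditing entry to the SACL of an OU and then reads the resulting Directory Service Access events (ID 4662), showing the link between the SACL and the audit entries described above. It assumes the ActiveDirectory module, a domain controller running Windows PowerShell 3.0 or later, and a placeholder OU distinguished name.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (AD: drive), Domain Admin rights, and a placeholder OU DN that you replace.
Import-Module ActiveDirectory

$ouDn = 'OU=Servers,DC=example,DC=com'   # placeholder: the OU whose objects you want audited

# 1. Add an auditing ACE to the OU's SACL: audit successful and failed attempts by
#    Everyone to write properties on the OU and everything below it.
$acl      = Get-Acl -Path "AD:\$ouDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success,Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 2. Read the Directory Service Access events (ID 4662; the equivalent on
#    Windows Server 2003 is 566) and show who accessed which object, and how.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 50 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
      Time     = $_.TimeCreated
      Subject  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      Object   = $d.ObjectName
      Access   = $d.AccessMask
      Result   = $_.KeywordsDisplayNames -join ','   # 'Audit Success' or 'Audit Failure'
    }
  } | Format-Table -AutoSize
```

Event 4662 is high-volume on a busy domain controller, so scope the SACL entry to the objects and rights you actually need to watch rather than auditing all access domain-wide.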

Audit AD DS Changes

The new audit subcategory Directory Service Changes audits changes to objects in AD DS. The changes that can be audited are: create, modify, move and undelete of objects. The events generated by these actions appear in the security log and include the previous and current attribute values.

The new policy subcategory adds the following auditing capabilities to AD DS:

When an attribute of an object is modified successfully, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.

If a new object is created, the values of the attributes that are populated at the time of creation are logged. If attributes are added during the create operation, those new attribute values are also logged. In most cases, AD DS assigns default values to attributes (for example, sAMAccountName); the values of such system attributes are not logged.

If an object is moved within a domain, the previous and new locations (in the form of distinguished names) are logged. When an object is moved to another domain, a create event is logged on the domain controller of the target domain.

If an object is undeleted, the location to which the object is moved is logged. In addition, if attributes are added, modified or deleted during the undelete operation, the values of those attributes are logged.

If an object is deleted, no change audit event is generated. However, if Audit directory service access is enabled, an access audit event can still be generated.

When Directory Service Changes is enabled, AD DS logs an event in the Security event log whenever an administrator changes an object whose SACL is set up for auditing. The following table describes these events.

Global Audit Policy

Enabling the global audit policy Audit directory service access enables all directory service policy subcategories. The global audit policy can be set in the Default Domain Controllers Policy (under Security Settings \ Local Policies \ Audit Policy). In Windows Server 2008, the global audit policy is enabled by default, and this subcategory is set to audit success events only. However, the two audit subcategories are independent of each other: an administrator can choose not to enable Directory Service Access and still see the change events generated by enabling the Directory Service Changes subcategory.
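The following PowerShell, added here as an example (not code from the original article), enables only the Directory Service Changes subcategory with auditpol and then pairs the old and new attribute values from the resulting change events, which demonstrates both the per-attribute old/new logging described above and the independence of the two subcategories. It assumes Windows PowerShell 3.0 or later on a domain controller; the event IDs 5136 to 5139 and the OperationType codes come from Microsoft's documentation and are not stated on this page.

```powershell
# Added example, not from the original article. Run as an administrator on a domain
# controller with Windows PowerShell 3.0 or later. Event IDs 5136-5139 (modify, create,
# undelete, move) and the OperationType codes are from Microsoft's documentation.

# 1. Enable only the Directory Service Changes subcategory, for successful operations.
#    Directory Service Access (event 4662) is left untouched, since the two are independent.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"DS Access"        # shows the settings of all four subcategories

# 2. Read 5136 (attribute modified). One modify of a single-valued attribute yields two
#    events sharing an OpCorrelationID: 'Value Deleted' (old) and 'Value Added' (new).
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
      Time        = $_.TimeCreated
      Correlation = $d.OpCorrelationID
      Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      ObjectDN    = $d.ObjectDN
      Attribute   = $d.AttributeLDAPDisplayName
      Operation   = $opType[$d.OperationType]
      Value       = $d.AttributeValue
    }
  }

# 3. Pair old and new values per change so a reviewer sees the before/after in one row.
$changes |
  Group-Object Correlation, Attribute |
  ForEach-Object {
    $first = $_.Group | Sort-Object Time | Select-Object -First 1
    [pscustomobject]@{
      Time      = $first.Time
      Subject   = $first.Subject
      ObjectDN  = $first.ObjectDN
      Attribute = $first.Attribute
      OldValue  = (($_.Group | Where-Object { $_.Operation -eq 'Value Deleted' }).Value) -join ';'
      NewValue  = (($_.Group | Where-Object { $_.Operation -eq 'Value Added' }).Value) -join ';'
    }
  } | Format-Table -AutoSize
```

Because a deleted object produces no change event, pair this with Audit directory service access (or the deleted-object tracking of your SIEM) if you need to account for deletions as well.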

In Windows 2000 Server and Windows Server 2003, the policy Audit directory service access was the only audit control available for Active Directory. The events it generates show no old or new values for a change. With the new audit policy subcategory Directory Service Changes, successful changes to the directory can be logged together with the previous and current attribute values. The ability to audit changes to object attributes makes event logging more useful as a change-tracking mechanism over the whole lifetime of an object, and allows the original attribute value to be restored if needed.
