
Step-by-Step guide to audit active directory changes using “Directory Service Changes” auditing

As an Administrator/Engineer, it is important to audit object access on the infrastructure to identify security issues and problems; it also helps to troubleshoot these issues.

In Windows, folder or file access can be audited using the Audit Object Access policy. In the same way, the Audit Directory Service Access policy allows auditing of access attempts to objects in Active Directory. This is enabled by default and configured to audit "Success" events. But there are a few disadvantages to this:

1)    Difficulty finding the attribute changes
2)    Impossible to know the old value of an attribute

To overcome this, Windows Server 2008 added an auditing subcategory called "Directory Service Changes". With this we can easily identify the old and new attribute values.

It is not enabled by default and needs to be activated manually.

1)    Log in to the domain controller as a Domain Admin or Enterprise Admin.
2)    Load a PowerShell console with admin rights.
3)    Type auditpol /set /subcategory:"directory service changes" /success:enable and press Enter.


4)    In order to test the auditing, I already have usera and userb added to the Domain Admins group. I am going to remove usera from the group and check the auditing.
5)    To check the log entries, go to Event Viewer > Windows Logs > Security.
6)    As per the screenshot below, we can see the detailed description, including:

  • What type of change
  • At what time it was triggered
  • Attribute
  • What the new value is
  • Which group it is


As we can see, it gives a great deal of information which can be used in troubleshooting and auditing.
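The steps above can be wrapped into a single elevated PowerShell session that enables the subcategory and then reads the resulting change events back from the Security log instead of browsing them in Event Viewer. This is an added example, not code from the original post; the event IDs (5136 modified, 5137 created, 5139 moved, 5141 deleted) and the OperationType resource IDs are the standard values Windows uses for this subcategory, and the 24-hour window is an assumption.

```powershell
# Added example (not from the original post): enable "Directory Service Changes"
# and read back the resulting events on a domain controller. Run elevated.

# 1. Show the current state of the subcategory before changing it.
auditpol /get /subcategory:"Directory Service Changes"

# 2. Enable success auditing, as in the post. Caveat: if a GPO applies Advanced
#    Audit Policy Configuration (DS Access) to the DCs, it overwrites a local
#    auditpol change at the next policy refresh, so for a persistent setting
#    configure it in the Default Domain Controllers Policy instead.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 3. Pull change events from the last 24 hours (assumed window) and flatten the
#    useful fields. One attribute change produces two 5136 events sharing an
#    OpCorrelationID: "Value Deleted" (old value) and "Value Added" (new value).
$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5139, 5141
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # OperationType is logged as a resource id: %%14674 = Value Added, %%14675 = Value Deleted
    $op = switch ($data['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { $data['OperationType'] }
    }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Who         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object      = $data['ObjectDN']
        Attribute   = $data['AttributeLDAPDisplayName']   # empty for 5137/5139/5141
        Value       = $data['AttributeValue']
        Operation   = $op
        Correlation = $data['OpCorrelationID']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

For the group change tested in the post, removing usera from Domain Admins appears as a 5136 event on the group's DN with Attribute `member`, Value set to usera's distinguished name and Operation "Value Deleted".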

If you have any question about the post feel free to contact me on rebeladm@live.com
