Your network consists of a single Active Directory domain.
All domain controllersrun Windows Server 2008 R2.
The Audit account management policysetting and Audit directory services accesssetting are enabled for
the entire domain.
You need to ensure that changes made to Active Directory objects can be logged.
The logged changes must include the old and new values of any attributes.
What should you do?
A.
Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
B.
From the Default Domain Controllers policy, enable the Audit directory service access setting and enable
directory service changes.
C.
Enable the Audit account management policy in theDefault Domain Controller Policy.
D.
Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.
Explanation:
Answer.Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx
AD DS Auditing Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new
valueswhen changes are made to objects and their attributes.
..
The ability to audit changes to objects in AD DS isenabled with the new audit policy subcategory Directory
Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving,
or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current
values of the attribute. If the attribute has more than one value, only the values that change as a result of
the modify operation are logged.
If a new object is created, values of the attributes that are populated at the time of creation are logged. If the
user adds attributes during the create operation, those new attribute values are logged. In most cases, AD
DS assigns default values to attributes (such as samAccountName). The values of such system attributes
are not logged.
If an object is moved, the previous and new location (distinguished name) is logged for moves within the
domain. When an object is moved to a different domain, a create event is generated on the domain
controller in the target domain.
If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds,
modifies, or deletes attributes while performing anundelete operation, the values of those attributesare
logged.
..
In Windows Server 2008, you implement the new auditing feature by using the following controls:
Global audit policy
System access control list (SACL)
Schema
Global audit policy
Enablingthe global audit policy, Audit directory service access, enables all directory service policy
subcategories. You can set this global audit policyin the Default Domain Controllers Group Policy (under
Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by
default. Although the subcategory Directory ServiceAccess is enabled for success events by default, the other
subcategories are not enabled by default.
You can use the command-line tool Auditpol.exe to view or set auditpolicy subcategories. There is no
Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.
Further information:
http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
Auditpol
Displays information about and performs functions to manipulate audit policies.
http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/
AD Scenario – Auditing Directory Services
Auditing of Directory Services depends on several controls, these are:
1. Global Audit Policy (at category level using gpmc.msctool)
2. Individual Audit Policy (at subcategory levelusing auditpol.exetool)
3. System ACLs – to specify which operations areto be audited for a security principal.
4. Schema (optional) – this is an additional control in the schema that you can use to create exceptions to
what is audited.
In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new
audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD
DS objects and their attributes. This can be done using auditpol.exe tool.
Command to check which audit policies are active onyour machine:
auditpol /get /category:*
Command to view the audit policy categories and Subcategories:
How to enable the global audit policy using the Windows interface i.e. gpmc tool
Click Start, point to Administrative Tools, and then Group Policy Managementor run gpmc.msc
command
In the console tree, double-click the name of the forest, double-click Domains, double-click the name of
your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then
click Edit.
Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click
Security Settings, double-click Local Policies, and then click Audit Policy.
In the details pane, right-click Audit directory service access, and then click Properties.
Select the Define these policy settingscheck box.
Under Audit these attempts, select the Success, check box, and then click OK.
How to enable the change auditing policy using a command line
Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTER:
auditpol /set /subcategory:”directory service changes” /success:enable
To verify if the auditing is enabled or not for “Directory Service Changes”, you can run below command:
auditpol /get /category:”DS Access”
How to set up auditing in object SACLs
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click
Properties.
Click the Securitytab, click Advanced, and then click the Auditingtab.
Click Add, and under Enter the object name to select, type Authenticated Users (or any other security
principal) and then click OK.
In Apply onto, click Descendant User objects(or any other objects).
Under Access, select the Successfulcheck box for Write all properties.
Click OKuntil you exit the property sheet for the OU or other object.
To Test whether auditing is working or not, try creating or modifying objects in Finance OU and check the
Security event logs.
I just created a new user account in Finance OU named f4.
If you check the security event logs you will find eventid 5137 (Create)
Note:
Once the auditing is enabled these eventids will appear in security event logs: 5136 (Modify), 5137 (Create),
5138 (Undelete), 5139 (Move).
