PrepAway - Latest Free Exam Questions & Answers

You need to log changes made to the Description attribute on all group objects in OU1 only

Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
Auditing is configured to log changes made to the Managed By attribute on group objects in an
organizational unit named OU1.
You need to log changes made to the Description attribute on all group objects in OU1 only.
What should you do?


A.
Run auditpol.exe.

B.
Modify the auditing entry for OU1.

C.
Modify the auditing entry for the domain.

D.
Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO
to OU1.

Explanation:
http://ithompson.wordpress.com/tag/organizational-unit-move/
Do you need to track who/where/when for activities done against the OU’s in your AD?
With Windows 2003 those were difficult questions to answer, we could get some very basic information from
Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566). With
the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this
same thing with Windows 2008 but it has to be done via command line and applied every time servers restart).
I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains
(if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because
we can now apply the advanced auditing settings via Group Policy.
Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit
Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular
level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our
Domain Controllers, the other systems in your environment will be a different discussion.
So where do we start so that we can answer our question at the top of this discussion?
First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1.
**Take note of the green highlight.

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit
Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very
useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not
only tell you what object and property was changed and by whom but also the new value of the affected
properties.

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.
This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill
down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Now we need to add more granularity so we need to do this process 1 more time and this time instead of
checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Now that our auditing is setup what type of events can we expect to see?
Here are a few examples:
In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Figure 6 shows a Sub OU being created.

Figure 7 shows id 5139, an OU being moved.

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.
Figure 8 shows the first part of the rename process.

Figure 9 shows the second part of the rename process.

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an
OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id
4662 that you would get for the same thing with standard auditing, fig 10.

With standard auditing some of the other items that we looked at would be next to impossible with auditing,
such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you
did get an event.
Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.
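
The explanation notes that id 5136 arrives as a pair of messages; the same pairing applies when an attribute such as Description is changed on a group. The following is an added example, not code from the quoted post or this page: it filters 5136 records to one attribute on one object class under one OU and joins the value-deleted and value-added halves of each edit. The DN `OU=OU1,DC=example,DC=com`, the function names and the sample records are assumptions constructed for illustration.

```powershell
# Added example. Sample records are constructed (made-up values); field names
# are those of Security-log event 5136. OU1's DN below is an assumption.
function New-Sample5136 ($Corr, $Dn, $Class, $Attr, $Value, $Op) {
    "<Event><System><EventID>5136</EventID></System><EventData>" +
    "<Data Name='OpCorrelationID'>$Corr</Data>" +
    "<Data Name='SubjectUserName'>Administrator</Data>" +
    "<Data Name='ObjectDN'>$Dn</Data><Data Name='ObjectClass'>$Class</Data>" +
    "<Data Name='AttributeLDAPDisplayName'>$Attr</Data>" +
    "<Data Name='AttributeValue'>$Value</Data>" +
    "<Data Name='OperationType'>$Op</Data></EventData></Event>"
}

$ou1 = 'OU=OU1,DC=example,DC=com'
$sample = [xml]('<Events>' + (@(
    (New-Sample5136 '{A}' "CN=Helpdesk,$ou1" 'group' 'description' 'Old text' '%%14675'),
    (New-Sample5136 '{A}' "CN=Helpdesk,$ou1" 'group' 'description' 'New text' '%%14674'),
    (New-Sample5136 '{B}' 'CN=Sales,OU=OU2,DC=example,DC=com' 'group' 'description' 'Other OU' '%%14674'),
    (New-Sample5136 '{C}' "CN=Helpdesk,$ou1" 'group' 'managedBy' 'CN=Bob,DC=example,DC=com' '%%14674')
) -join '') + '</Events>')

function Get-AttributeChange {
    param([xml]$Xml, [string]$OuDn, [string]$Class = 'group', [string]$Attribute = 'description')
    $hits = foreach ($e in $Xml.Events.Event) {
        if ($e.System.EventID -ne '5136') { continue }
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Keep only objects below the OU, of the wanted class, for the wanted attribute.
        $inOu = $d.ObjectDN.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)
        if ($inOu -and $d.ObjectClass -eq $Class -and $d.AttributeLDAPDisplayName -eq $Attribute) {
            [pscustomobject]$d
        }
    }
    if (-not $hits) { return }
    # %%14675 = value deleted (old), %%14674 = value added (new).
    # Both halves of one edit share the same OpCorrelationID.
    $hits | Group-Object OpCorrelationID | ForEach-Object {
        $old = $_.Group | Where-Object { $_.OperationType -eq '%%14675' } | Select-Object -First 1
        $new = $_.Group | Where-Object { $_.OperationType -eq '%%14674' } | Select-Object -First 1
        [pscustomobject]@{
            Who      = $_.Group[0].SubjectUserName; Object   = $_.Group[0].ObjectDN
            OldValue = $old.AttributeValue;         NewValue = $new.AttributeValue
        }
    }
}

Get-AttributeChange -Xml $sample -OuDn $ou1 | Format-List
```

Only the Helpdesk description edit is reported; the record from OU2 and the managedBy change are filtered out. On a domain controller, the same function can take `Get-WinEvent` Security-log records converted with `ToXml()` and wrapped in an `<Events>` root.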

