auditing active directory not working properly directory service access
ThijsD
We have a large group of IT personnel that have full control on some
OU's in our Active Directory.
Recently someone changed the AD permissions on one of those OU's. In the
future we need to be able to track who has changed the permissions.
We have one domain and our domain controllers are running Windows Server
2003 SP1.
After enabling auditing for permission changes on the root of the
domain, my securitylog fills up with all sorts of DSA events, e.g. AD &
DNS replication, GAL lookups, ... Instead of only the events related to
permission changes.
This is what I did:
I've enabled in the Default Domain Controllers-policy, the "Directory
Services Access" policy to true. Then I did a gpupdate /force to reapply
the policy.
My securitylog immediately start to fill up with DSA events... (100
events/minute)
When I take a look in -> properties of root domain -> security ->
auditing, I see the following:
All, Everyone, Special, This object & all other objects.
When looking further at the 'special' auditing permission, I see lotsa
different checkboxes ticked, so it makes sense that the securitylog is
filling up with those events checked.
Now the weird thing is that when I remove the default auditing entry
(which logs almost everything) and add a new one that only logs
"changing permissions", the securitylog still keeps filling up with the
same events. Normally it should only log "permission changes" events
now, no?
How can I configure the auditing so it only logs events related to
permission changes on AD objects, more specific OU's? What am I doing wrong?
Thanks in advance!
Best regards,
ThijsD
Steven L Umbach
to see if any auditing is configured there also which you would also want to
remove. Another possibility is that your changes of what to audit has not
replicated to all domain controllers yet. You would want to configure
auditing only on the pertinent OUs and not on the domain container [unless
they have access there also] and audit only the specific group of users you
want to track. Do not audit for everyone, users, domain users, authenticated
users, etc for what you are trying to accomplish. Authenticates users and
everyone would also include all computers in the domain. When you enable
auditing of object access or directory services you will also see what seems
to be unrelated events recorded. You will also find that the free Event Comb
from MS will help scan the security logs for events and text strings you are
searching for. The command line tools dsacls may also be helpful in looking
for what is being audited per container if you use the /A switch as in "
dsacls OU=ouname,dc=mydomain,dc=com /A " . Look at the line for audit list:
which should be the second or third line down in the report. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb info.
"ThijsD" <Thi...@somewhere.net> wrote in message
news:GBb6f.28804$UK5.1...@phobos.telenet-ops.be...
ThijsD
Thank you for your answer.
I'll try this on monday and let you know how it went.
Best regards,
ThijsD
ThijsD
I did what you suggested, but I still have the same problem :(
I verified that all containers have no auditing entries set. (I double
checked) Then I've set just one audit entry on the specific OU and
specified a specific group. It didn't help though, my securitylog keeps
filling up at a speed of 3/4 events each second.
I've then deleted the audit entry to see if the securitylog keeps
filling up and yap, that was the case.
So when I just enable audit "Directory Service Access" in default DC
policy, without any audit entries set, it keeps filling up?!? How is
this possible??
What do you mean with enable auditing of "object access or directory
services"? I thought object access is only related to auditing of local
files/regkeys, not AD or am I wrong? With directory services you mean
directory service access I presume?
Thanks again for your help!
Best regards,
ThijsD