Event Log Managment

Logs .. Logs and More Logs

Do you need to track who/where/when for activities done against the OU’s in your AD?

With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566).  With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart).

I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information).  So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies.  The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level.  Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion.

So where do we start so that we can answer our question at the top of this discussion?

First, turn on the correct auditing.  Open up Group Policy Management Editor and drill down as seen in Fig 1.  **Take note of the green highlight.

GPO to Track OU changesFig 1

For this discussion we are focusing on DS Access and its subcategories.  We only want to turn on Audit Directory Service Changes, see Fig 2.  This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

GPO part 2Fig 2

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.  This next step is done via Active Directory Users and Computers.  Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Fig 3

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Fig 4

Now that our auditing is setup what type of events can we expect to see?

Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Fig 5

Figure 6 shows a Sub OU being created.

Fig 6

Figure 7 shows id 5139, an OU being moved.

Fig 7

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.

Figure 8 shows the first part of the rename process.

Fig 8

Figure 9 shows the second part of the rename process.

Fig 9

Now let’s contrast all of this with an event that is part of the good old standard auditing.   Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand.  Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

Fig 10

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event.

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.


August 16, 2012 Posted by | Audit Policy, Audting, Directory Services, Event Log, Windows 2008 | , , , , , , , , , | Leave a comment

Directory Services Auditing

I’ve been asked by a customer to take a look at their level of Directory Services Auditing.  I’m not able to share their screen shots but can scrub an email that I sent to them and post it here.

When it comes to Directory Services Auditing I always tell people less is more, if you already understand what the other audit policies give you then you can get 85% to 90% of what you need from those.  There are somethings that you will have to get via Directory Services Auditing there’s just no getting around it.  But just as with the case of Object Access be very carefull what you turn on or you will flood yourself with junk noise events.  The major pain is that all events generated by Directory Services use the same event id no matter what action you are doing and are very cryptic.

Here is the email:

” As we talked about on the phone today there is a lot of auditing turned on where Microsoft hasn’t given very much information about what it generates and even some that are currently not used.  Example: Intellimirror-Group is used by remote boot legacy for managing groups of server machines and is currently not used.   Based on the screen shot you sent me I can see that the objects are currently being monitored which are generating a lot of noise events for you.  You might be better suited to audit the properties instead of the objects.  Example, if you want to know when a user has been given access to someone else’s inbox you need to monitor for changes to the property: msExchMailboxSecurityDescriptor; or if you want to know who made a GPO change then you need to monitor for changes to the properties: gpLink and gPOptions.  Most of the information that you can find via MSDN in regards to these audit objects is related to developers and not what the audit trail will give you.  Keep in mind that Microsoft considers the Directory Services auditing a low level audit, so the events that are generated are pretty cryptic in nature and all use the same event id. 

 There are a few of the objects that you would want to monitor to help get a more full picture of what is happening such as: Computer, User, OU, Shares, Group objects.  Monitoring these will give you things such as what OU a user was created in, where the Account Mgmt auditing does not give you this.  Also Account Mgmt auditing does not give you OU auditing (as again Microsoft considers this to be a low level object).

 In most companies it’s easy to turn on Auditing but very difficult to get it turned off and this is where Admins get themselves and others into a painful spot.  How to prove what is not needed when Microsoft doesn’t document what the auditing does or doesn’t do.

 Other examples:

msSFU30MailAliases – represents UNIX mail file data

nisMap – contains the generic abstraction of an NIS map

oncRpc – represents an abstraction of the Open Network Computing (ONC) Remote Procedure Call (RPC) binding

msRTCSIP-EdgeProxy – this attribute is reserved for future use

msRTCSIP-TrustedWebComponentsServerData – this attribute is reserved for future use”

Here are a few of the links where I pulled this data from:




November 23, 2009 Posted by | Directory Services, Log Management | , | Leave a comment