Enabling auditing of account management will log the creation of and changes to
users and groups. I pasted a description from the help file for more info.
You can audit Directory Service access to audit OUs. I've pasted info
below about each audit setting.
Audit account management
Description
This security setting determines whether to audit each event of account
management on a computer. Examples of account management events include:
a. A user account or group is created, changed, or deleted.
b. A user account is renamed, disabled, or enabled.
c. A password is set or changed.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when any account management event succeeds.
Failure audits generate an audit entry when any account management event
fails. To set this value to No auditing, in the Properties dialog box for
this policy setting, select the Define these policy settings check box and
clear the Success and Failure check boxes.
Default:
a. Success on domain controllers.
b. No auditing on member servers.
Configuring this security setting
You can configure this security setting by opening the appropriate policy
and expanding the console tree as such: Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy\
For specific instructions about how to configure auditing policy settings,
see To define or modify auditing policy settings for an event category.
Account Management Events
624 A user account was created.
627 A user password was changed.
628 A user password was set.
630 A user account was deleted.
631 A global group was created.
632 A member was added to a global group.
633 A member was removed from a global group.
634 A global group was deleted.
635 A new local group was created.
636 A member was added to a local group.
637 A member was removed from a local group.
638 A local group was deleted.
639 A local group account was changed.
641 A global group account was changed.
642 A user account was changed.
643 A domain policy was modified.
644 A user account was auto locked.
645 A computer account was created.
646 A computer account was changed.
647 A computer account was deleted.
648 A local security group with security disabled was created.
Note: SECURITY_DISABLED in the formal name means that this group
cannot be used to grant permissions in access checks.
649 A local security group with security disabled was changed.
650 A member was added to a security-disabled local security group.
651 A member was removed from a security-disabled local security
group.
652 A security-disabled local group was deleted.
653 A security-disabled global group was created.
654 A security-disabled global group was changed.
655 A member was added to a security-disabled global group.
656 A member was removed from a security-disabled global group.
657 A security-disabled global group was deleted.
658 A security-enabled universal group was created.
659 A security-enabled universal group was changed.
660 A member was added to a security-enabled universal group.
661 A member was removed from a security-enabled universal group.
662 A security-enabled universal group was deleted.
663 A security-disabled universal group was created.
664 A security-disabled universal group was changed.
665 A member was added to a security-disabled universal group.
666 A member was removed from a security-disabled universal group.
667 A security-disabled universal group was deleted.
668 A group type was changed.
684 Set the security descriptor of members of administrative groups.
Note: Every 60 minutes on a domain controller a background thread
searches all members of administrative groups (such as domain, enterprise,
and schema administrators) and applies a fixed security descriptor on them.
This event is logged.
685 Name of an account was changed.
For more information about security events, see Security Events
(http://www.microsoft.com/) on the Microsoft Windows Resource Kits Web
site.
For more information, see:
a. Auditing policy
b. Best practices for auditing
c. Security Configuration Manager Tools
Audit directory service access
Description
This security setting determines whether to audit the event of a user
accessing an Active Directory object that has its own system access control
list (SACL) specified.
By default, this value is set to no auditing in the Default Domain
Controller Group Policy object (GPO), and it remains undefined for
workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an Active
Directory object that has a SACL specified. Failure audits generate an audit
entry when a user unsuccessfully attempts to access an Active Directory
object that has a SACL specified. To set this value to No auditing, in the
Properties dialog box for this policy setting, select the Define these
policy settings check box and clear the Success and Failure check boxes.
Note that you can set a SACL on an Active Directory object by using the
Security tab in that object's Properties dialog box. This is the same as
Audit object access, except that it applies only to Active Directory objects
and not to file system and registry objects.
Default:
a. Success on domain controllers.
b. Undefined for a member computer.
Configuring this security setting
You can configure this security setting by opening the appropriate policy
and expanding the console tree as such: Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy\
For specific instructions about how to configure auditing policy settings,
see To define or modify auditing policy settings for an event category.
There is only one directory service access event, which is identical to the
Object Access security event message 566.
Directory service access events
566 A generic object operation took place.
For more information about security events, see Security Events
(http://www.microsoft.com/) on the Microsoft Windows Resource Kits Web
site.
For more information, see:
a. Auditing policy
b. Best practices for auditing
c. Security Configuration Manager Tools
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
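
The following is an added example, not part of the original post or the help file: a Python sketch that replays the group-membership event IDs listed above to separate additions still in effect from additions that were reversed within the same log. The comma-separated record layout (time, event ID, caller, member, group) and all sample records are constructed for illustration.

```python
import csv
from datetime import datetime

# Event ID -> (group scope, security-enabled?, action), from the list in the post.
# Assumption: 632/633 and 636/637 carry no qualifier in the post and are treated
# as security-enabled, since the security-disabled variants have their own IDs.
MEMBERSHIP_EVENTS = {
    632: ("global", True, "add"),     633: ("global", True, "remove"),
    636: ("local", True, "add"),      637: ("local", True, "remove"),
    650: ("local", False, "add"),     651: ("local", False, "remove"),
    655: ("global", False, "add"),    656: ("global", False, "remove"),
    660: ("universal", True, "add"),  661: ("universal", True, "remove"),
    665: ("universal", False, "add"), 666: ("universal", False, "remove"),
}

# Constructed sample records: time, event ID, caller, member, group
SAMPLE_LOG = """\
2004-03-01T09:15:00,624,CORP\\helpdesk1,CORP\\tmpuser,
2004-03-01T09:16:10,632,CORP\\helpdesk1,CORP\\tmpuser,Domain Admins
2004-03-01T09:40:00,684,SYSTEM,,
2004-03-01T10:02:30,633,CORP\\helpdesk1,CORP\\tmpuser,Domain Admins
2004-03-01T11:00:00,655,CORP\\admin2,CORP\\jdoe,Sales DL
2004-03-01T11:30:00,660,CORP\\admin2,CORP\\svc_backup,Enterprise Ops
"""

def review_membership(log_text, include_security_disabled=False):
    """Replay add/remove events; return (standing, transient) additions."""
    open_adds, transient = {}, []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, event_id, caller, member, group = row
        decoded = MEMBERSHIP_EVENTS.get(int(event_id))
        if decoded is None:
            continue  # not a membership event (e.g. 624, 684)
        scope, sec_enabled, action = decoded
        if not sec_enabled and not include_security_disabled:
            continue  # these groups cannot grant permissions in access checks
        key = (scope, group, member)
        when = datetime.fromisoformat(ts)
        if action == "add":
            open_adds[key] = (when, caller)
        elif key in open_adds:
            added_at, added_by = open_adds.pop(key)
            transient.append((group, member, added_by, when - added_at))
    standing = [(g, m, by) for (_, g, m), (_, by) in open_adds.items()]
    return standing, transient
```

Transient entries (a member added and then removed within the log) are worth reviewing alongside standing ones, because the resulting group membership no longer shows them.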