By default, no
You would need to configure success / failure auditing on your domain
controllers for directory service object access (success auditing is enabled
by default)
Then, you would need to configure a SACL on the objects you want to monitor,
none are configured by default because the audit logs will fill up quickly
To configure a SACL in AD Users and Computers --> View --> Advanced Features
Right click the object you want to monitor and go to properties. Click the
security tab and then Advanced. Click the auditing tab. You will now be
looking at the SACL of the object, configure who you want to monitor and what
you want logged to the security log when the read attributes.
Be very cautious doing this on many users as the audit logs will grow
extremely quickly.
Brian Delaney
