Reporting On OU changes

Posted on 2005-04-22
Last Modified: 2013-12-04

I would like to find out if there is some kind of tool, be it in AD or external to generate reports that would tell me who moved
machines in and out of specific OU's so that i can keep track of why machines are being moved around in these OU's for security purposes.


Question by:RMBTechnology
    1 Comment
    LVL 3

    Accepted Solution

    This will create an entry in the security log of the DC and allow you to see who has edited/moved the object. However as you'll see below it is a generic error you will receive.

    The auditing is to be enabled on a DC and the security setup on the OU, below are instructions and defaults.


    Audit directory service accessDescription
    This security setting determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.

    By default, this value is set to no auditing in the Default Domain Controller Group Policy object (GPO), and it remains undefined for workstations and servers where it has no meaning.

    If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

    Note that you can set a SACL on an Active Directory object by using the Security tab in that object's Properties dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.


    Success on domain controllers.
    Undefined for a member computer.
    Configuring this security setting
    You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\

    For specific instructions about how to configure auditing policy settings, see To define or modify auditing policy settings for an event category.

    There is only one directory service access event, which is identical to the Object Access security event message 566.

    Directory service access events
    566 A generic object operation took place.


    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Join & Write a Comment

    As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
    The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now