How can I run an audit on Active directory admin users to see what they have changed.

Why are you giving users Domain Admins access just to perform simple tasks such as Reset Passwords, Unlock User Accounts etc.? This completely defies the rule of 'only give just as many permissions as required' - having users as complete Domain Admins when it isn't required is just a major security risk.

I suggest you remove these Domain Admin privileges from users, and add all the users who need the elevated privileges to a Security group. You can then Delegate Control over particular OUs to that security group - so you can delegate the rights to reset a password without the need for users to be a major security risk to your company network. See http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html.

And as for auditing what has already been done, you can use the approach KCTS has posted, but remember you CANNOT enable this and expect to see audit logs from before it was enabled. You can only see the audited logs from the moment of enabling this feature.

-tigermatt

Hi guys thanks for you replys I have turned this on and there already seems to be loads of security logs flying around in event viewer especialy logon logoff etc. I can now see if an admin goes in and resets a password but doesn't seem to show anything if they goint a user and give themselves access to there mailbox. Also is this the only way of logging as it seems that you have to keep an eye on it all the time is there no way it can just email you when a certain event occurs?

Thanks

Ok guys thanks for your help!