Delegating an OU for auditing

Posted on 2009-02-23
Last Modified: 2012-05-06

I am administering an Ou within an Active Directory domain. I have been asked to audit user logons, password changes etc under my OU. At present I cannot view the Security Log in the Event Viewer of the Domain Controller (we have a DC at our branch office as well).
What do I need to ask my Head Office to delegate to me so that I can view it and also what would I need so I can manage the audit policies of objects under my managed OU?

Question by:shcedtech
    LVL 18

    Accepted Solution

    To have access to the security log in teh event viewer of DCs, it has nothing to do with what administering an OU. What you need to do is ask your Domain admins to configure the Default Domain Controllers Policy to allow you to Manage auditing and security log. Or your Domain Admins can create a group and make you a member of this group then assign this group right to manage auditing and security log. By default only Builtin\Administrators have this right. Here's the step of the Domain Controller Policy:Computer Configuration>Windows Settings>Local Policies>User Rights Assignment>Manage auditing and security log.

    Now, if this same setting is configure in a separate GPO and linked to the OU where your computers is placed in, then you also have access to those computers' security event log but not much use as all the logon and password changeds events are from the Security event log of your DCs.

    Author Comment

    Thanks, Americom
    Looks like I will need to have access to the Security log of the DCs. And then ask for GPO rights to my managed OUs

    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now