?
Solved

How to enable the audit log if active directory object (ex. User, group) got deleted or any modification in active directory object in 2003 Domain controller

Posted on 2011-04-20
3
Medium Priority
?
590 Views
Last Modified: 2012-05-11
Hi,
I have a windows 2003 domain controller running, few days backup one domain user account got deleted and I started to find out when and who has deleted the account but did not get any log for this.
As audit log was not enabled duo to which I did not get the log, now I have enabled the Audit  Directory Services Access in Default Domain Controller Policy referring the below link but still I am not able to see the log for domain account deletion, creation or modification
http://support.microsoft.com/kb/814595
Please help me to fix this issue.
0
Comment
Question by:bickysranjan
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 35435949
That is a good KB to follow, so did you setup auditing in both places (object access and the OU) per the KB

Check out this blog that includes screenshots that may help visualize it

http://blogs.dirteam.com/blogs/tomek/archive/2006/09/21/Auditing-directory-changes-aka-_2600_quot_3B00_Who-deleted-this-object_3F002600_quot_3B00_.aspx

Thanks

Mike
0
 
LVL 16

Expert Comment

by:jimbobmcgee
ID: 35436088
Echoing mkline71's answer above; even when you add the Audit Policy to the DC's Group Policy, you still have to add an ACL to the AD objects before it will audit.

Firstly, in the View menu in Active Directory Users & Computers, you will need to enable Advanced Features.  Then you can right-click an OU, choose Properties and then select the Security tab.  From there, click Advanced and then look at the Auditing tab.  You can add an entry here to control auditing for any action on the objects, or changes to the properties on the object.

For thoroughness, you may want to add this audit ACL to the domain object itself, and add Full Control/Success and Full Control/Failure audit rules for the Everyone group.  This might lead to a lot of useless data though.

J.
0
 

Author Closing Comment

by:bickysranjan
ID: 35436640
Thanks mkline71
Now i am able to see the log
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question