How to enable the audit log for when an Active Directory object (e.g. user, group) is deleted or modified on a 2003 domain controller

Posted on 2011-04-20
Last Modified: 2012-05-11
I have a Windows 2003 domain controller running. A few days back one domain user account got deleted, and I started to find out when and who deleted the account, but did not get any log for this.
I did not get the log because audit logging was not enabled. I have now enabled Audit Directory Services Access in the Default Domain Controller Policy, referring to the link below, but I am still not able to see the log for domain account deletion, creation or modification.
Please help me to fix this issue.
Question by: bickysranjan
    LVL 57

    Accepted Solution

    That is a good KB to follow, so did you set up auditing in both places (object access and the OU) per the KB?

    Check out this blog that includes screenshots that may help visualize it


    LVL 16

    Expert Comment

    Echoing mkline71's answer above; even when you add the Audit Policy to the DC's Group Policy, you still have to add an ACL to the AD objects before it will audit.

    Firstly, in the View menu in Active Directory Users & Computers, you will need to enable Advanced Features.  Then you can right-click an OU, choose Properties and then select the Security tab.  From there, click Advanced and then look at the Auditing tab.  You can add an entry here to control auditing for any action on the objects, or changes to the properties on the object.

    For thoroughness, you may want to add this audit ACL to the domain object itself, and add Full Control/Success and Full Control/Failure audit rules for the Everyone group.  This might lead to a lot of useless data though.
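
The second step from the two answers above (adding the audit ACL to the OU) can also be scripted. The following PowerShell is an added example, not code from the thread or from the KB it refers to. It assumes a placeholder OU name, an account that holds the "Manage auditing and security log" right on the domain controller, and a narrower rule than Full Control (success audits for create, delete and property writes by Everyone).

```powershell
# Added example. $ouDn is a constructed placeholder; replace it with your own OU.
$ouDn = 'OU=Staff,DC=example,DC=com'

Add-Type -AssemblyName System.DirectoryServices

# Bind to the OU and ask only for the SACL (the audit part of the
# security descriptor); it is not read or written unless requested.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
$entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

# Well-known SID for the Everyone group (S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Assumption: audit object creation, deletion and attribute changes only,
# which matches the question and avoids the noise of Full Control auditing.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild,Delete,DeleteTree,WriteProperty'
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and everything below it

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights, $flags, $inherit)

$entry.psbase.ObjectSecurity.AddAuditRule($rule)
$entry.psbase.CommitChanges()

# Verify with a fresh bind: list the audit entries now present on the OU.
# Identities are shown as SIDs so unresolvable accounts do not raise errors.
$check = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
$check.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
$check.psbase.ObjectSecurity.GetAuditRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The rule only produces events once Audit Directory Service Access is also enabled in the policy applied to the domain controllers. On Windows Server 2003 the resulting events are written to the Security log with event ID 566.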


    Author Closing Comment

    Thanks mkline71
    Now I am able to see the log.
