We help IT Professionals succeed at work.

What is the default auditing SACL in AD DS?

We wish to implement auditing of our AD DS in order to track changes in specific AD OUs and who made them.  We are using a third party tool to crunch through all the events and make them a little easier to deal with.  We have Windows Server 2008 domain controllers, and are following this document as a guide:

http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx

In following the steps in the section titled section "Step 2: Set up auditing in object SACLs", we found that at the domain level, auditing was already configured as follows:

Type: All
Name: Everyone
Access: Special
Inherited from: <not inherited>
Apply to: This object and all descendant objects

As you can imagine, that produces a significant number of events.  So many that it is hard to sift through them even with the help of additional tools.  I want to know what is the default SACL configuration for auditing?  Did someone set this up or is this what should be there from the get-go?  Would we somehow need to propogate the removal of this entry down through the AD DS hierarchy?  My instinct is to remove this entry, and set up similar entries on the OUs we wish to concern ourselves with.

Thanks for any info.
Comment
Watch Question

LAN/WAN Systems Administrator
BRONZE EXPERT
Commented:
ZenVenkyArchitect
Commented:
grv

Author

Commented:
Both useful reads.  Thanks for those.  mcsween, it looks like the audit policy I describe on our Domain Directory Partition is not a default configuration.

 Audit policy screen shot
Essentially, any modification anyone makes to any object is audited, which is not something listed in your document.

Looking at the output of an "auditpol /get /category:*", I see that DS Access has the subcategory Directory Service Changes audited for Success.  Do you think that this would have caused the audit config I am seeing to be applied?

If I want to selectively audit certain OUs, would I leave the subcategory Directory Service Changes set as is (enabled for success), remove the audit config at the domain level (or possibly confine the scope to the domain object), and then recreate it at the OU level for those OUs I am concerned with?

Also, as I asked before, if this is the right way to get what I want, when I remove the config at the domain level, will it propogate automatically or will I need to do something specifically to remove the settings from sub objects so that I can apply them more selectively?

Thanks again.
grv

Author

Commented:
Actually, it looks like this is the only audit policy applied at any level in ADUC.  All the default ones from your document are not listed at those levels when I check.  Removing or changing the audit config at the domain level may be bad, given that fact.  I sort of need to get back to sqare one and then turn a few things on beyond that, selectively.
Bradley FoxLAN/WAN Systems Administrator
BRONZE EXPERT

Commented:
I'm not sure there is an easy way to get back to the default settings...