We wish to implement auditing of our AD DS in order to track changes in specific AD OUs and who made them. We are using a third-party tool to crunch through all the events and make them a little easier to deal with. We have Windows Server 2008 domain controllers, and are following this document as a guide:
In following the steps in the section titled "Step 2: Set up auditing in object SACLs", we found that at the domain level, auditing was already configured as follows:
Inherited from: <not inherited>
Apply to: This object and all descendant objects
As you can imagine, that produces a significant number of events. So many that it is hard to sift through them even with the help of additional tools. I want to know what is the default SACL configuration for auditing? Did someone set this up or is this what should be there from the get-go? Would we somehow need to propagate the removal of this entry down through the AD DS hierarchy? My instinct is to remove this entry, and set up similar entries on the OUs we wish to concern ourselves with.
Thanks for any info.