Hi, today it's AD DS auditing time!
Purposes:
Log specific information from the domain that can be interesting for the admins
Prerequisites
Admin permissions
Be familiar with group policy
AD DS role must be installed
Feature required: Group Policy Management (installed)
Enabling the audit policy (Windows interface)
The first thing we must do is modify the Default Domain Policy
1) Execute gpmc.msc
2) Edit the Default Domain Policy
In Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
Select "Audit directory service access", "Define these policy settings", "Success"
To enable the change auditing policy from the command line, run the following command:
auditpol /set /subcategory:"directory service changes" /success:enable
Setting the SACL (system access control list)
First open dsa.msc and find the OU you want to audit (click Properties, and remember to enable the "Advanced Features" option). Go to the Security tab and click "Advanced"
Click on the "Auditing" tab
Select "Write all properties", apply and exit
Check that access on that object has been changed
Testing the audit
We create a user
Delete that user… then open mmc.exe and add the "Event Viewer" console
You can try to move or create more objects and check the event logs
Later you can use this for your own script listing… etc etc etc hehe
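One way to do that script listing, as an added example that is not part of the original post: it reads the directory service change events (IDs 5136 to 5141) produced by the test above from the Security log. It assumes an elevated PowerShell session on a domain controller with the auditing above enabled; the 24-hour window and the output column names are choices made for this example.

```powershell
# Added example: list directory service change events from the last 24 hours.
# Assumption: elevated session on a domain controller, audit policy and SACL set as above.
$actions = @{
    5136 = 'Modified'
    5137 = 'Created'
    5138 = 'Undeleted'
    5139 = 'Moved'
    5141 = 'Deleted'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($actions.Keys)
    StartTime = (Get-Date).AddHours(-24)   # look-back window, adjust as needed
}

# Get-WinEvent raises a non-terminating error when nothing matches; suppress it
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data> elements
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $actions[$_.Id]
            Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Class     = $data['ObjectClass']
            # Move events (5139) carry OldObjectDN/NewObjectDN instead of ObjectDN
            Object    = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['OldObjectDN'] }
            MovedTo   = $data['NewObjectDN']
            # Only modify events (5136) carry the attribute name and value
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

An empty result after creating and deleting the test user usually means the audit subcategory or the SACL on the OU is not in effect yet.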
Enjoy!
Learn and check more at:
https://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx