Reviewing Audit Settings on Important Active Directory Objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Setting the audit policy on domain controllers is only part of the task of auditing domain controllers for maximum security. The audit policy determines which categories of events are logged; the system access control list (SACL) on each directory object determines which accesses to that object generate an event. In Windows Server 2003, auditing is therefore also enabled by default on important Active Directory objects.

The audit settings that are described in this section are not enabled by default in Active Directory in Windows 2000. If you upgrade from Windows 2000, the audit settings that exist at the time of the upgrade are retained and the Windows Server 2003 default audit settings are not applied. By adding the audit settings that are described in this section, you can bring an upgraded Windows Server 2003 Active Directory configuration into alignment with the default audit settings. If you install a new Windows Server 2003 domain, no additional audit settings are required.

Audit settings for an Active Directory object are stored as access control entries (ACEs) in the SACL of the object's security descriptor; like permission ACEs, each entry names a trustee, a set of rights, and the objects (this object, child objects, or child objects of one class) to which it applies. To provide auditing of access to the most important Active Directory objects, auditing is enabled by default on the topmost object of each directory partition. Directory partitions are logical divisions of the Active Directory database. In Windows Server 2003, auditing is enabled by default on the following Active Directory objects:

  • The schema directory partition. Use ADSI Edit to set auditing on schema directory partition objects. ADSI Edit is a Windows Support Tool that is available as a Microsoft Management Console (MMC) snap-in when you have Windows Support Tools installed. For information about installing and using Windows Support Tools, click Tools in Help and Support Center, and then click Windows Support Tools.

  • The configuration directory partition, including specific settings on the Sites and Services containers and on certain child objects. Use ADSI Edit to set auditing on configuration directory partition objects.

  • Each domain directory partition, including specific settings on the Domain Controllers OU, Infrastructure object, System container, and certain child objects in the System container. Use Active Directory Users and Computers to set auditing on domain directory partition objects.

For information about how to enable audit settings, see “Enabling Auditing on Important Active Directory Objects” in Appendix: Procedures later in this guide.

Default audit settings for each directory partition are described in the following sections.
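The following PowerShell script is an added example, not part of this guide or of the Windows Support Tools, that lists the explicit audit entries on every object covered by Tables 23 through 34 so they can be compared with the defaults. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT) and the AD: drive it provides, and that the caller holds the "Manage auditing and security log" privilege, which is required to read a SACL; members of Domain Admins hold it on domain controllers by default. The function names are this example's own.

```powershell
# Added example (not from the original guide): dump explicit SACL audit entries on the
# objects in Tables 23-34. Requires the Active Directory module and the AD: drive, and the
# "Manage auditing and security log" privilege (SeSecurityPrivilege) to read SACLs.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# Audit ACEs identify attributes and extended rights by GUID. Build a GUID -> name map
# from the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid) so the
# output shows names such as dSHeuristics or Change Schema Master instead of GUIDs.
$guidNames = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

# Objects from Tables 23-34. Domain-level entries use the current domain; repeat for each
# domain in a multi-domain forest.
$targets = @(
    $schemaNC,
    $configNC,
    "CN=Sites,$configNC",
    "CN=Partitions,$configNC",
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNC",
    "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC",
    $domainNC,
    "OU=Domain Controllers,$domainNC",
    "CN=Infrastructure,$domainNC",
    "CN=Policies,CN=System,$domainNC",
    "CN=AdminSDHolder,CN=System,$domainNC",
    ('CN=RID Manager$,CN=System,' + $domainNC)
)

function Resolve-GuidName {
    param([guid]$Guid)
    # An all-zero GUID means the entry is not limited to one property, right, or class.
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidNames.ContainsKey($Guid)) { return $guidNames[$Guid] }
    return $Guid.ToString()
}

function Get-ADAuditEntries {
    param([string]$DistinguishedName)
    try {
        $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read SACL of $DistinguishedName : $_"
        return
    }
    # $true/$false = explicit entries only; entries inherited from a parent are omitted,
    # which matches what the tables in this section describe.
    foreach ($rule in $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])) {
        New-Object PSObject -Property @{
            Object    = $DistinguishedName
            Type      = $rule.AuditFlags                              # Success, Failure, or both
            Name      = $rule.IdentityReference
            Access    = $rule.ActiveDirectoryRights
            Property  = Resolve-GuidName $rule.ObjectType             # attribute, extended right, or (all)
            ApplyTo   = $rule.InheritanceType                         # None = "This object only"
            LimitedTo = Resolve-GuidName $rule.InheritedObjectType    # object class, e.g. site, or (all)
        }
    }
}

$targets | ForEach-Object { Get-ADAuditEntries $_ } |
    Format-Table Object, Type, Name, Access, Property, ApplyTo, LimitedTo -AutoSize
```

In the output, an ApplyTo of None corresponds to "This object only" in the tables, All to "This object and all child objects", and Descendents together with a LimitedTo class (for example site) to an entry such as "Site objects". Remember that these entries only produce events when the Audit directory service access policy is enabled for the domain controllers.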

Reviewing Default Audit Settings on the Schema Directory Partition

The schema-related directory operations that are audited by the default settings in Table 23 include any additions, deletions, or modifications to objects in the Schema container in the schema directory partition, as well as the transfer of the Schema operations master role.

Table 23  Auditing for CN=Schema,CN=Configuration,DC=ForestRootDomain

Type    | Name           | Access                                                                                                      | Apply To
Success | Everyone       | Modify Permissions, Modify Owner, Create All Child Objects, Delete, Delete All Child Objects, Delete Subtree | This object only
Success | Everyone       | Write All Properties                                                                                        | This object and all child objects
Success | Everyone       | Change Schema Master                                                                                        | This object only
Success | Everyone       | Reanimate Tombstones                                                                                        | This object only
Success | Administrators | All Extended Rights                                                                                         | This object only
Success | Domain Users   | All Extended Rights                                                                                         | This object only

Reviewing Default Audit Settings on the Configuration Directory Partition

Default audit settings for the Configuration container and child objects in the configuration directory partition are listed in Table 24, Table 25, Table 26, Table 27, and Table 28.

The directory operations that are audited by the settings in Table 24 include any modifications to the permissions and the wellKnownObjects attribute on the configuration directory partition.

Table 24  Auditing for CN=Configuration,DC=ForestRootDomain

Type    | Name           | Access                                                 | Apply To
Success | Everyone       | Modify Permissions, Modify Owner, Write All Properties | This object only
Success | Everyone       | Reanimate Tombstones                                   | This object only
Success | Administrators | All Extended Rights                                    | This object only
Success | Domain Users   | All Extended Rights                                    | This object only

The directory operations that are audited by the settings in Table 25 include the following:

  • Addition and removal of domain controllers in the forest

  • Addition and removal of Group Policy settings that are applied to a site

  • Association and disassociation of a subnet with a site

  • Execution of the following control operations on a domain controller: Do Garbage Collection, Recalculate Hierarchy, Recalculate Security Inheritance, and Check Stale Phantoms

  • Addition, removal, and modification of site links

  • Addition, removal, and modification of connections

Table 25  Auditing for CN=Sites,CN=Configuration,DC=ForestRootDomain

Type    | Name     | Access                                                                     | Apply To
Success | Everyone | Create All Child Objects, Delete, Delete All Child Objects, Delete Subtree | This object and all child objects
Success | Everyone | All Extended Rights                                                        | Domain Controller Settings objects
Success | Everyone | Write gPLink (property), Write gPOptions (property)                        | Site objects
Success | Everyone | Write siteObject (property)                                                | Subnet objects

The directory operations that are audited by the settings in Table 26 include the following:

  • Addition and removal of domains (or external directory knowledge references) in the forest

  • Modifications to valid UPN Suffixes for the forest

  • Transfer of the domain naming operations master role

Table 26  Auditing for CN=Partitions,CN=Configuration,DC=ForestRootDomain

Type    | Name     | Access                                                                                                                                            | Apply To
Success | Everyone | Modify Permissions, Modify Owner, Write All Properties, Create All Child Objects, Delete, Delete All Child Objects, Delete Subtree, All Extended Rights | This object and all child objects

The directory operations that are audited by the settings in Table 27 include changes to the dSHeuristics attribute, which controls certain characteristics of forest-wide behavior of the directory service.

Table 27  Auditing for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain

Type    | Name     | Access                        | Apply To
Success | Everyone | Write dSHeuristics (property) | This object only

The directory operations that are audited by the settings in Table 28 include changes to forest-wide parameters that govern the behavior of Lightweight Directory Access Protocol (LDAP)–based queries and operations.

Table 28  Auditing for CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain

Type    | Name     | Access                           | Apply To
Success | Everyone | Write lDAPAdminLimits (property) | This object only
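The property-scoped entries in Table 25 (Write gPLink and gPOptions, applied to Site objects) and Table 27 (Write dSHeuristics, applied to this object only) are the two shapes of entry this section relies on: an attribute-specific audit ACE that applies to the object itself, and an inherit-only ACE limited to one object class. The script below is an added example, not from this guide, that creates both shapes from PowerShell instead of ADSI Edit. It assumes the Active Directory PowerShell module and its AD: drive, that Set-Acl on the AD: drive writes back the SACL returned by Get-Acl -Audit, and the "Manage auditing and security log" privilege. The function and parameter names are this example's own.

```powershell
# Added example (not from the original guide): add property-scoped audit entries of the
# kind shown in Table 27 (this object only) and Table 25 (inherited, limited to one class).
# Assumes the Active Directory module, the AD: drive, and SeSecurityPrivilege.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# An ACE identifies attributes and classes by schemaIDGUID, not by name, so look the GUID
# up in the schema rather than hard-coding it.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Add-ADPropertyWriteAudit {
    param(
        [string]$DistinguishedName,
        [string]$Property,               # attribute whose successful writes are audited
        [string]$InheritedObjectClass    # e.g. 'site' for "Apply To: Site objects"; omit for "This object only"
    )
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $flags    = [System.Security.AccessControl.AuditFlags]::Success
    $propGuid = Get-SchemaGuid $Property

    if ($InheritedObjectClass) {
        # Inherit-only entry that takes effect only on descendants of the given class.
        $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $ctorArgs = @($everyone, $rights, $flags, $propGuid, $inherit, (Get-SchemaGuid $InheritedObjectClass))
    } else {
        $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $ctorArgs = @($everyone, $rights, $flags, $propGuid, $inherit)
    }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ctorArgs

    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    # Skip if an equivalent explicit entry already exists, so the script can be re-run safely.
    $existing = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            $_.ObjectType -eq $propGuid -and
            $_.InheritanceType -eq $inherit -and
            $_.AuditFlags -eq $flags -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights)
        }
    if ($existing) {
        Write-Host "Already audited: Write $Property on $DistinguishedName"
        return
    }
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Added audit entry: Write $Property on $DistinguishedName"
}

# Table 27: Write dSHeuristics, This object only
Add-ADPropertyWriteAudit -DistinguishedName "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Property 'dSHeuristics'

# Table 25: Write gPLink and Write gPOptions, Site objects (inherit-only under CN=Sites)
foreach ($attr in 'gPLink', 'gPOptions') {
    Add-ADPropertyWriteAudit -DistinguishedName "CN=Sites,$configNC" -Property $attr -InheritedObjectClass 'site'
}
```

An inherited entry such as the Table 25 one is copied by the security descriptor propagator into the SACL of every descendant of the object it is set on, not only those of the named class; the class GUID limits where the entry takes effect, not where it is stored. That is the cost the footnote to Table 29 warns about, and it is why inherited entries should be added at small containers such as CN=Sites rather than at the head of a large domain partition.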

Reviewing Default Audit Settings on the Domain Directory Partition

Default audit settings for objects in the domain container of the domain directory partition are listed in Table 29, Table 30, Table 31, Table 32, Table 33, and Table 34.

The directory operations that are audited by the settings in Table 29 include the following:

  • Transfer of the PDC emulator operations master role

  • Addition and removal of Group Policy settings that are applied to the domain

  • Modifications to valid DNS Suffixes for the domain

  • Modifications to the permissions and the wellKnownObjects attribute on the domain directory partition

  • Migration of SID history

Table 29  Auditing for DC=domain,DC=ForestRootDomain

Type     | Name           | Access                                                 | Apply To
Success  | Everyone       | Modify Permissions, Modify Owner, Write All Properties | This object only
Success  | Administrators | All Extended Rights                                    | This object only
Success  | Domain Users   | All Extended Rights                                    | This object only
Success* | Everyone       | Write gPLink, Write gPOptions                          | Organizational Unit objects

* Do not add these audit entries if you are upgrading from Windows 2000 to Windows Server 2003. Because they are inherited, adding them causes the security descriptor on every object in the domain to be rewritten, which can result in significant database growth and increased background processing as the access control entries (ACEs) are propagated to all objects.

The directory operations that are audited by the settings in Table 30 include the following:

  • Addition and removal of domain controllers for the domain

  • Modifications to any properties of domain controller computer accounts

Table 30  Auditing for OU=Domain Controllers,DC=domain,DC=…ForestRootDomain

Type    | Name     | Access                                                                                                      | Apply To
Success | Everyone | Modify Permissions, Modify Owner, Create All Child Objects, Delete, Delete All Child Objects, Delete Subtree | This object only
Success | Everyone | Write All Properties                                                                                        | This object and all child objects

The directory operations that are audited by the settings in Table 31 include the transfer of the infrastructure operations master role.

Table 31  Auditing for CN=Infrastructure,DC=domain,DC=…ForestRootDomain

Type    | Name     | Access                                    | Apply To
Success | Everyone | All Extended Rights, Write All Properties | This object only

Reviewing Default Audit Settings on Child Objects of the System Container

The directory operations that are audited by the settings in Table 32 include the following:

  • Addition and removal of GPOs

  • Modifications to GPOs

Table 32  Auditing for CN=Policies,CN=System,DC=domain,DC=…ForestRootDomain

Type    | Name     | Access                                                                                                                                | Apply To
Success | Everyone | Modify Permissions, Modify Owner, Create groupPolicyContainer Objects, Delete, Delete groupPolicyContainer Objects, Delete Subtree | This object only
Success | Everyone | Modify Permissions, Write All Properties                                                                                              | groupPolicyContainer objects

The directory operations that are audited by the settings in Table 34 include modifications to the AdminSDHolder object, whose security descriptor is periodically copied to all service administrator accounts and groups and therefore governs who can control them.

Table 33  Auditing for CN=AdminSDHolder,CN=System,DC=domain,DC=…ForestRootDomain

Type    | Name     | Access                                                 | Apply To
Success | Everyone | Modify Permissions, Modify Owner, Write All Properties | This object only

The directory operations that are audited by the settings in Table 34 include the transfer of the relative ID (RID) operations master role.

Table 34  Auditing for CN=RID Manager$,CN=System,DC=domain,DC=…ForestRootDomain

Type    | Name     | Access                                    | Apply To
Success | Everyone | All Extended Rights, Write All Properties | This object only