Reviewing Audit Settings on Important Active Directory Objects
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Setting Audit Policy for domain controllers is only part of the task for auditing domain controllers for maximum security. In Windows Server 2003, auditing is also enabled by default on important Active Directory objects.
The audit settings that are described in this section are not enabled by default in Active Directory in Windows 2000. If you upgrade from Windows 2000, the audit settings at the time of the upgrade are maintained and the Windows Server 2003 auditing default settings are not applied. By adding the audit settings that are described in this section, you can bring your Windows Server 2003 Active Directory configuration into alignment with the default audit settings. If you are installing a new Windows Server 2003 domain, no additional audit settings are required.
Audit settings for an Active Directory object affect the permission settings that make up the SACL on the object. To provide auditing of access to the most important Active Directory objects, auditing is enabled by default on the topmost object of each directory partition. Directory partitions are logical divisions of the Active Directory database. In Windows Server 2003, auditing is enabled by default on the following Active Directory objects:
The schema directory partition. Use ADSI Edit to set auditing on schema directory partition objects. ADSI Edit is a Windows Support Tool that is available as a Microsoft Management Console (MMC) snap-in when you have Windows Support Tools installed. For information about installing and using Windows Support Tools, click Tools in Help and Support Center, and then click Windows Support Tools.
The configuration directory partition, including specific settings on the Sites and Services containers and on certain child objects. Use ADSI Edit to set auditing on configuration directory partition objects.
Each domain directory partition, including specific settings on the Domain Controllers OU, Infrastructure object, System container, and certain child objects in the System container. Use Active Directory Users and Computers to set auditing on domain directory partition objects.
For information about how to enable audit settings, see “Enabling Auditing on Important Active Directory Objects” in Appendix: Procedures later in this guide.
Default audit settings for each directory partition are described in the following sections.
The schema-related directory operations that are audited by the default settings in Table 23 include any additions, deletions, or modifications to objects in the Schema container in the schema directory partition, as well as the transfer of the Schema operations master role.
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Create All Child Objects; Delete; Delete All Child Objects; Delete Subtree | This object only
Success | Everyone | Write All Properties | This object and all child objects
Success | Everyone | Change Schema Master | This object only
Success | Everyone | Reanimate Tombstones | This object only
Success | Administrators | All Extended Rights | This object only
Success | Domain Users | All Extended Rights | This object only
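As an added example (not code from this guide or from Microsoft), the following PowerShell script reads the SACL of the schema partition head and reports whether each Table 23 row is present; the same function can be run against the configuration naming context with the Table 24 rows. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and a session permitted to read SACLs; Test-AdAuditEntries and Get-ExtendedRightGuid are hypothetical helper names.

```powershell
# Added example, not from the guide: compare a partition head's SACL with the
# Success audit entries listed in this section. Assumes the ActiveDirectory
# module and a session that may read SACLs (e.g. Domain Admins).
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$configDN = $rootDse.configurationNamingContext
# Well-known principals as SIDs, so matching does not depend on how the SACL
# displays "Everyone", "BUILTIN\Administrators" or "<DOMAIN>\Domain Users".
$wk  = [System.Security.Principal.WellKnownSidType]
$sid = @{
    Everyone       = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($wk::WorldSid), $null
    Administrators = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($wk::BuiltinAdministratorsSid), $null
    DomainUsers    = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ($wk::AccountDomainUsersSid), (Get-ADDomain).DomainSID
}
# Resolve an extended right's GUID from the Extended-Rights container instead of hard-coding it.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configDN" `
            -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
# "This object only" = InheritanceType None; "This object and all child objects" = All.
# Rights of every matching Success ACE are OR-ed, since one table row may be stored as several ACEs.
function Test-AdAuditEntries([string]$Path, [array]$Expected) {
    $sacl = (Get-Acl -Path "AD:\$Path" -Audit).Audit
    foreach ($e in $Expected) {
        $want = [int][System.DirectoryServices.ActiveDirectoryRights]$e.Rights
        $have = 0
        foreach ($r in $sacl) {
            $rSid = $r.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($rSid -eq $e.Sid -and $r.InheritanceType -eq $e.Inherit -and $r.ObjectType -eq $e.ObjectType -and
                (($r.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0)) {
                $have = $have -bor [int]$r.ActiveDirectoryRights
            }
        }
        New-Object PSObject -Property @{ Principal = $e.Name; Rights = $e.Rights; ApplyTo = $e.Inherit; Present = (($have -band $want) -eq $want) }
    }
}
# Table 23 rows for the schema partition head. UI label -> ActiveDirectoryRights:
# Modify Permissions = WriteDacl, Modify Owner = WriteOwner, Delete Subtree = DeleteTree, All Properties/Extended Rights = empty ObjectType.
$table23 = @(
    @{ Name='Everyone'; Sid=$sid.Everyone; Rights='WriteDacl, WriteOwner, CreateChild, Delete, DeleteChild, DeleteTree'; Inherit='None'; ObjectType=[guid]::Empty },
    @{ Name='Everyone'; Sid=$sid.Everyone; Rights='WriteProperty'; Inherit='All'; ObjectType=[guid]::Empty },
    @{ Name='Everyone'; Sid=$sid.Everyone; Rights='ExtendedRight'; Inherit='None'; ObjectType=(Get-ExtendedRightGuid 'Change Schema Master') },
    @{ Name='Everyone'; Sid=$sid.Everyone; Rights='ExtendedRight'; Inherit='None'; ObjectType=(Get-ExtendedRightGuid 'Reanimate Tombstones') },
    @{ Name='Administrators'; Sid=$sid.Administrators; Rights='ExtendedRight'; Inherit='None'; ObjectType=[guid]::Empty },
    @{ Name='Domain Users'; Sid=$sid.DomainUsers; Rights='ExtendedRight'; Inherit='None'; ObjectType=[guid]::Empty }
)
Test-AdAuditEntries -Path $rootDse.schemaNamingContext -Expected $table23 | Format-Table Present, Principal, Rights, ApplyTo -AutoSize
```

A row reported as Present = False on an upgraded Windows 2000 forest is the case the text describes, and is corrected with the procedure in "Enabling Auditing on Important Active Directory Objects".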
Default audit settings for the Configuration container and child objects in the configuration directory partition are listed in Table 24, Table 25, Table 26, Table 27, and Table 28.
The directory operations that are audited by the settings in Table 24 include any modifications to the permissions and the wellKnownObjects attribute on the configuration directory partition.
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Write All Properties | This object only
Success | Everyone | Reanimate Tombstones | This object only
Success | Administrators | All Extended Rights | This object only
Success | Domain Users | All Extended Rights | This object only
The directory operations that are audited by the settings in Table 25 include the following:
- Addition and removal of domain controllers in the forest
- Addition and removal of Group Policy settings that are applied to a site
- Association and disassociation of a subnet with a site
- Execution of the following control operations on a domain controller: Do Garbage Collection, Recalculate Hierarchy, Recalculate Security Inheritance, and Check Stale Phantoms
- Addition, removal, and modification of site links
- Addition, removal, and modification of connections
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Create All Child Objects; Delete; Delete All Child Objects; Delete Subtree | This object and all child objects
Success | Everyone | All Extended Rights | Domain Controller Settings objects
Success | Everyone | Write gPLink (property); Write gPOptions (property) | Site objects
Success | Everyone | Write siteObject (property) | Subnet objects
The directory operations that are audited by the settings in Table 26 include the following:
- Addition and removal of domains (or external directory knowledge references) in the forest
- Modifications to valid UPN Suffixes for the forest
- Transfer of the domain naming operations master role
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Write All Properties; Create All Child Objects; Delete; Delete All Child Objects; Delete Subtree; All Extended Rights | This object and all child objects
The directory operations that are audited by the settings in Table 27 include changes to the dSHeuristics attribute, which controls certain characteristics of forest-wide behavior of the directory service.
Table 27 Auditing for CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Write dSHeuristics (property) | This object only
The directory operations that are audited by the settings in Table 28 include changes to forest-wide parameters that govern the behavior of Lightweight Directory Access Protocol (LDAP)–based queries and operations.
Table 28 Auditing for CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestRootDomain
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Write lDAPAdminLimits (property) | This object only
Default audit settings for objects in the domain container of the domain directory partition are listed in Table 29, Table 30, Table 31, Table 32, Table 33, and Table 34.
The directory operations that are audited by the settings in Table 29 include the following:
- Transfer of the PDC emulator operations master role
- Addition and removal of Group Policy settings that are applied to the domain
- Modifications to valid DNS Suffixes for the domain
- Modifications to the permissions and the wellKnownObjects attribute on the domain directory partition
- Migration of SID history
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Write All Properties | This object only
Success | Administrators | All Extended Rights | This object only
Success | Domain Users | All Extended Rights | This object only
Success* | Everyone | Write gPLink; Write gPOptions | Organizational Unit objects
* Do not add these policies if you are upgrading from Windows 2000 to Windows Server 2003. Doing so causes the security descriptor on every object in the domain to be edited, which can result in significant database growth and increased background processing to apply these access control entries (ACEs) to all objects.
The directory operations that are audited by the settings in Table 30 include the following:
- Addition and removal of domain controllers for the domain
- Modifications to any properties of domain controller computer accounts
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Create All Child Objects; Delete; Delete All Child Objects; Delete Subtree | This object only
Success | Everyone | Write All Properties | This object and all child objects
The directory operations that are audited by the settings in Table 31 include the transfer of the infrastructure operations master role.
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | All Extended Rights; Write All Properties | This object only
The directory operations that are audited by the settings in Table 32 include the following:
- Addition and removal of GPOs
- Modifications to GPOs
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Create groupPolicyContainer Objects; Delete; Delete groupPolicyContainer Objects; Delete Subtree | This object only
Success | Everyone | Modify Permissions; Write All Properties | groupPolicyContainer objects
The directory operations that are audited by the settings in Table 33 include modifications to the special security descriptor that protects all service administrator accounts.
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | Modify Permissions; Modify Owner; Write All Properties | This object only
The directory operations that are audited by the settings in Table 34 include the transfer of the relative ID (RID) operations master role.
Type | Name | Access | Apply To
---|---|---|---
Success | Everyone | All Extended Rights; Write All Properties | This object only