HOW TO: Audit Active Directory Objects in Windows 2000 (314955)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q314955

SUMMARY

This step-by-step article describes how to use Windows 2000 auditing to track user activities and system-wide events in Active Directory.

When you use Windows 2000 auditing, you can track both user activities and Windows 2000 activities, which are called events, on a computer. When you use auditing, you can specify which events are written to the Security log. For example, the Security log can maintain a record of both valid and invalid logon attempts and events that relate to creating, opening, or deleting files or other objects. An audit entry in the Security log contains the following information:
  • The action that was performed.
  • The user who performed the action.
  • The success or failure of the event and the time that the event occurred.
An audit policy setting defines the categories of events that Windows 2000 logs in the Security log on each computer. The Security log allows you to track the events that you specify.

When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller. For example, if a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the domain controller and not on the computer on which the logon attempt was made. This behavior occurs because it is the domain controller that tried to authenticate the logon attempt but could not do so.

Use Event Viewer to view events that Windows 2000 logs in the Security log. You can also archive log files to track trends over time, for example, if you want to determine the use of either printers or files, or if you want to verify the use of unauthorized resources.

To enable auditing of Active Directory objects:
  1. Configure an audit policy setting for a domain controller.

    An audit policy setting turns on auditing for a whole event category (for example, directory service access); it does not let you choose which individual objects are audited. That is done in the second step.
  2. Configure auditing for specific Active Directory objects.

    After you specify the events to audit for files, folders, printers, and Active Directory objects, Windows 2000 tracks and logs these events.


How to Configure an Audit Policy Setting for a Domain Controller

Auditing is turned off by default. For domain controllers, an audit policy setting is configured for all domain controllers in the domain. To audit events that occur on domain controllers, configure an audit policy setting that applies to all domain controllers in a non-local Group Policy object (GPO) for the domain. You can access this policy setting through the Domain Controllers organizational unit. To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting.

NOTES:
  • You must hold the Manage Auditing And Security Log user right on the computer where you want to configure an audit policy setting or review an audit log. By default, Windows 2000 grants this right to the Administrators group.
  • The files and folders that you want to audit must be on Microsoft Windows NT file system (NTFS) volumes.
To configure an audit policy setting for a domain controller, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Click Advanced Features on the View menu.
  3. Right-click Domain Controllers, and then click Properties.
  4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
  5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
  6. In the right pane, right-click Audit Directory Services Access, and then click Security.
  7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:
    • Success: Click to select this check box to audit successful attempts for the event category.
    • Failure: Click to select this check box to audit failed attempts for the event category.
  8. Right-click any other event category that you want to audit, and then click Security.
  9. Click OK.
  10. Because the changes that you make to your computer's audit policy setting take effect only when the policy setting is propagated (or applied) to your computer, complete one of the following steps to initiate policy propagation:
    • Type secedit /refreshpolicy machine_policy at the command prompt, press ENTER, and then restart the computer.

      -or-
    • Wait for automatic policy propagation, which occurs at regular intervals that you can configure. By default, policy propagation occurs every eight hours.
  11. Open the Security log to view logged events.

NOTE: If you are either a domain or an enterprise administrator, you can enable security auditing for workstations, member servers, and domain controllers remotely.

How to Configure Auditing for Specific Active Directory Objects

After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit.

To configure auditing for specific Active Directory objects, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Verify that Advanced Features is selected on the View menu (the command has a check mark beside it).
  3. Right-click the Active Directory object that you want to audit, and then click Properties.
  4. Click the Security tab, and then click Advanced.
  5. Click the Auditing tab, and then click Add.
  6. Do one of the following steps:
    • Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, then click OK.

      -or-
    • Browse the list of names, and then double-click either the user or the group whose access you want to audit.
  7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
  8. Click OK, and then click OK.

Troubleshooting

The Security log is limited in size; therefore, it is recommended that you carefully choose the files, folders, and objects that you want to audit. Also consider the amount of disk space that you want to devote to the Security log. The maximum size is defined in Event Viewer.
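As an added example (not part of the original article), the following Python script summarizes a Security log that was archived from Event Viewer as tab-delimited text, so that you can see which audit categories fill the log fastest and which users generate failed Directory Service Access entries. The column layout (Date, Time, Source, Type, Category, Event, User, Computer, Description) is assumed, and the sample entries, user names and event IDs are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Assumed column layout of an Event Viewer "Save Log File As" tab-delimited
# export; adjust FIELDS if your export differs.
FIELDS = ["Date", "Time", "Source", "Type", "Category", "Event",
          "User", "Computer", "Description"]

# Constructed sample entries (placeholder dates, users and event IDs).
SAMPLE_EXPORT = "\n".join([
    "3/4/2003\t9:12:01 AM\tSecurity\tSuccess Audit\tDirectory Service Access\t0\tCONTOSO\\alice\tDC1\tObject Open",
    "3/4/2003\t9:12:07 AM\tSecurity\tFailure Audit\tDirectory Service Access\t0\tCONTOSO\\bob\tDC1\tObject Open",
    "3/4/2003\t9:12:09 AM\tSecurity\tFailure Audit\tDirectory Service Access\t0\tCONTOSO\\bob\tDC1\tObject Open",
    "3/4/2003\t9:13:40 AM\tSecurity\tFailure Audit\tLogon/Logoff\t0\tCONTOSO\\bob\tDC1\tLogon Failure",
    "3/4/2003\t9:14:02 AM\tSecurity\tSuccess Audit\tObject Access\t0\tCONTOSO\\alice\tDC1\tObject Open",
    "3/4/2003\t9:14:05 AM\tSecurity\tSuccess Audit\tObject Access\t0\tCONTOSO\\carol\tDC1\tObject Open",
    "3/4/2003\t9:15:30 AM\tSecurity\tFailure Audit\tDirectory Service Access\t0\tCONTOSO\\carol\tDC1\tObject Open",
])

def parse_export(text):
    """Return one dict per entry; blank or truncated lines are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) == len(FIELDS):
            rows.append(dict(zip(FIELDS, row)))
    return rows

def volume_by_category(rows):
    """Entries per (Category, Type): what each enabled category costs in log space."""
    return Counter((r["Category"], r["Type"]) for r in rows)

def failed_access_by_user(rows, category="Directory Service Access"):
    """Failed attempts in one category, per user: the question auditing is meant to answer."""
    return Counter(r["User"] for r in rows
                   if r["Category"] == category and r["Type"] == "Failure Audit")

def noisiest_categories(rows, top=3):
    """Categories producing the most entries: candidates to narrow when the log fills too fast."""
    return Counter(r["Category"] for r in rows).most_common(top)

if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for key, n in sorted(volume_by_category(entries).items()):
        print(f"{key[0]:<26} {key[1]:<14} {n}")
    print("failed DS access by user:", dict(failed_access_by_user(entries)))
```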



REFERENCES

For additional information about auditing in Windows 2000, click the article numbers below to view the articles in the Microsoft Knowledge Base:

300549 HOW TO: Enable and Apply Windows Security Auditing

248260 How to Enable Local Security Auditing in Windows 2000

252412 HOW TO: Enabling Local Auditing Policies on Windows 2000

301640 How to Set, View, Change, Remove Auditing for Files or Folders

310399 HOW TO: Audit User Access of Files, Folders, and Printers in Windows XP

223441 How to Reset ACL Inheritance in the Windows 2000 File System

For more information about auditing policy settings and the difference between local policies and domain policies, refer to Windows 2000 Help.






Modification Type: Major
Last Reviewed: 11/19/2003