Audit Account Logon Events: You enable this auditing event if you want to audit when a
user authenticates with a domain controller and logs onto the domain. This event is logged
in the security log on the domain controller.
Audit Account Management: This auditing event is used when you want to watch what
changes are being made to Active Directory accounts. For example, when another
administrator creates or deletes a user account, it would be an audited event.
Audit Directory Service Access: This auditing event occurs whenever a user or administrator
accesses Active Directory objects. Let's say that an administrator opens Active Directory and
clicks a user account; even if nothing is changed on that account, an event is logged.
Audit Logon Events: Account logon events are created for domain account activity. For
example, you have a user who logs on to a server so that they can access files; the act of
logging onto the server creates this audit event.
Audit Object Access: Audit object access allows you to audit objects within your network
such as folders, files, and printers. If you suspect someone is trying to hack into an object
(for example, the finance folder), this is the type of auditing that you would use. You still
would need to enable auditing on the actual object (for example, the finance folder).
Audit Policy Change: Audit policy change allows you to audit changes to user rights
assignment policies, audit policies, or trust policies. This auditing allows you to see whether
anyone changes any of the other audit policies.
Audit Privilege Use: Setting the audit privilege use allows an administrator to audit each
instance of a user exercising a user right. For example, if a user changes the system time on
a machine, this is a user right. Logging on locally is another common user right.
To audit access to objects stored within Active Directory, you must enable the Audit
Directory Service Access option. Then you must specify which objects and actions should
be tracked.
Exercise 7.2 walks through the steps you must take to implement auditing of Active
Directory objects on domain controllers.
Exercise 7.2
Enabling Auditing of Active Directory Objects
1. Open the Local Security Policy tool (located in the Administrative Tools program group).
2. Expand Local Policies > Audit Policy.
3. Double-click the setting for Audit Directory Service Access.
4. In the Audit Directory Service Access Properties dialog box, place check marks next to
Success and Failure. Click OK to save the settings.
5. Close the Local Security Policy tool.
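A command-line equivalent of Exercise 7.2, extended to the follow-up step of specifying which object and actions are tracked. This is an added example, not from the original text: the OU distinguished name is a constructed placeholder, and it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module installed.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example. $targetDn is a constructed placeholder; substitute a real object.
Import-Module ActiveDirectory                      # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # audit rule types

$targetDn = 'OU=Finance,DC=example,DC=com'

# Steps 1-5 of the exercise: enable Success and Failure auditing for
# directory service access, then show the resulting setting.
# A domain Group Policy that defines audit settings will override this.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Access"

# The policy alone logs nothing until an object carries a SACL entry.
# Audit writes and deletes by Everyone (S-1-1-0) on the target and below.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone, $rights, $flags, $inherit)

# -Audit is required, otherwise Get-Acl returns the object without its SACL.
$acl = Get-Acl -Path "AD:\$targetDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$targetDn" -AclObject $acl

# Confirm the audit entry is now present on the object.
(Get-Acl -Path "AD:\$targetDn" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited

# Audited operations appear in the Security log as event ID 4662.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

Auditing only writes and deletes keeps the Security log readable; adding ReadProperty for Everyone on a large subtree produces a very high event volume.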
 