Module 7: Auditing Active Directory Domain Services Changes
Module Overview
- What’s New with AD DS Auditing
- Implementing AD DS Change Auditing
Lesson 1: What’s New with AD DS Auditing
- Auditing Overview
- Auditing with Windows Server 2008
Auditing Overview
- Audit directory service access
- Directory service access event 566. Description: A generic object operation took place
Auditing with Windows Server 2008
- Audit Directory Service Access:
  - Directory Service Access
  - Directory Service Changes
  - Directory Service Replication
  - Detailed Directory Service Replication
Lesson 2: Implementing AD DS Change Auditing
- Global Audit Policy
- System Access Control List
- Schema
- New AD DS Auditing Events
- Attribute Syntaxes
Global Audit Policy
- Windows Server 2000 and Windows Server 2003: directory service access event 566. Description: A generic object operation took place
- Windows Server 2008: directory service access event 4662. Description: A generic object operation took place
System Access Control List (SACL)
Schema
- Event Type 1
- Event Type 2
- Event Type 3
- Event Type 4
- Event Type 5
- Audited
New AD DS Auditing Events
- Modify: 5136
- Create: 5137
- Undelete: 5138
- Move: 5139
Attribute Syntaxes
Registry setting information is as follows:
- Location: HKLM\System\CurrentControlSet\Services\NTDS\
- Setting name: MaximumStringBytesToAudit
- Type: REG_DWORD
- Values:
  - Default registry value: 1000
  - Minimum registry value: 0
  - Maximum registry value: 64000
Review
- What’s New with AD DS Auditing
- Implementing AD DS Change Auditing
Lab: Using AD DS Auditing
- Exercise 1: Set-up AD DS Auditing
- Exercise 2: Create and View Auditing Events