audit AD

[sentmemail]

hi,
is there anyway to audit who reset user accounts in the active directory?
thanks

 

[LiLithTecH]

Yes. By setting up "Audit directory service access" in AD Group Policy.

 

[sentmemail]

can i do that if i only have access to my OU and not the entire AD?

 

[PowerMacG5]

Originally posted by: sentmemail
can i do that if i only have access to my OU and not the entire AD?

Yes, you can apply this setting AD wide, or OU wide. As long as you have access to the GPO, you can set this.

 

[stash]

Keep in mind that order of application of policy is LSDOU, but order of precedence is OUDSL. This means that the policy you set on your OU will have a higher precedence than higher level policies (such as domain level).

But if the higher level admins dont want you to mess with audit settings, then they can set no override on their policy. No override has precedence over block inheritance, so your policy will be replaced with the higher level policy, even if you turn the block inheritance bit on.

So it might be something you want to run by the higher level admins first. They should at least be auditing directory service access failures at the domain level (which you would inherit), but they may not want you to audit successes (massive log generation, possibly).

 

[sentmemail]

thanks