Module 7: Auditing Active Directory Domain Services Changes

1. Module 7:Auditing Active Directory Domain Services Changes

2. Module Overview • What’s New with AD DS Auditing • Implementing AD DS Change Auditing

3. Lesson 1: What’s New with AD DS Auditing • Auditing Overview • Auditing with Windows Server 2008

4. Auditing Overview Audit directory service access Directory service access events Description 566A generic object operation took place

5. Auditing with Windows Server 2008 Audit Directory Service Access Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication

6. Lesson 2: Implementing AD DS Change Auditing • Global Audit Policy • System Access Control List • Schema • New AD DS Auditing Events • Attribute Syntaxes

7. Global Audit Policy Windows Server 2000 and Windows Server 2003 Directory service access events Description 566A generic object operation took place Windows Server 2008 Directory service access events Description 4662 generic object operation took place

8. System Access Control List SACL

9. Schema Schema Event Type 1 Event Type 2 Event Type 3 Event Type 4 Event Type 5 Audited

10. New AD DS Auditing Events Modify 5136 Create 5137 Undelete 5138 Move 5139

11. Attribute Syntaxes Registry setting information is as follows: • Location: HKLM\System\CurrentControlSet\Services\NTDS\Setting name: MaximumStringBytesToAudit • Type: REG_DWORD • Values • Default registry value: 1000 • Minimum registry value: 0 • Maximum registry value 64000

12. Review • What’s New with AD DS Auditing • Implementing AD DS Change Auditing

13. Lab: Using AD DS Auditing • Exercise 1: Set-up AD DS Auditing • Exercise 2: Create and View Auditing Events