It is important to ensure that you audit the enactment of all vital administrative tasks, but at the same time it is also important to ensure that you do not go overboard so as to result in the unnecessary excessive filling up of your audit logs.
With that in mind, here is a list of some of the most important administrative tasks that you should audit for in your Active Directory -
- Creation and deletion of domain user accounts
- Resetting domain user account passwords
- Disabling and enabling of domain user accounts
- Unlocking domain user accounts
- Creation and deletion of domain security groups
- Changing domain security group memberships
- Changing domain security group scopes
- Changing domain security group types
- Creation and deletion of organizational units
- Linking and unlinking of GPOs to organizational units
- Creation and deletion of service connection points
- Changing a service connection point keywords
These tasks are all sensitive in that if someone could carry out these tasks with malicious motives, they could negatively impact the security of your Active Directory and thus the security of your IT infrastructure.
You can enable auditing of these tasks by modifying the SACL on Active Directory object, which by the way can be accessed by viewing the security descriptor of Active Directory objects.