Wednesday, June 30, 2010

Which administrative tasks to audit in Active Directory

As you may know, auditing for identity and access management is configured in Active Directory itself, and the resulting audit entries are generated in the audit logs on domain controllers.

It is important to audit the execution of all vital administrative tasks, but it is equally important not to go overboard and fill your audit logs with unnecessary noise.

With that in mind, here is a list of some of the most important administrative tasks that you should audit in your Active Directory:
  1. Creation and deletion of domain user accounts
  2. Resetting domain user account passwords
  3. Disabling and enabling of domain user accounts
  4. Unlocking domain user accounts
  5. Creation and deletion of domain security groups
  6. Changing domain security group memberships
  7. Changing domain security group scopes
  8. Changing domain security group types
  9. Creation and deletion of organizational units
  10. Linking and unlinking of GPOs to organizational units
  11. Creation and deletion of service connection points
  12. Changing a service connection point's keywords

These tasks are all sensitive: if someone carried them out with malicious motives, they could negatively impact the security of your Active Directory and thus the security of your IT infrastructure.

You can enable auditing of these tasks by modifying the SACL on the relevant Active Directory objects, which, incidentally, can be accessed by viewing the security descriptor of those objects.
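As an added example (not from the original post), the PowerShell below adds a SACL entry to an organizational unit so that successful creation and deletion of user accounts beneath it (task 1 in the list above) are audited, then reads the SACL back to confirm. It assumes the ActiveDirectory module is installed, that the OU distinguished name is a placeholder you replace with your own, that the account running it holds the "Manage auditing and security log" privilege, and that the Directory Service Access / Directory Service Changes audit subcategories are enabled on your domain controllers, since a SACL entry produces no events unless that audit policy is turned on.

```powershell
# Added example: audit successful create/delete of user objects under one OU via the object's SACL.
# Assumptions: ActiveDirectory module present; $ouPath is a placeholder to replace;
# the caller holds SeSecurityPrivilege; DC audit policy for Directory Service Access is enabled.
Import-Module ActiveDirectory

$ouPath = 'AD:\OU=Example,DC=example,DC=com'   # placeholder OU, replace with your own

# "Everyone" (well-known SID S-1-1-0): audit the action regardless of who performs it.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# schemaIDGUID of the "user" class; scopes the entry to user objects only,
# so creation of other child types does not add noise to the log.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Read the current security descriptor including its SACL (-Audit).
$acl = Get-Acl -Path $ouPath -Audit

# Build an audit rule: CreateChild + DeleteChild of user objects, on success, inherited by sub-OUs.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: list the audit entries now present on the OU.
(Get-Acl -Path $ouPath -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType, InheritanceType
```

The same pattern covers the other tasks in the list: change the schemaIDGUID (group, organizationalUnit, serviceConnectionPoint) or the right (WriteProperty on a specific attribute GUID for membership, scope, type or keyword changes) and keep the Success-only flag unless you also want failed attempts recorded.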



  1. Hi Charles,

    I happened to come across your blog, so thought I'd leave a note.

    I've been wanting to blog for a while now, and have a little blog of my own as well over at Active Directory Forestry, but I just can't seem to find the time.

    We've been very busy helping clients understand how to analyze and audit security permissions in Active Directory because it is so important to Active Directory security.

    We came across a valuable Active Directory Audit Tool and it's been very helpful as we perform many an Active Directory Audit for our clients. Thought I'd mention it.

    If you have some time, do stop by. I would love to hear from you.


  2. Hi Charles,

    As Domain Admins / Enterprise Admins we often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.

    In my experience, I have found that finding out who is delegated what access in Active Directory is not as easy as it seems, but in fact can be quite difficult.

    I've seen many admins try to use a Permissions Analyzer for Active Directory but finding out who has what permissions in Active Directory is not the same thing.

    I recently came across an Active Directory Audit Tool that makes it super easy to find out who is delegated what access in Active Directory. Thought you may like to know.