DS Auditing in Windows Server 2008

by Nirmal Sharma [Published on 6 May 2009 / Last Updated on 31 Dec. 2008]

This article explains the new functionality offered by auditing in Windows Server 2008.

Directory Services auditing has existed since Windows 2000. In Windows Server 2008, DS Auditing has been reworked and offers some new functionality. In previous versions of Windows there was a single DS Auditing category, and all changes (add, delete, modify) were logged under it. Windows Server 2008 splits this into the four DS Auditing categories listed below:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

You can enable or disable each category with the new command-line tool Auditpol.exe, supplied with Windows Server 2008 Active Directory Domain Services. Run Auditpol.exe /? to list its switches.

Please note the following improvements with DS Auditing:

  • New event IDs (Create 5137, Modify 5136, Move 5139, 5138)
  • Auditing settings are now stored locally in the LSA
  • Global Audit Policy is enabled by default
  • Old (previous) attribute values are now logged as well
  • New command-line tool support for enabling/disabling auditing categories
  • Setting the 9th bit (value 256) of an attribute's searchFlags excludes changes to that attribute from being logged
  • If you upgrade with auditing off, you must enable auditing in Windows Server 2008
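The following is an added example, not from the article, showing how an administrator would enable the four DS Auditing categories with Auditpol.exe, verify the result, pull the new change events from the Security log, and exclude one attribute via the searchFlags bit described above. It assumes an elevated PowerShell session on a domain controller; "Your-Attribute" is a placeholder schema object.

```powershell
# Added example (not from the article). Assumes an elevated PowerShell session on a
# Windows Server 2008 domain controller, run as a Domain Admin. Names marked as
# placeholders must be replaced with real values.

$subcategories = @(
    "Directory Service Access",
    "Directory Service Changes",
    "Directory Service Replication",
    "Detailed Directory Service Replication"   # very verbose; enable only while troubleshooting
)

# 1. Enable success and failure auditing for each category. The settings are stored
#    in the local LSA, so repeat this on every DC or deploy it through Group Policy.
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable
}

# 2. Confirm the effective policy on this DC.
auditpol /get /category:"DS Access"

# 3. Read the new change events from the Security log
#    (5136 modify, 5137 create, 5138 undelete, 5139 move).
#    Get-WinEvent needs PowerShell 2.0; on Windows Server 2008 RTM use instead:
#    wevtutil qe Security /q:"*[System[(EventID=5136)]]" /c:10 /rd:true /f:text
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 } -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# 4. Stop logging changes to one noisy attribute by setting bit 9 (value 256) of its
#    searchFlags in the schema. Requires Schema Admins rights and a connection to the
#    schema master. "Your-Attribute" is a placeholder for the attribute's CN.
$schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext
$attr     = [ADSI]"LDAP://CN=Your-Attribute,$schemaNC"
$current  = [int]$attr.searchFlags.Value
$attr.Put("searchFlags", ($current -bor 256))   # OR in the bit, keep the other flags
$attr.SetInfo()
```

Change events are only generated for objects whose SACL audits the write, so if nothing appears after step 3 check the object's auditing entries before assuming the policy is wrong.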
