Getting Excited and Palpitations all at once!

I am prepping hard for the Windows 2008 Launch Event in Birmingham, where I will be taking a small part by delivering part of a session with Matt Mcspirit of Microsoft. This will be the "Core Infrastructure Improvements" section.

During my prep I would just like to highlight some great new auditing features in Windows 2008 which I think are really useful for support personnel who need to keep an audit trail of what is happening within their Active Directory Domain Services environment. Previously, in Windows 2003, there was only one audit policy for auditing directory service access: "Audit Directory Service Access". This was not exactly all-encompassing and did not give a "before" or "after" snapshot of what settings had been modified or changed. This has been vastly improved in Windows 2008. The policy has now been divided into four subcategories:

Directory Service Access

Directory Service Changes

Directory Service Replication

Detailed Directory Service Replication

The downside is that there is no GUI for switching these subcategories on. You need to use a command-line tool called Auditpol.exe, which takes a bit of practise.

For example, to switch on Success auditing for "Directory Service Changes", so that you get a before and after notification of what has changed, when and how, type the following command at the command prompt:

Auditpol /set /subcategory:"Directory Service Changes" /success:enable

Once entered, this "switches on" some extended Event IDs, which are written to the Security event log when triggered by a monitored Directory Service Change to an Active Directory object's attribute.

5136 - An Attribute of the object has been modified

5137 - The object was created

5138 - The object has been undeleted

5139 - The object has been moved within the domain.

Therefore, if I enable a disabled user account, JLEWIS, I should expect to see the following event codes in the Active Directory Security event log:


1. 4662 = The user object has been accessed

2. 5136 = records the old value of the attribute

3. 5136 = records the new value of the attribute
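
The two 5136 events above only become a usable "before and after" once they are paired up. The following is an added example, not part of the original post: it merges the "value deleted" and "value added" 5136 events for one change into a single record. It assumes the events have been exported as raw event XML with the standard 5136 EventData fields (OpCorrelationID, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType); the sample events, the admin1 account, the example.com DN and the GUID are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# OperationType codes as they appear in raw 5136 event XML
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def _event(op_type, value):
    """Build one constructed 5136 event (sample data, not a real log)."""
    fields = {
        "OpCorrelationID": "{11111111-2222-3333-4444-555555555555}",
        "SubjectUserName": "admin1",
        "ObjectDN": "CN=JLEWIS,OU=Staff,DC=example,DC=com",
        "AttributeLDAPDisplayName": "userAccountControl",
        "AttributeValue": value,
        "OperationType": op_type,
    }
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample: JLEWIS is enabled, userAccountControl goes 514 -> 512
SAMPLE_EVENTS = [_event(VALUE_DELETED, "514"), _event(VALUE_ADDED, "512")]

def pair_changes(event_xml_list):
    """Merge 5136 delete/add events into one before/after record per change."""
    changes = defaultdict(lambda: {"who": "", "old": [], "new": []})
    for xml_text in event_xml_list:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # ignore 4662, 5137, etc.
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        # Events from the same operation share an OpCorrelationID
        key = (d.get("OpCorrelationID"), d.get("ObjectDN"),
               d.get("AttributeLDAPDisplayName"))
        rec = changes[key]
        rec["who"] = d.get("SubjectUserName", "")
        if d.get("OperationType") == VALUE_DELETED:
            rec["old"].append(d.get("AttributeValue", ""))
        elif d.get("OperationType") == VALUE_ADDED:
            rec["new"].append(d.get("AttributeValue", ""))
    return [{"object": k[1], "attribute": k[2], **r} for k, r in changes.items()]

if __name__ == "__main__":
    for change in pair_changes(SAMPLE_EVENTS):
        print(change)
```

The old and new values are kept as lists because a multi-valued attribute can produce several 5136 events within one operation.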
