How to Audit Organizational Units (OUs) Changes in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

2. Step 1: Enable Auditing of Organizational Unit Changes

Do the following to enable the auditing of Organizational Unit changes:

  1. Open Group Policy Management Console.
  2. In the left navigation pane, go to the domain, and select a customized Group Policy Object in the “Domain Controllers” node.
  3. We recommend making such changes only in customized GPOs and not in the default policies.
  4. You can also create a new policy by right-clicking and selecting the “Create a GPO in this domain and Link it here…” option in the context menu.
  5. Right-click the existing or new GPO, and select the “Edit” option from the context menu. It opens Group Policy Management Editor.
  6. In the left navigation pane, expand the nodes to navigate through “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
  7. Click the “DS Access” node to list all of its policies in the right panel.
  8. Double-click the “Audit Directory Service Access” policy to access its properties.
  9. Configure it for both “Success” and “Failure” audit events.
  10. Similarly, enable “Audit Directory Service Changes” by configuring it for both “Success” and “Failure” audit events.
  11. Close the “Group Policy Management Editor” window. It takes you back to the “Group Policy Management Console”.
  12. Select the GPO under the “Domain Controllers” node that you modified in the previous steps.
  13. In the “Security Filtering” section of the right pane, click “Add” to apply this GPO to all Active Directory objects. It shows the “Select User, Computer, or Group” window.
  14. Type “Everyone” to apply this GPO to all objects.
  15. Click “Check Names” to validate the entry and click “OK” to add it.
  16. It takes you back to the “Group Policy Management Console”. Now close this window.
  17. After applying the GPO to all objects, you have to update Group Policy in the entire forest. To do so, run the following command either in the “Run” dialog box or at a Command Prompt. Start either utility with administrative privileges:

      gpupdate /force

3. Step 2: Enable Auditing in ADSI Edit

After enabling directory service auditing in Group Policy, select what you want to audit by adding an auditing entry (SACL) in ADSI Edit:

  1. Go to the Start Menu or “Control Panel” and access “Administrative Tools”.
  2. Open the “ADSI Edit” window.
  3. Right-click the “ADSI Edit” node in the left navigation pane and click the “Connect To” option.
  4. In the “Connection Settings” window, select “Default naming context” in the “Select a well known Naming Context” drop-down menu.
  5. Click “OK” to connect to the “Default Naming Context”. It takes you back to the “ADSI Edit” window.
  6. Double-click the root node “Default Naming Context” to expand and access its sub-nodes.
  7. Right-click the top node titled “DC=www,DC=domain,DC=com” and click “Properties”.
  8. In “Properties”, switch to the “Security” tab and click the “Advanced” button to access “Advanced Security Settings for www”.
  9. Switch to the “Auditing” tab.
  10. Click “Add” to add a new auditing entry. It shows “Auditing Entry for www” on the screen.
  11. Click the “Select a Principal” link. It shows the “Select User, Computer, Service Account or Group” window.
  12. Type “Everyone” in the text box to audit changes made by all Active Directory principals in the Organizational Units. You can instead enter the name of a user or group to audit changes made only by them.
  13. Click “Check Names” to verify the entry and click “OK” to add it.
  14. Click “OK”. It takes you back to the “Auditing Entry for www” window, which now shows “Everyone”.
  15. Select “All” in the “Type” box to audit both successful and failed events.
  16. Select “This object and all descendant objects” in the “Applies to” field. This also enables auditing on the descendant objects of the Organizational Units.
  17. Select “Full Control” under “Permissions” to audit everything.
  18. Click “Apply” and “OK”.
  19. Close the console.
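The same result as Step 1 and Step 2 can be checked and applied from PowerShell. The script below is an added example, not part of the original article: it verifies with auditpol that the two “DS Access” subcategories the GPO should have set are active, then adds the same auditing entry as the ADSI Edit steps (Everyone, Full Control, Success and Failure, this object and all descendants) on the domain root. It assumes it is run on a domain controller as a domain administrator with the ActiveDirectory module installed.

```powershell
# Added example (not from the original article). Run elevated on a domain controller.
Import-Module ActiveDirectory

# Step 1 check: after gpupdate /force both subcategories should report "Success and Failure".
foreach ($sub in 'Directory Service Access', 'Directory Service Changes') {
    $line = (auditpol /get /subcategory:"$sub" | Select-String -SimpleMatch $sub).Line
    if ($line -match 'Success and Failure') {
        Write-Host "$sub : OK"
    } else {
        Write-Warning "$sub is not set to Success and Failure; re-check the GPO and run gpupdate /force"
    }
}

# Step 2 equivalent: build the auditing entry the article configures in ADSI Edit.
$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=www,DC=domain,DC=com
$path     = "AD:\$domainDn"
$acl      = Get-Acl -Path $path -Audit               # -Audit is required to read/write the SACL

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,               # "Full Control"
    [System.Security.AccessControl.AuditFlags]'Success, Failure',               # Type = "All"
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)         # "This object and all descendant objects"

$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show the SACL entries that now apply to the domain root so the change can be confirmed.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize
```

Auditing Full Control for Everyone on every descendant object records far more than OU changes; the event filter in Step 3 is what narrows the view back down to organizational units.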

4. Step 3: Viewing events

After configuring auditing, open Event Viewer and search the Security log for the following event IDs.

  • Event ID 5136: A directory service object (Organizational Unit) was modified.
  • Event ID 5137: A directory service object (Organizational Unit) was created.
  • Event ID 5139: A directory service object (Organizational Unit) was moved.
  • Event ID 5141: A directory service object (Organizational Unit) was deleted.

In these event types, you can see who created, modified, deleted, or changed the permissions of an organizational unit. The following screenshot shows an OU creation event (5137). You can get information such as the username, the event time, and the new OU’s name in this window.

You can scroll down in the event to view the name of the created organizational unit.

The following screenshot displays a log containing multiple events, such as 5141 for a deleted organizational unit and 5136 for modified organizational units.
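Scrolling through each event by hand does not scale once the SACL above is in place, so here is an added PowerShell example (not from the original article) that pulls the four event IDs from the Security log, parses the event XML, keeps only entries whose object class is organizationalUnit, and flattens the fields the article points at: who, when, which OU, and for 5136 which attribute changed. It assumes it runs on the domain controller holding the Security log (or with the log forwarded there) with permission to read it.

```powershell
# Added example (not from the original article). Summarise OU audit events from the Security log.
$actions = @{ 5136 = 'modified'; 5137 = 'created'; 5139 = 'moved'; 5141 = 'deleted' }

function Get-OuAuditEvent {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($actions.Keys) } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The EventData fields (ObjectDN, ObjectClass, SubjectUserName, ...) are only in the XML view.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The SACL records every object type; keep only organizational units.
        if ($data['ObjectClass'] -ne 'organizationalUnit') { continue }

        # 5139 (move) reports old and new DN; the other events report a single ObjectDN.
        $dn = if ($e.Id -eq 5139) { "$($data['OldObjectDN']) -> $($data['NewObjectDN'])" } else { $data['ObjectDN'] }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Action    = $actions[$e.Id]
            User      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN  = $dn
            Attribute = $data['AttributeLDAPDisplayName']   # 5136 only; nTSecurityDescriptor means a permission change
            Value     = $data['AttributeValue']             # 5136 only
        }
    }
}

Get-OuAuditEvent | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A 5136 event whose Attribute column reads nTSecurityDescriptor is the “changed permissions” case the article mentions; a plain rename shows up as a 5136 on the ou attribute rather than as a move.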