windows-itpro-docs/windows/security/threat-protection/auditing/audit-directory-service-access.md
2023-07-06 13:22:03 -05:00


title: Audit Directory Service Access
description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.technology: itpro-security
ms.topic: reference

Audit Directory Service Access

Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.

Event volume: High on servers running AD DS role services.

This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the Audit Directory Service Changes subcategory. However, Audit Directory Service Changes doesn't give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects. For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |

Events List:

  • 4662(S, F): An operation was performed on an object.

  • 4661(S, F): A handle to an object was requested.
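
The following PowerShell is an added example, not part of the original documentation: it compares a machine's effective setting for this subcategory with the recommendation in the table above and, on a domain controller, counts recent failure events from the list. It assumes an elevated session and the English subcategory name; the 24-hour window is an arbitrary choice.

```powershell
# Subcategory name as shown on this page (localized systems print a different name).
$Subcategory = 'Directory Service Access'

# Recommendations from the table, keyed by Win32_OperatingSystem.ProductType
# (1 = workstation, 2 = domain controller, 3 = member server).
$Recommended = @{ 1 = 'No Auditing'; 2 = 'Failure'; 3 = 'No Auditing' }

function Get-DsAccessAuditSetting {
    # auditpol /r emits CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $csv = auditpol.exe /get /subcategory:"$Subcategory" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit $LASTEXITCODE); run from an elevated session."
    }
    $row = $csv | Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    return $row.'Inclusion Setting'
}

$productType = [int](Get-CimInstance Win32_OperatingSystem).ProductType
$want = $Recommended[$productType]
$have = Get-DsAccessAuditSetting

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    ProductType = $productType
    Current     = $have
    Recommended = $want
    Compliant   = ($have -eq $want)
}

if ($productType -eq 2) {
    # 0x10000000000000 is the Audit Failure keyword in the Security log.
    $failed = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662, 4661
        Keywords  = 0x10000000000000
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    "Failed 4662/4661 events in the last 24 hours: $(@($failed).Count)"
}

# To apply the domain controller recommendation locally, uncomment the next line.
# A domain Group Policy that defines this subcategory overrides the local value.
# auditpol.exe /set /subcategory:"$Subcategory" /success:disable /failure:enable
```

A count of zero on a domain controller with Failure auditing enabled can simply mean that no audited object has a SACL entry matching the failed access, which is why the table's comment pairs this setting with a SACL design.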