DS Auditing in Windows Server 2008
Directory Services auditing has been available since Windows 2000. In Windows Server 2008, DS Auditing has changed and offers some new functionality. In previous versions of Windows, there was a single DS Auditing category, and all changes (Add/Delete/Modify) were logged under that one category. Windows Server 2008 includes four DS Auditing categories, as listed below:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
You can enable or disable each category using the new command-line tool (Auditpol.exe) supplied with Windows Server 2008 Active Directory Domain. Run Auditpol.exe /? to list the switches.
Please note the following improvements with DS Auditing:
- New Event IDs (Create-5137, Modify-5136, Move-5139, 5138).
- Audit settings are now stored locally in the LSA.
- Global Audit Policy is enabled by default.
- Old values are now logged as well.
- A new command-line tool supports enabling/disabling auditing categories.
- Setting the 9th bit of an attribute's SearchFlags (value 256) stops changes to that attribute from being logged.
- If you upgrade with auditing off, you must enable auditing in Windows Server 2008.
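
Example added here (not from the original article): a PowerShell check for the Auditpol.exe step and the post-upgrade case described above. It reads the four subcategories from the "DS Access" audit category and turns on success auditing for any subcategory named in $Enable that is currently off. The $Enable parameter and its default, PowerShell 2.0 or later, an elevated prompt and English setting names are assumptions.

```powershell
# Added example: report the four DS auditing subcategories and enable the
# ones that should be on but are not (e.g. after an upgrade with auditing off).
# Assumptions: elevated prompt, PowerShell 2.0+, English auditpol output.
param(
    # Hypothetical parameter: subcategories that must audit success events.
    # Default is the subcategory that emits the 5136-5139 change events.
    [string[]]$Enable = @('Directory Service Changes')
)

$subcategories = @(
    'Directory Service Access',
    'Directory Service Changes',
    'Directory Service Replication',
    'Detailed Directory Service Replication'
)

function Get-DsAuditState {
    # /r prints the policy as CSV; drop blank lines before parsing.
    $csv = & auditpol.exe /get /category:"DS Access" /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed (exit code $LASTEXITCODE)" }
    $csv | ConvertFrom-Csv |
        Where-Object { $subcategories -contains $_.Subcategory } |
        Select-Object Subcategory,
                      @{ n = 'Guid';    e = { $_.'Subcategory GUID' } },
                      @{ n = 'Setting'; e = { $_.'Inclusion Setting' } }
}

foreach ($row in Get-DsAuditState) {
    # Setting is "No Auditing", "Success", "Failure" or "Success and Failure".
    $auditsSuccess = $row.Setting -match 'Success'
    if (($Enable -contains $row.Subcategory) -and -not $auditsSuccess) {
        Write-Host "Enabling success auditing: $($row.Subcategory)"
        # Address the subcategory by GUID so no quoting of spaces is needed.
        & auditpol.exe /set "/subcategory:$($row.Guid)" /success:enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol /set failed for $($row.Subcategory)"
        }
    }
}

# Final state of all four subcategories, re-read after any changes.
Get-DsAuditState | Format-Table Subcategory, Setting -AutoSize
```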