Audit Directory Service Access

Applies to

  • Windows 10
  • Windows Server 2016

Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.

Event volume: High on servers running AD DS role services.

This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No Yes No Yes It is better to track changes to Active Directory objects through the Audit Directory Service Changes subcategory. However, Audit Directory Service Changes doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
Member Server No No No No This subcategory makes sense only on domain controllers.
Workstation No No No No This subcategory makes sense only on domain controllers.

Events List:

  • 4662(S, F): An operation was performed on an object.

  • 4661(S, F): A handle to an object was requested.