Audit Directory Service Access
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Event volume: High on servers running AD DS role services.
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
|Computer Type||General Success||General Failure||Stronger Success||Stronger Failure||Comments|
|Domain Controller||No||Yes||No||Yes||It is better to track changes to Active Directory objects through the Audit Directory Service Changes subcategory. However, Audit Directory Service Changes doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the Security Monitoring Recommendations sections. Also, develop an Active Directory auditing policy (SACL design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
|Member Server||No||No||No||No||This subcategory makes sense only on domain controllers.|
|Workstation||No||No||No||No||This subcategory makes sense only on domain controllers.|