Another important change to Active Directory, available on domain controllers running Windows Server 2008 or Windows Server 2008 R2, is auditing of changes made to Active Directory objects. Previously, it was difficult to tell what had changed: a Windows Server 2003 domain controller could record that an object had been accessed (Event ID 566), but not which attribute changed or what its old and new values were. Windows Server 2008 RTM/R2 adds the Directory Service Changes audit subcategory, which allows administrators to determine when AD objects were created, modified, moved, undeleted, or deleted, and for attribute modifications records the values that were removed and added.
To enable AD object auditing on a Windows Server 2008 RTM/R2 domain controller, perform the following steps:
1. From a member server or domain controller, click Start, All Programs, Administrative Tools, Group Policy Management.
2. Navigate to
3. Click Edit.
4. In the GPO window, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Audit Policy.
5. Under the Audit Policy setting, right-click on Audit Directory Service Access, and click Properties.
6. Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 4.15.
7. Click OK to save the settings.
If the GPO is linked to the Domain Controllers OU (as the Default Domain Controllers Policy is), AD DS auditing is subsequently turned on for every DC in the domain. The events are written to each DC's Security log as Event ID 5136, 5137, 5138, 5139, or 5141, depending on whether the operation was a modify, create, undelete, move, or delete, respectively. Two caveats apply. First, an event is logged only if the object, or a parent it inherits from, carries a SACL entry that audits the write; the default SACL on the domain partition audits many common writes, but objects with customized auditing settings should have their SACLs checked. Second, the legacy Audit Directory Service Access policy enables all four DS Access subcategories (Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication), so the Security log also fills with replication events. To capture only the change events, enable the Directory Service Changes subcategory alone, either with auditpol.exe on each DC or, on Windows Server 2008 R2, through Advanced Audit Policy Configuration in the GPO.
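The following PowerShell session is an added example, not from the book or from Microsoft's documentation. It assumes an elevated session on a Windows Server 2008 R2 domain controller and an arbitrary 24-hour look-back window. It enables only the Directory Service Changes subcategory with auditpol.exe, shows the effective policy for the DS Access category, and then reads the resulting Event IDs 5136 through 5141 out of the local Security log with Get-WinEvent, flattening the fields an analyst wants (who changed what, on which object).

```powershell
# Added example (not from the book). Run in an elevated PowerShell session on a
# Windows Server 2008 R2 domain controller. It enables only the Directory Service
# Changes subcategory, shows the effective policy, and reads the resulting events.

# 1. Turn on Success auditing for the one subcategory that produces 5136-5141.
#    Failure auditing adds nothing here: a failed write is not a change.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:disable

# 2. Show the effective per-subcategory policy for the DS Access category, so you
#    can confirm that the two Replication subcategories are still off.
auditpol.exe /get /category:"DS Access"

# 3. Event ID to operation, as listed in the text.
$operations = @{
    5136 = 'Modified'
    5137 = 'Created'
    5138 = 'Undeleted'
    5139 = 'Moved'
    5141 = 'Deleted'
}

# 4. Pull the change events from the last 24 hours (an assumed window) out of the
#    local Security log and flatten the useful EventData fields.
$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139, 5141
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData fields are named in the event XML. 5136 carries the attribute name
    # and value; 5139 carries OldObjectDN/NewObjectDN instead of ObjectDN.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $object = $data['ObjectDN']
    if (-not $object) { $object = "$($data['OldObjectDN']) -> $($data['NewObjectDN'])" }
    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Operation = $operations[[int]$_.Id]
        Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $object
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
    }
} | Select-Object Time, Operation, Subject, Object, Attribute, Value | Format-Table -AutoSize
```

A single attribute modification normally shows up as two 5136 events, one for the value removed and one for the value added (the OperationType field in the event XML distinguishes them), so the old and new values appear as consecutive rows. If the query returns nothing after a test change, check the object's SACL before suspecting the policy: the policy only decides whether the subcategory is active, and the SACL decides which writes on which objects are actually audited.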