Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy\u00a0<\/p>
-> Enable Audit Directory Access Service<\/p>
Server 2008 or Above<\/strong><\/p> Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Audit: Force audit policy subcategory settings<\/p> Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->DS Access<\/p> \u00a0<\/p> <\/p> Target OU or Whole Domain<\/strong><\/p> Right-click on where you want to enable Auditing and bring up the properties.\u00a0 Under Extensions you will see the Security tab.\u00a0 From there select Advanced and then choose the Auditing tab.\u00a0 If you want to be comprehensive, I would select the Everyone security principal, set Type to Success and Applies to: This object and all descendant objects.\u00a0 For the permissions, again if you want to be comprehensive, set the following:<\/p> Open Event viewer and filter Security log to find event id\u2019s (Windows Server 2003\/2008-2012): <\/strong> Edit the Group Policy that is applying to your domain controllersServer 2003Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy\u00a0-> Enable Audit Directory Access ServiceServer 2008 or AboveComputer Configuration->Policies->Windows Settings->Security […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[750,2065,2067,2068,1677,2069,2066],"class_list":["post-2704","post","type-post","status-publish","format-standard","hentry","category-research","tag-active-directory","tag-ad-audit","tag-auditing","tag-changes-to-ad","tag-domain-controller","tag-ds-audit","tag-ou"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"14\"](\"http:\/\/www.open-a-socket.com\/wp-content\/uploads\/2014\/07\/14.jpg\")
<\/p>
– 631, 635, 648, 653, 658, 663\/4727, 4731, 4754 , 4759, 4744, 4749 \u2013 Group created
– 632, 636, 650, 655, 660, 665\/4728, 4732, 4756 , 4761, 4746, 4751 \u2013 Member added to a group
– 633, 637, 651, 656, 661, 666\/4729, 4733, 4757, 4762, 4747, 4752 \u2013 Member removed from a group
– 634, 638, 652, 662, 667, 657\/4730, 4734, 4758, 4748, 4753, 4763 \u2013 Group deleted
– 639, 641, 649, 654, 659, 664\/4735, 4737, 4745, 4750, 4755, 4760 \u2013 Group changed
– 566\/4662 – An operation was performed on an object(OU Changes) (Type: Directory Service Access).<\/p>","protected":false},"excerpt":{"rendered":"