ADLDS Auditing for group membership changes

  • 269 Views
  • Last Post 11 October 2016
BrianB posted this 04 October 2016

All,

I have been racking my brain trying to figure out how to audit AD LDS group membership changes and LDAP queries, to no avail. I am asking for your help or a nudge in the right direction.

Is there a way to audit group membership in AD LDS?

I would like to audit specific groups/roles that I created and ACL'ed in AD LDS that grant members the ability to view confidential attributes. All I want to do is audit the membership changes of the group and have SCOM alert my team via email and possibly open a paging event to the on-call staff member. This is part of an overall strategy to secure the service and privileged accounts/groups.

I have been using the article on the Ask the Directory Services Team blog, "One stop Audit shop for ADAM and ADLDS". In the article it states that the only auditing that can be enabled is Directory Service Access and Account Logon Events. So, I enabled those via GPO and then went to work with the Auditpol command line tool to set up the subcategories that were added in 2008 R2. I have enabled Success and Failure for all available subcategories. I then used LDP.exe to create a SACL on one specific group to audit everything, Success and Failure.

I modified the group membership and still nothing. I only ask because in the same article, the author makes a comment that she can audit password changes and resets by enabling the SACL for that. It stands to reason then – at least in my mind – that I should also be able to audit changes in group membership.

The only other way I can figure to have the monitoring I want is to use an AD security group and add it to the Foreign Security Principals in AD LDS so that I can add the AD group to the local AD LDS group that I granted permission to the confidential attributes for. I can then enable all the monitoring that I want in AD for that security group. It just seems a little convoluted, but may work.

Please offer your opinions, suggestions, corrections.

Thanks in advance.

Brian Britt
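As an added example (not part of Brian's post, and not from the article he cites), the following PowerShell does the two things his approach needs scripted rather than clicked through in LDP.exe: it places a SACL audit entry on an AD LDS group so that writes to it (including changes to the member attribute) are recorded under Directory Service Access, and then pulls the resulting 4662 events from the Security log for a first look before wiring anything into SCOM. The instance address, port, group DN and the 4662 property index used for the subject name are assumptions chosen for illustration; the account running it needs rights to write the SACL on the AD LDS object and to read the server's Security log.

```powershell
# Added example, not from the original post. Constructed assumptions:
#   - AD LDS instance listening on ldshost.example.internal:50000
#   - group to audit: CN=ConfidentialReaders,OU=Roles,DC=app,DC=internal
#   - the caller can write SACLs on that object and read the Security log
Add-Type -AssemblyName System.DirectoryServices

$instance = 'ldshost.example.internal:50000'
$groupDn  = 'CN=ConfidentialReaders,OU=Roles,DC=app,DC=internal'

# Bind to the group and request the SACL part of its security descriptor;
# without this mask the audit rules are neither read nor written.
$group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$instance/$groupDn")
$group.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

# Audit rule: log success and failure of any property write on the object by
# any principal (Everyone, S-1-1-0). A membership change is a write to 'member'.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$group.ObjectSecurity.AddAuditRule($rule)
$group.CommitChanges()

# Read the SACL back so the change can be verified before testing.
$group.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags

# After making a test membership change, look for Directory Service Access
# events (ID 4662, "an operation was performed on an object") on the AD LDS
# server that name the group. Property index 1 = SubjectUserName is assumed
# from the 4662 event schema; the message match is by DN and may need to be
# changed to the object GUID depending on how your events are rendered.
Get-WinEvent -ComputerName 'ldshost.example.internal' `
             -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 500 |
    Where-Object { $_.Message -like "*$groupDn*" } |
    Select-Object TimeCreated, Id, @{ n = 'Who'; e = { $_.Properties[1].Value } }
```

If the SACL is visible on read-back but no 4662 events appear after a test change, the gap is on the policy side (the subcategory is not effective on the server), not on the object, which is a useful way to split the two halves of the problem Brian describes.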

Tony posted this 11 October 2016

Hi Brian

How did your PoC go?

Tony

BrianB posted this 04 October 2016

Tony,

Thanks for replying. The article that I am referencing in the post states that AD LDS auditing can only make use of the Directory Service Access and Account Logon Events. I enabled those in the GPO and then used auditpol to enable the subcategories. I have tried to enable all subcategories via GPO and then updated GP. I ran `auditpol /get /category:*` to view the settings on all categories and they were unchanged even after updating GP on the machine. Once I ran the auditpol command on the server, they seemed to apply the settings.

It's very likely that I cannot get anything to show in the available categories about group membership changes or administration. I am just wondering how the author is able to audit password updates and resets given the available categories for AD LDS.

The machine is up to date on all patches. Unless there is a hotfix for 2012 R2 AD LDS, I am unaware of any other patches that need to be applied.

I am going to test the scenario whereby I import a group from AD to the ForeignSecurityPrincipals. I can then add to apply permissions directly on that group – I think. I can then audit and alert on the AD group where full auditing is available. PoC in the works.

Brian Britt

TonyFE posted this 04 October 2016

Hi Brian

You shouldn't need to break out Auditpol. The subcategories should be visible within the GPO (assuming it is later than 2008). You can enable the use of subcategories using Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Audit: Force audit policy subcategory settings.

More info here:

http://www.open-a-socket.com/index.php/2014/07/14/how-to-enable-active-directory-auditing/

Having said that, I can't see anything obvious in your post below that would indicate a problem. The only thing I can think of is that there is a bug with the RTM version of 2012 R2 that prevented directory service changes from being audited. Assuming your machine is patched you should be good.

Tony
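The policy setting Tony names decides whether Brian's per-subcategory auditpol changes are honoured at all or silently overridden by the legacy category policy, which would explain why Brian saw the GPO-pushed settings not take effect. As an added example (not part of Tony's reply or the linked article), this PowerShell applies the equivalent of that setting locally, enables the two DS Access subcategories the thread discusses, and reads the effective policy back so the result can be checked. The registry value it sets is the one the "Audit: Force audit policy subcategory settings" policy writes; the subcategory names are the ones auditpol expects. Run it elevated on the AD LDS server; a domain GPO will still reapply its own values at the next refresh, so the GPO path in Tony's post is where the setting should live permanently.

```powershell
# Added example, not from the original post. Run elevated on the AD LDS server.
# Assumes Windows Server 2008 or later, where audit subcategories exist.

# 1. Honour subcategory settings instead of the legacy nine categories. This is
#    the registry value behind "Audit: Force audit policy subcategory settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Enable the subcategories the thread is relying on. The cited article says
#    only Directory Service Access (and Account Logon) is effective for AD LDS;
#    Directory Service Changes is included so its state is visible in step 3.
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 3. Read the effective policy back. Both lines should report
#    "Success and Failure"; "No Auditing" here means the change did not take.
auditpol /get /category:"DS Access"

# 4. Record a timestamped copy of the full effective policy, so that a later
#    GPO refresh overwriting it can be recognised by diffing the two files.
$snapshot = Join-Path $env:TEMP ("auditpol-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))
auditpol /get /category:* | Out-File -FilePath $snapshot -Encoding ascii
Write-Host "Effective audit policy saved to $snapshot"
```

If step 3 shows the subcategories enabled but they revert after `gpupdate`, the domain GPO is setting the legacy categories without the force-subcategory option, which matches the behaviour Brian reported.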