All, I have been racking my brain trying to figure out how to audit AD LDS group membership changes and LDAP queries, to no avail. I am asking for your help or a nudge in the right direction. Is there a way to audit group membership in AD LDS? I would like to audit specific groups/roles that I created and ACL'ed in AD LDS that grant members the ability to view confidential attributes. All I want to do is audit the membership changes of the group and have SCOM alert my team via email and possibly open a paging event to the on-call staff member. This is part of an overall strategy to secure the service and privileged accounts/groups.

I have been using the article on the Ask the Directory Services Team blog, "One stop Audit shop for ADAM and ADLDS". In the article it states that the only auditing that can be enabled is Directory Service Access and Account Logon Events. So, I enabled those via GPO and then went to work with the Auditpol command-line tool to set up the subcategories that were added in 2008 R2. I have enabled Success and Failure for all available subcategories. I then used LDP.exe to create a SACL on one specific group to audit everything, Success and Failure. I modified the group membership and still nothing.

I only ask because in the same article the author comments that she can audit password changes and resets by enabling the SACL for that. It stands to reason then, at least in my mind, that I should also be able to audit changes in group membership.

The only other way I can figure to get the monitoring I want is to use an AD security group and add it to the Foreign Security Principals in AD LDS, so that I can add the AD group to the local AD LDS group that I granted permission to the confidential attributes. I can then enable all the monitoring I want in AD for that security group. It just seems a little convoluted, but it may work.

Please offer your opinions, suggestions, or corrections. Thanks in advance.

Brian Britt
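For readers following the same approach, here is an added PowerShell example (not from the original post or the blog article) that does from script what the poster did with LDP.exe and auditpol: it places a Success/Failure WriteProperty audit entry on one AD LDS group, then pulls Directory Service Access events (event ID 4662) from the instance host's Security log that mention that group's DN. The host, port and group DN are placeholders; the script assumes it runs on the AD LDS host under an account holding SeSecurityPrivilege (needed to write a SACL).

```powershell
# Added example, not the original poster's script. Placeholders below must be
# replaced with the real AD LDS instance and group.
Add-Type -AssemblyName System.DirectoryServices

$LdsPath = 'LDAP://ldshost:50000/CN=ConfidentialReaders,OU=Roles,DC=app,DC=local'  # placeholder
$GroupDn = 'CN=ConfidentialReaders,OU=Roles,DC=app,DC=local'                        # placeholder

# 1. Put a SACL entry on the group: audit successful and failed property writes
#    (membership changes are writes to the "member" attribute) by anyone.
$de = New-Object System.DirectoryServices.DirectoryEntry($LdsPath)
$de.AuthenticationType = [System.DirectoryServices.AuthenticationTypes]::Secure
# Ask for only the SACL part of the security descriptor so CommitChanges writes it.
$de.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$flags = [System.Security.AccessControl.AuditFlags]::Success -bor `
         [System.Security.AccessControl.AuditFlags]::Failure
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $flags)
$de.ObjectSecurity.AddAuditRule($rule)
$de.CommitChanges()

# 2. Collect 4662 (Directory Service Access) events that reference the group DN.
#    This is the query a SCOM rule or scheduled task would run to raise the alert.
function Get-LdsGroupAuditEvents {
    param([string]$ObjectDn, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ObjectDn) } |
        ForEach-Object {
            $subject = ($_.Message -split "`n" |
                Where-Object { $_ -match 'Account Name:' } | Select-Object -First 1).Trim()
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = $subject
                Result  = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            }
        }
}

Get-LdsGroupAuditEvents -ObjectDn $GroupDn | Format-Table -AutoSize
```

The Auditpol subcategory for Directory Service Access must already be enabled on the AD LDS host, as the poster did via GPO and auditpol, or no 4662 events will be written regardless of the SACL.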