Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Tuesday, January 11, 2011

Set Directory Access Changes through Group Policy

 

Directory Access Changes allows your servers to record (when possible) both the old and the new values of an object after a change.  This means that if a value was incorrectly changed, the old value may be record in your audit log.  To configure this, you would have to log into each server and type:

Auditpol /set /subcategory:”Directory Service Changes” /Success:Enable

For one or two servers, this is OK.  For hundreds, this is a problem.  You can utilize Group Policy to configure this on each of your servers/clients.

Either create a new GPO, or use an existing one that is scoped to your requirements.

Expand Computer Configuration \ Policies \ Windows Settings \ Advanced Audit Policy Configuration \ Audit Policies \ DS Access

Double click Audit Directory Service Changes.

Check Configure the following audit events.

Check Success and/or Failure

Click OK.

image

Once this policy is applied and your clients/servers refresh their Group Policies, you can test this GPO.

On a client/server that had this policy applied, click Start.  Type cmd and press Enter.

Type auditpol /get /subcategory:”Directory Service Changes” and press Enter.

You should see the configuration that you set.

image

No comments: