70-640 TK (Auditing question)

Dracula28 · June 2012

On page 374 the 640 TK (Second edition) says,

"As an example, if you want to monitor changes to the membership of a security-sensitive group such as Domain Admins, you can enable the Audit Directory Service Access policy to audit Success events."

But isn't the Audit Account Managment policy already monitoring sucessful changes to membership of all groups, by default? Shouldn't they rather have just said that the Account Management policy does that by default, but to see the previous and current value you need to enable Directory Service Changes policy.

That wording just got me confused on the difference between Account Managment and Directory Service Access policies.

(I understand that the Directory Service Changes policy, which is being talked about on that page, enabled with Auditpol lets you see previous and current values, so thats not in question here.)

Dracula28 · June 2012

Ok, the training kit might do a decent job at explaining the concept of Directory Service Changes, but it should definitely have used another example rather than changes of group membership to explain it. Because if I make a change to group membership, the event created by the Directory Service Acess policy might not show me the exact change that was made, but the event created by Audit Account Managment policy clearly shows me which member I have removed or added, in the Security log.

Now I understand that Directory Service Access policy can audit far more changes than the Account Managment one, because it also audits changes in properties and such, but still in the case of group membership changes, Account Management policy clearly spill the beans.

Dracula28 · June 2012

A question about Advanced Audit Policy, was it introduced in R2/7 or in 2008/Vista?

70-640 TK (Auditing question)

Comments