For reports such as,
To configure a SACL you must be a member of the "Domain Admins" or "Enterprise Admins" group in Active Directory, or you must have been delegated the appropriate authority. Note that setting a SACL only records who has which audit entries; the corresponding Directory Service audit subcategory must also be enabled on the domain controllers for events to be generated.
This page describes how to configure SACLs for AD objects:
1. Open "Active Directory Users and Computers" (click "Start" -> "Control Panel" -> double-click "Administrative Tools" -> double-click "Active Directory Users and Computers").
2. On the "View" menu, ensure "Advanced Features" is selected. Without it, the "Security" tab and the advanced security settings are not shown for objects in Active Directory Users and Computers.
3. In the console tree, right-click the domain.
4. Click "Properties", and then click the "Security" tab.
5. Click "Advanced" to open the "Advanced Security Settings" window for the domain.
6. Click the "Auditing" tab, click "Add", select the security principal the auditing entries should apply to (in our case "Everyone") and click "OK".
7. This opens the "Auditing Entry" window for the domain. Add the entries listed below.
Configuring SACL for groupPolicyContainer Objects
| Auditing Entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
|  |  | This object and all child objects | This object and all descendant objects |
|  |  | Organizational Unit objects | Descendant Organizational Unit objects |
|  |  | This object and all child objects | This object and all descendant objects |
|  |  | groupPolicyContainer objects | Descendant groupPolicyContainer objects |
|  |  | User objects | Descendant User objects |
|  |  | Group objects | Descendant Group objects |
|  |  | Computer objects | Descendant Computer objects |
|  |  | Contact objects | Descendant Contact objects |
1. Auditing entries for all Containers
Steps to configure SACL- Containers
1. Open the Run prompt (Windows+R), type adsiedit.msc and press Enter.
2. Right-click "ADSI Edit" and select "Connect to...".
3. Under Connection Point, choose "Select a well known Naming Context" and select "Default naming context".
4. Click "Default naming context" in the left pane.
5. Right-click the domain's distinguished name and select Properties -> Security.
6. Click "Advanced" and select the "Auditing" tab.
7. Add the auditing entry listed below.
| Auditing Entry | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
| Container |  | Container objects | Descendant Container objects |
2. Auditing entries for all Password Settings objects
Steps to configure SACL- Password Setting objects
1. Open the Run prompt (Windows+R), type adsiedit.msc and press Enter.
2. Right-click "ADSI Edit" and select "Connect to...".
3. Under Connection Point, choose "Select a well known Naming Context" and select "Default naming context".
4. Click "Default naming context" in the left pane.
5. Expand the domain, then expand the "System" container.
6. Right-click "Password Settings Container" and click "Properties".
7. On the "Security" tab click "Advanced", select the "Auditing" tab and click "Add".
| Object to set SACL on | CN=Password Settings Container,CN=System,<Default Naming Context> |
| --- | --- |
| Auditing entries to be applied on | Everyone |
| Type | Successful |

| Auditing Entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
|  |  | Not Applicable | This object and all descendant objects |
|  |  | Not Applicable | Descendant msDS-PasswordSettings objects |
Steps to configure SACL- Configuration/Schema
1. Open the Run prompt (Windows+R), type adsiedit.msc and press Enter.
2. Right-click "ADSI Edit" and select "Connect to...". Under Connection Point, choose "Select a well known Naming Context" and select "Configuration" (or "Schema" for the schema SACL).
3. Double-click "Configuration" (or "Schema") in the left pane.
4. Right-click the Configuration context (or Schema context) and select Properties -> Security.
5. Click "Advanced" and select the "Auditing" tab.
6. Add the auditing entries listed below.
3. Auditing Entries for AD Configuration objects
| Object to set SACL on | Configuration Context |
| --- | --- |
| Auditing entries to be applied on | Everyone |
| Type | Successful |

| Auditing Entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
| Configuration |  | This object and all child objects | This object and all descendant objects |
4. Auditing Entries for AD Schema objects
| Object to set SACL on | Schema Context |
| --- | --- |
| Auditing entries to be applied on | Everyone |
| Type | Successful |

| Auditing Entry for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
| Schema |  | This object and all child objects | This object and all descendant objects |
5. Auditing Entries for AD DNS objects
Steps to configure SACL- DNS Objects
1. Right-click "ADSI Edit" and select "Connect to...".
2. Under Connection Point, choose "Select or type a Distinguished Name or Naming Context" and type the partition to audit. DNS data lives in three partitions, and the SACL must be set in each one:
   - DC=adap,DC=internal,DC=com (the domain partition; this one is generally loaded in ADSI Edit by default)
   - DC=DomainDNSZones,DC=adap,DC=internal,DC=com
   - DC=ForestDNSZones,DC=adap,DC=internal,DC=com
3. Double-click the naming context you just connected to in the left pane.
4. Right-click the "MicrosoftDNS" container (in the domain partition it is under CN=System) and select Properties -> Security.
5. Click "Advanced" and select the "Auditing" tab.
6. Add the auditing entries listed below.
| Auditing Entries for | Access | Apply onto (Windows Server 2003) | Apply onto (Windows Server 2008 and above) |
| --- | --- | --- | --- |
| DNS Zones |  | This object and all child objects | This object and all descendant objects |
|  |  | DNS Zone objects | Descendant DNS Zone objects |
| DNS Nodes |  | This object and all child objects | Descendant DNS Zone objects |
|  |  | DNS Node objects | Descendant DNS Node objects |
Note: Repeat these steps for each of the remaining two DNS partitions (DomainDNSZones and ForestDNSZones), connecting to each one in ADSI Edit in turn; the MicrosoftDNS container in every partition needs its own SACL.
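The same SACL entries can be applied without clicking through the ADUC and ADSI Edit dialogs. The following is an added example (not code from the original page or the product it documents) that scripts the "Everyone / Successful" entries from all of the tables above: the domain root (groupPolicyContainer and Container tables), the Password Settings Container, the Configuration and Schema contexts, and the MicrosoftDNS containers. It assumes the ActiveDirectory PowerShell module and its AD: drive are available, that you run it with Domain Admin or Enterprise Admin rights, and, because the Access column on this page is blank, it takes a guessed set of "change" rights in $Rights that you should replace with the rights your reports actually need. The names Add-AdAuditEntry, Get-SchemaClassGuid and Get-AdAuditEntry are this example's own.

```powershell
# Added example: script the page's "Everyone / Successful" auditing entries.
# ASSUMPTIONS (not on the page): ActiveDirectory module + AD: drive present, run as
# Domain/Enterprise Admin, and the $Rights default is a guess (page's Access column is blank).
Import-Module ActiveDirectory

$RootDse  = Get-ADRootDSE
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known Everyone SID

# Resolve an LDAP class name (e.g. groupPolicyContainer) to its schemaIDGUID. An ACE that
# "applies onto Descendant <class> objects" carries this GUID as its InheritedObjectType.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$cls.schemaIDGUID
}

# Add one Success audit ACE for Everyone to an object's SACL.
#   -InheritedClass omitted  => "This object and all descendant objects"
#   -InheritedClass <class>  => "Descendant <class> objects"
function Add-AdAuditEntry {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$InheritedClass,
        # ASSUMPTION: adjust to the rights your reports need; the page does not list them.
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'CreateChild, DeleteChild, WriteProperty, Delete, WriteDacl, WriteOwner'
    )
    $path    = "AD:\$DistinguishedName"
    $acl     = Get-Acl -Path $path -Audit          # -Audit reads the SACL as well as the DACL
    $success = [System.Security.AccessControl.AuditFlags]::Success
    if ($InheritedClass) {
        $ctorArgs = @($Everyone, $Rights, $success,
                      [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                      (Get-SchemaClassGuid $InheritedClass))
    } else {
        $ctorArgs = @($Everyone, $Rights, $success,
                      [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    }
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ctorArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Read back the explicit (non-inherited) SACL entries to confirm what was written.
function Get-AdAuditEntry {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType
}

# --- Apply the page's tables ("Windows Server 2008 and above" column) ---
$Domain     = (Get-ADDomain).DistinguishedName                                  # e.g. DC=adap,DC=internal,DC=com
$ForestRoot = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# Domain root: groupPolicyContainer table plus the Containers table
foreach ($cls in $null, 'organizationalUnit', 'groupPolicyContainer', 'user', 'group', 'computer', 'contact', 'container') {
    Add-AdAuditEntry -DistinguishedName $Domain -InheritedClass $cls
}

# Password Settings Container (fine-grained password policy; Windows Server 2008 and above only)
$Psc = "CN=Password Settings Container,CN=System,$Domain"
Add-AdAuditEntry -DistinguishedName $Psc
Add-AdAuditEntry -DistinguishedName $Psc -InheritedClass 'msDS-PasswordSettings'

# Configuration and Schema contexts: this object and all descendant objects
Add-AdAuditEntry -DistinguishedName $RootDse.configurationNamingContext
Add-AdAuditEntry -DistinguishedName $RootDse.schemaNamingContext

# DNS: MicrosoftDNS container in the domain partition and in both DNS application partitions
# (ForestDnsZones hangs off the forest root domain, which differs from $Domain in a child domain)
$DnsContainers = "CN=MicrosoftDNS,CN=System,$Domain",
                 "CN=MicrosoftDNS,DC=DomainDnsZones,$Domain",
                 "CN=MicrosoftDNS,DC=ForestDnsZones,$ForestRoot"
foreach ($dn in $DnsContainers) {
    foreach ($cls in $null, 'dnsZone', 'dnsNode') {
        Add-AdAuditEntry -DistinguishedName $dn -InheritedClass $cls
    }
}

Get-AdAuditEntry -DistinguishedName $Domain | Format-Table -AutoSize
```

Two things to check after running it. First, Get-Acl -Audit and Set-Acl on a SACL need SeSecurityPrivilege, which Domain Admins hold on a domain controller; a delegated account without it gets an access-denied error even though it can write the DACL. Second, the SACL alone produces no events: enable the subcategory on the domain controllers (for example `auditpol /set /subcategory:"Directory Service Changes" /success:enable`, which matches the "Successful" type used throughout this page) and then confirm entries with Get-AdAuditEntry rather than trusting the script ran without error.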