Configuring SACL for AD Objects

---

For reports such as,

1. GPO/OU
2. Extended Attributes changes and
   
3. Permission changes
   

In addition to the settings in "Default Domain Controllers Policy", SACL's must be configured for the respective AD objects. This document will guide you through the steps to configure SACL.

To configure SACL, you must be a member of the "Domain Admins" group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.  

In this page we will discuss how to configure SACL's for AD objects:

1. Use "Active Directory Users and Computers"(dsa.msc) to configure.
   

1. OU
   

2. GPO

3. Users

4. Groups

5. Computers

6. Contacts

2. Use "ADSIEDIT"(adsiedit.msc) to configure.
   

1. Containers

2. Password Setting Objects

3. Configuration

4. Schema

5. DNS Objects

---

1. Steps to configure SACL- OU/GPO/Users/Groups/Computers/Contacts

1. Open "Active Directory Users and Computers".  

1. (Click "Start" -> Click "Control Panel" -> double-click "Administrative Tools"   and then -> double-click "Active Directory Users and Computers ")

2. Ensure that View -> "Advanced Features" are selected from the drop down. This will display the Advanced Security settings for selected objects in the Active Directory Users and Computers.

3. In the console tree, right-click the "domain"

4. Click "Properties", and then click the "Security" tab.

5. Click "Advanced" to open the Window to enter "Advanced Security Settings for the Domain"

6. Click on the "Auditing Tab" and Click "Add" to add new security principal you want to apply the security policy (In our case it is "Everyone")   and click on OK

7. This opens the window to select "Auditing Entry for the Domain"

Configuring SACL for groupPolicyContainer Objects

top

As explained above for "groupPolicyContainer" objects, please follow the same for rest of the objects.

Table that details the "Access" and "Apply onto" for the various Active Directory Objects.

Auditing Entry for	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
1. OU	Create Organizational Unit objects Delete Organizational Unit objects	This object and all child objects	This object and all descendant objects
	Write All Properties Delete Modify Permissions	Organizational Unit objects	Descendant Organizational Unit objects
2. GPO	Create groupPolicyContainer Objects Delete groupPolicyContainer Objects	This object and all child objects	This object and all descendant objects
	Write All Properties Delete Modify Permissions	groupPolicyContainer objects	Descendant groupPolicyContainer  objects
3. User	Write All Properties Delete Modify Permissions All Extended Rights	User objects	Descendant User objects
4. Group	Write All Properties Delete Modify Permissions All Extended Rights	Group objects	Descendant Group objects
5. Computer	Write All Properties Delete Modify Permissions All Extended Rights	Computer objects	Descendant Computer objects
6. Contact	Write All Properties Delete Modify Permissions	Contact objects	Descendant Contact objects

 

top

Auditing Entry	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
Container	Write All Properties Delete Modify Permissions	Container objects	Descendant Container objects

2. Auditing entries for all Password Setting objects

 Steps to configure SACL- Password Setting objects

1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

2. Right Click on ADSI Edit and select Connect to..

3. Under Connection Point -> Under Select a Well Known Naming Context -> Select 'Default Naming Context'.

4. Click on 'Default naming context'.

5. Expand the Domain

6. Expand the "System" container

7. Right click on the "Password Settings Container" and click on "Properties"

8. Goto 'Security' tab and click on "Advanced"

9. Select "Auditing" tab and click "Add"

Object to set SACL on	CN=Password Settings Container, CN=System,<Default Naming Context>
Auditing entries to be applied on	Everyone
Type	Successful

Auditing Entry for	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
Password Settings Container	Create msDS-PasswordSettings objects Delete msDS-PasswordSetting objects	Not Applicable	This object and all descendant objects
	Write All Properties Delete Modify Permissions	Not Applicable	Descendant msDS-PasswordSettings objects

3. Auditing entries for all Configuration/Schema

  Steps to configure SACL- Configuration/Schema

1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

2. Right Click on ADSI Edit and select Connect to..

3. Under Connection Point -> Under Select a Well Known Naming Context > Select 'Configuration' / 'Schema' (For Schema SACL).

4. Double Click Configuration / Schema on the Left Pane.

5. Right Click the Configuration Context / Schema Context and Select Properties > Security.

6. Click on Advanced and Select the Auditing Tab.

7. Follow the below steps.

---

3. Auditing Entries for AD Configuration objects

Object to set SACL on	Configuration Context
Auditing entries to be applied on	Everyone
Type	Successful

Auditing Entry for	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
Configuration	Create All Child objects Write All Properties Delete All child objects Delete Modify Permissions All Extended Rights	This object and all child objects	This object and all descendant objects

4. Auditing Entries for AD Schema objects

Object to set SACL on	Schema Context
Auditing entries to be applied on	Everyone
Type	Successful

Auditing Entry for	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
Schema	Create All Child objects Write All Properties Delete All child objects Delete Modify Permissions All Extended Rights	This object and all child objects	This object and all descendant objects

---

5. Auditing Entries for AD DNS objects

Steps to configure SACL- DNS Objects

1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

2. Right Click on ADSI Edit and select Connect to..

3. Under Connection Point -> Under Select or type a Distinguished Name or Naming Context,  depending on your Domain name and the partition where the zone is stored, type the Distinguished Name for the partition and click OK:

1. If the zone is stored in default Domain partition, then type DC=adap, DC=internal,DC=com as the Distinguished Name. (This partition is generally loaded in Adsiedit by default).

2. If the zone is stored in DomainDNSZones partition, then type DC=DomainDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.

3. If the zone is stored in ForestDNSZones partition, then type DC=ForestDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.

4. Double Click Default Naming Context on the Left Pane.

5. Right Click the MicrosoftDNS Container and Select Properties > Security.

6. Click on Advanced and Select the Auditing Tab.

7. Follow the below steps.
   

Object to set SACL on	*Default Domain partition, DomainDNSZones partition, ForestDNSZones partition
Auditing entries to be applied on	Everyone
Type	Successful

Auditing Entries for	Access	Apply onto
		Windows Server 2003	Windows Server 2008/Windows Server 2012
DNS Zones	Create DNS Zones objects Delete DNS Zones objects	This object and all child objects	This object and all descendant objects
	Write All Properties Delete Modify Permissions	DNS Zone objects	Descendant DNS Zone objects
DNS Nodes	Create DNS Nodes objects Delete DNS Nodes objects	This object and all child objects	This object and all descendant objects
	Write All Properties Delete Modify Permissions	DNS Node objects	Descendant DNS Node objects

 Note: For both DNS Zones and DNS Nodes- the settings have to be applied according to your domain name and the partition where the Zone is stored.
For DNS Zones- auditing has to be enabled for each zone under the DNS container individually.

---

top