How to track changes to object attributes

Is tracking every change in Active Directory really necessary? It is, because any of them could potentially pose a security threat. Tracking all these changes is the only way to detect troublesome modifications in the network. An attribute change is one such example: it could be something as harmless as a user changing their address, or it could be a malicious user changing the password settings of another user account. However, auditing attribute changes using native AD tools is an impossible task, as the administrator will have to go through thousands of logs to find the ones that indicate a potential security risk.

ADAudit Plus, a comprehensive AD auditing solution, on the other hand, offers over 200 pre-packaged auditing reports on Active Directory objects, including changes to their attributes. It provides information on the user who modified the attribute and shows the original and modified attribute values in adjacent columns. This makes life much easier for administrators, who simply have to generate this report periodically to keep an eye on the attribute changes made in AD.

Here is an article comparing the process of auditing attribute changes using native AD tools and ADAudit Plus. Enabling Audit Policy is the first step in both methods. Here is how to enable it.

  • With ADAudit Plus

  • ADAudit Plus generates reports by picking up and processing information from the Event Viewer. Therefore, Audit Policy must first be configured on the server for ADAudit Plus to create audit reports.

  • Open the ADAudit Plus console and click on the Reports tab. Select User Management and navigate to the Extended Attribute Changes report. This is a comprehensive report that provides all the necessary information in one place. It shows Here is a sample report:

  • Enable Audit Policy
  • Open Server Manager on your Windows server.

  • Under the Manage tab, click on Group Policy Management to open the Group Policy Management Console.

  • Navigate to Forest > Domain > Your Domain > Domain Controllers.

  • You can choose to either edit an existing group policy object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

  • Expand the node and click on DS Access, and then configure Audit Directory Service Changes. Enable it for both Success and Failure.

  • Using native AD tools
  • Use Windows Event Viewer to track the attribute change

  • Windows Event Viewer records changes to any object in the directory that has been set up for auditing. Each event is associated with a unique event ID.

  • To view or access the event logs, open Event Viewer and click on the Windows Logs tab on the left pane. Then select the Security tab to view the relevant event logs in the center pane. Look for event ID 5136, which is triggered when a directory object is modified.

  • Click on the relevant event to get more details about it. The details would include both the original and the modified attribute value of the directory object. Administrators will have to manually check every event one by one to find all the modified object attributes in the directory.
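
The manual review of 5136 events described above can be scripted. The following is an added example, not part of the original article or of ADAudit Plus: it reads Security log events exported as XML under a single root element and joins the "Value Deleted" and "Value Added" 5136 records that Windows typically writes for one modification (matched on OpCorrelationID) into one old/new row per attribute. The sample events, the `SENSITIVE` watch list and the function names are assumptions made for illustration, and single-valued attributes are assumed.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
ADDED, DELETED = "%%14674", "%%14675"  # OperationType: Value Added / Value Deleted
# Assumption: illustrative watch list of attributes that deserve a closer look.
SENSITIVE = {"userAccountControl", "pwdLastSet", "servicePrincipalName"}

def _event(op_id, user, dn, attr, value, op, event_id=5136):
    """Build one constructed event in the Windows event XML schema."""
    fields = {"OpCorrelationID": op_id, "SubjectUserName": user, "ObjectDN": dn,
              "AttributeLDAPDisplayName": attr, "AttributeValue": value,
              "OperationType": op}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample export; every account, DN and value below is made up.
_JANE, _BOB = "CN=Jane Doe,OU=Staff,DC=example,DC=com", "CN=Bob Lee,OU=Staff,DC=example,DC=com"
SAMPLE = "<Events>" + "".join([
    _event("{op-1}", "helpdesk1", _JANE, "streetAddress", "1 Old Road", DELETED),
    _event("{op-1}", "helpdesk1", _JANE, "streetAddress", "2 New Street", ADDED),
    _event("{op-2}", "jsmith", _BOB, "userAccountControl", "512", DELETED),
    _event("{op-2}", "jsmith", _BOB, "userAccountControl", "66048", ADDED),
    _event("{op-3}", "jsmith", _BOB, "description", "temp", ADDED),  # first-time set
    _event("{op-4}", "jsmith", _BOB, "mail", "x", ADDED, event_id=4662),  # not 5136
]) + "</Events>"

def attribute_changes(xml_text):
    """Pair the 'deleted' and 'added' 5136 records of each operation into one row."""
    rows = {}
    for ev in ET.fromstring(xml_text).iter(f"{{{NS}}}Event"):
        if ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID") != "5136":
            continue  # ignore everything except directory object modifications
        d = {x.get("Name"): x.text for x in ev.iter(f"{{{NS}}}Data")}
        key = (d["OpCorrelationID"], d["ObjectDN"], d["AttributeLDAPDisplayName"])
        row = rows.setdefault(key, {"who": d["SubjectUserName"], "object": d["ObjectDN"],
                                    "attribute": key[2], "old": None, "new": None})
        if d["OperationType"] == DELETED:
            row["old"] = d["AttributeValue"]
        elif d["OperationType"] == ADDED:
            row["new"] = d["AttributeValue"]
    for row in rows.values():
        row["sensitive"] = row["attribute"] in SENSITIVE
    return list(rows.values())

if __name__ == "__main__":
    for r in attribute_changes(SAMPLE):
        print(r)
```

A row with `old` set to `None` means the attribute had no previous value; rows flagged `sensitive` are the ones to review first.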


© 2019 Zoho Corp. All rights reserved.