How to track organizational unit (OU) changes in AD

Organizational units (OUs) make it easy for you to manage security policies for a set of AD objects. As an IT admin you can control which OUs carry which permissions. This is why any malicious modification to an OU can topple your AD security infrastructure. Here's how you can detect changes to your OUs in native Active Directory.

You can also see how ADAudit Plus simplifies the process of tracking OU changes.

Tracking OU changes with ADAudit Plus

  • ADAudit Plus simplifies OU management by offering you pre-configured OU management reports:

    1. Recently Created OUs

    2. Recently Deleted OUs

    3. Recently Modified OUs

    4. Recently Moved OUs

    5. OU History

    6. Extended Attribute Changes

  • Here's how you can use ADAudit Plus to retrieve an OU management report in a few easy steps.

    1. Select the Reports Tab and navigate to OU Management. Choose Report.

    2. Select the Domain.

    3. Customize the Period to the desired time range. You can also define a custom period and save it for quick reference.

    4. A detailed audit information report is generated for the selected period.

    5. Clicking an event in the bar graph filters the report view to show only the selected event.

    6. Advanced filter attributes help you locate the specific event that you're looking for.

  • ADAudit Plus gives you a range of filter attributes: Who Created, Modified Time, Message, Permission Changes, Old Value, New value, Time Deleted, Remarks, Who changed, Modified Attributes, Domain Controller, Creation Time, New OU Name, Who deleted, OU Name, New OU Distinguished Name.

  • You can apply the above filters in the reports to filter results accordingly.

Tracking OU audit changes in native AD

Step 1: Set up OU audit

  • Launch Server Manager on your Windows Server.

  • Under 'Tools' navigate to the 'Group Policy Management Console' (GPMC).

  • On the left pane, right click the 'Domain Controllers' node. Choose either the 'Create a new GPO and link it here' option or the 'Link an existing GPO' option, as appropriate.

  • Right click the desired GPO and select 'Edit'. This opens up the 'Group Policy Management Editor'. Expand the node and select the 'Computer Configuration'.

  • You can then select 'Policies' and navigate to 'Windows Settings'. Under 'Windows Settings' select 'Security Settings' and then navigate to 'Advanced Audit Policy Configuration'.

  • In the 'Advanced Audit Policy Configuration' option select 'Audit Policies' and expand the node. Then select 'DS Access' and double click the 'Audit Directory Service Access' option.

  • Configure this policy for both 'Success' and 'Failure'.

  • Also, configure 'Success' and 'Failure' events for 'Audit Directory Service Changes'.

  • Exit the Group Policy Management Editor and return to the GPMC.

  • Go to the 'Domain Controllers' node and select the newly modified GPO. Under the 'Scope' tab on the right pane, you will find the 'Security Filtering' section. Select 'Add'.

  • This opens up the 'Select User, Computer or Group' window. Type 'everyone' in this window to apply this GPO to all objects.

  • You can now return to the GPMC. The group policy also needs to be applied throughout the forest. You can do this by opening 'Run' on your server and executing gpupdate /force. You should receive a notification saying the policy update was successful.

Step 2: Activate AD auditing in ADSI Edit

  • From 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

  • Click 'OK' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

  • Click 'Select a principal'. This brings up the 'Select User, Computer or Group' window. Type 'Everyone' in the textbox and verify it with 'Check Names'.

  • The principal in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit both 'Success' and 'Failure' events.

  • In the 'Applies to' drop-down choose 'This object and all descendant objects'. This enables auditing of the OU's descendant objects as well. Select 'Full Control' in the 'Permissions' section.

  • Click 'Apply', then 'OK', and close the window.

Step 3: Use Event Viewer to track events

  • In 'Event Viewer', look for the following Event IDs under the 'Security' log:

  • Event ID 5141: A directory service object (organizational unit) was deleted.

  • Event ID 5137: A directory service object (organizational unit) was created.

  • Event ID 5139: A directory service object (organizational unit) was moved.

  • Event ID 5136: A directory service object (organizational unit) was modified.

  • Here's an example of an event recorded when an OU was deleted.

  • In this window you can view who made changes to the OU and what changes were made, along with the timestamp of the event.
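The three steps above can also be carried out and verified from PowerShell. The script below is an added example and is not code from the original page or from ManageEngine; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory (RSAT) module installed, and discovers the domain's distinguished name at run time rather than hard-coding one. Test-OuAuditPolicy confirms that the Step 1 GPO has actually applied on the DC, Enable-OuAuditSacl adds the same 'Everyone' / 'All' / 'This object and all descendant objects' auditing entry that Step 2 creates in ADSI Edit, and Get-OuChangeEvents pulls the four Step 3 event IDs from the Security log and keeps only those whose ObjectClass is organizationalUnit (the same IDs also fire for users, groups and other objects). Function names and the -Rights parameter are choices made for this example.

```powershell
# Added example, not from the original page. Assumes: elevated PowerShell on a DC,
# ActiveDirectory module available, domain DN discovered at run time.
Import-Module ActiveDirectory

# Step 1 check: after gpupdate /force, both subcategories should report
# "Success and Failure" on this DC. Run it on every DC; audit policy is per machine.
function Test-OuAuditPolicy {
    auditpol /get /subcategory:"Directory Service Access","Directory Service Changes"
}

# Step 2 equivalent: add an auditing entry for Everyone on the domain root that
# applies to this object and all descendant objects, for Success and Failure.
# -Rights defaults to GenericAll, which is the GUI's 'Full Control'; a narrower set
# such as 'CreateChild,DeleteChild,WriteProperty,Delete' produces far fewer events.
function Enable-OuAuditSacl {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'GenericAll'
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDN" -Audit          # -Audit reads the SACL
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known SID for Everyone
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        $Rights,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
    Write-Host "Auditing entry for Everyone added on $domainDN"
}

# Step 3 equivalent: read events 5136/5137/5139/5141, keep organizationalUnit
# objects only, and flatten EventData into who / what / when rows.
function Get-OuChangeEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $actionNames    = @{ 5136 = 'Modified'; 5137 = 'Created'; 5139 = 'Moved'; 5141 = 'Deleted' }
    $operationNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }  # 5136 OperationType codes

    $events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$actionNames.Keys
        StartTime = $Since
    }

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectClass'] -ne 'organizationalUnit') { continue }

        # 5139 (move) carries OldObjectDN/NewObjectDN instead of ObjectDN.
        $ouDN = if ($data['OldObjectDN']) { $data['OldObjectDN'] } else { $data['ObjectDN'] }
        $operation = $null
        if ($data['OperationType']) { $operation = $operationNames[$data['OperationType']] }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Action    = $actionNames[$e.Id]
            Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            OU        = $ouDN
            NewDN     = $data['NewObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Operation = $operation
            Value     = $data['AttributeValue']
        }
    }
}

# Usage:
#   Test-OuAuditPolicy
#   Enable-OuAuditSacl
#   Get-OuChangeEvents | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: event 5136 is written once per attribute value that changes, so a single OU edit can produce several 'Modified' rows (a 'Value Deleted' followed by a 'Value Added' for the same attribute), and each DC only logs the changes it processed, so run Get-OuChangeEvents against every DC or collect the Security logs centrally before drawing conclusions about who changed what.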


© 2019 Zoho Corp. All rights reserved.