OU Change Auditing

Organizational units (OUs) are containers that administrators use to group accounts together so they can apply group policies, assign permissions, and delegate control collectively. These divisions may mirror the structure of an organization based on geographical boundaries, professional hierarchies, or functional blocks.

Being the most granular administrative unit, OUs allow you to deploy Group Policy settings to the object of your choice and delegate administrative tasks from a single point.

Changes made to OUs should be monitored closely since any slight, unintended tweak could result in drastic consequences. Some instances in which changes made to OUs could end in trouble include when:

• An organization sprawls across cities and branches out into various departments, leading to rampant OU creation.
• OUs are moved or deleted, altering the Group Policy settings applied to the accounts within these OUs.
• OUs are used to pass out authoritative handles and delegate administrative tasks, requiring close inspection of permission changes and elevated rights.

ADAudit Plus reports on OU history, including the following modifications to OUs:

• Recently created OUs
• Recently deleted OUs
• Recently moved OUs
• Recently modified OUs
• Extended attribute changes
• Recently undeleted OUs
• OU history

Recently created OUs:

This report provides information on all the OUs created across your domain, so you can keep an eye on any unwanted additions. This report can be generated for a selected time frame and for specific OUs created by a particular user. It includes information such as:

• Name of the newly created OU
• Who created it
• Where the new OU was created
• When it was created
• Parent object name

Recently deleted OUs:

Although it’s best to keep your domain free of unwanted OUs, wiping out the wrong OU is a nightmare that you don't want to face. You need to know when an OU has been deleted, so you can make sure it's not something to worry about.

This report identifies all the OUs that were deleted in your domain, with details like:

• Name of the deleted OU
• When the deletion occurred
• Who deleted the OU
• Location of the deleted OU

Recently moved OUs:

Rearrangement of institutional architecture is understandable if your organization is growing. However, you still should double-check OU movement and confirm that these changes aren’t unwelcome. Moving an OU from one location to another affects the GPO that’s applied to that OU, modifies object access for the users and groups inside the OU, and changes privileges and permissions.

The Recently Moved OUs report includes:

• The name of the OU that was moved
• The old and new location of the OU
• Who performed the change
• When the OU was moved
• Which machine the change occurred on

Recently modified OUs:

This report lists all the changes made to the OU's attributes. This includes the access control list (ACL) and other basic properties like name, description, and object class. The right mix of information can paint a better picture for investigation in case you need to find the root cause of an issue related to permission changes. The information provided in this report includes:

• The name of the modified OU
• Who modified it
• When it was modified
• What attribute was modified
• Details about the type of change (e.g. OU added or removed)
• Where the modification was made

Extended attribute changes:

If you need more detailed information on any recently modified OUs that caught your attention, this report offers details on the old and new values of the attributes that were changed.

Recently undeleted OUs:

Active Directory lets users restore deleted objects. The Recently Undeleted OUs report documents all the OUs that were recovered this way, along with their new name, location, and the name of the individual who made the restoration.

OU history:

View the entire background of events specific to one or more OUs of interest in the OU History report. This report summarizes all the changes made to that particular OU from the time of creation, including comprehensive information on who did what change and when.

Aside from the intuitive reports on various activities performed on OUs, ADAudit Plus is also armed with alerts that notify you if any worrisome change occurs in your domain’s OUs. These alerts can be sent straight to your inbox or phone to grab your attention in the nick of time.