Changes made to Active Directory Audit Logs starting in Windows Server 2008
I apologize for asking a question on a very old operating system:
A client I work with has Windows Server 2008 R2 and Windows Server 2012 Domain controllers. However they're still operating in a Windows Server 2003 Domain and Forest functional level (yes, this is bad, end of life, and unsupported, and a work in progress to convince them to elevate it).
They're trying to retrieve logs regarding a change to an active directory user account. I know that there were a variety of enhancements done to Event logging starting with Windows Server 2008 to record more info about what attributes were modified, etc, and I'm pretty sure the schema needed to be elevated in order for the eventlog to record these other elements and attributes.
The client I'm working with is looking for documentation to this effect, and I'm having a really hard time finding official documentation from Microsoft regarding the enhancements to the eventlog.
Can anyone confirm that this is the case, or point me in the direction of where these changes are recorded by Microsoft?
Для обнаружения изменений учетной записи пользователя в Active Directory необходимо включить политики аудита в объекте групповой политики безопасности контроллера домена по умолчанию. Включите политику аудита «Аудит управления учетными записями пользователей».
Затем вы можете искать такие события, как создание учетной записи пользователя, удаление учетной записи пользователя или изменение учетной записи и т. Д.
Здесь я нашел информативный пост, который позволяет вам поэтапно записывать изменения, сделанные в Active Directory: https://community.spiceworks.com/how_to/129229-how-to-record-changes-made-in-active-directory
Надеюсь, это поможет!