Monitoring Active Directory Schema Changes

As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes.

First, you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagation of the SACL from the parent, and force propagation to the subtree.

  • Using ADSI Edit, create auditing ACEs in the SACL as follows:
    • Object to set SACL on: Schema (ex: CN=Schema,CN=Configuration,DC=yourdomain,DC=com)
    • Principal: Everyone
      • Type: Success
      • Accesses: Modify Permissions, Modify Owner, Create All Child Objects, Delete, Delete All Child Objects, Delete Subtree
      • Scope: This object only
    • Principal: Everyone
      • Type: Success
      • Accesses: Write All Properties
      • Scope: This container and all child objects
    • Principal: Everyone
      • Type: Success
      • Accesses: Change Schema Master
      • Scope: This object only
    • Principal: Everyone
      • Type: Success
      • Accesses: Reanimate Tombstones
      • Scope: This object only
    • Principal: Administrators
      • Type: Success
      • Accesses: All Extended Rights
      • Scope: This object only
    • Principal: Domain Users
      • Type: Success
      • Accesses: All Extended Rights
      • Scope: This object only

Next, you'll need to enable DS Access auditing in the Default Domain Controllers Policy.

To find schema change events in the log, look for security event 565 or 566, with an object name that contains "CN=Schema".

It's that easy!
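As an added example that is not part of the original post, here is the same setup scripted with PowerShell 2.0 and System.DirectoryServices. It protects the schema head's SACL from inheritance, clears the existing audit entries, adds the six ACEs listed above (looking up the two extended-right GUIDs by display name in the Extended-Rights container rather than hard-coding them), and then filters the Security log for events 565 and 566 whose message mentions CN=Schema. The configuration naming context, the function names and the assumption that the caller holds the "Manage auditing and security log" privilege (SeSecurityPrivilege) on the domain controller are mine, not the post's.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 on a
# domain-joined machine and an account with SeSecurityPrivilege on the DC.
# Edit the configuration naming context for your own forest.
$configNC = 'CN=Configuration,DC=yourdomain,DC=com'   # assumption: placeholder DN

Add-Type -AssemblyName System.DirectoryServices

# Resolve an extended right's rightsGuid from the Extended-Rights container by
# its display name, so no control-access GUID has to be typed by hand.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Extended-Rights,$configNC")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(displayName=$DisplayName)", @('rightsGuid'))
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Extended right '$DisplayName' not found under $configNC" }
    return [Guid]$result.Properties['rightsguid'][0]
}

# Apply the SACL described in the post to the schema head (CN=Schema).
function Set-SchemaAuditing {
    $schema = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Schema,$configNC")
    # Read and write only the SACL part of nTSecurityDescriptor; the owner and
    # DACL are left untouched, so only ACCESS_SYSTEM_SECURITY is needed.
    $schema.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $sec = $schema.ObjectSecurity

    # "Replace any existing SACLs" and "disable propagation from the parent":
    # protect the SACL (dropping inherited entries) and remove the explicit ones.
    $sec.SetAuditRuleProtection($true, $false)
    foreach ($rule in $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        [void]$sec.RemoveAuditRule($rule)
    }

    $everyone = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $admins   = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $domUsers = New-Object System.Security.Principal.NTAccount('Domain Users')   # resolved via LSA at commit time

    $success    = [System.Security.AccessControl.AuditFlags]::Success
    $thisObject = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object only"
    $subtree    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All    # "This container and all child objects"
    $R = [System.DirectoryServices.ActiveDirectoryRights]

    $rules = @(
        # Everyone: Modify Permissions, Modify Owner, Create/Delete All Child Objects, Delete, Delete Subtree
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone,
            ($R::WriteDacl -bor $R::WriteOwner -bor $R::CreateChild -bor $R::DeleteChild -bor $R::Delete -bor $R::DeleteTree),
            $success, $thisObject)),
        # Everyone: Write All Properties, on the schema head and every schema object under it
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $R::WriteProperty, $success, $subtree)),
        # Everyone: Change Schema Master (control-access right, looked up by name)
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $R::ExtendedRight, $success,
            (Get-ExtendedRightGuid 'Change Schema Master'), $thisObject)),
        # Everyone: Reanimate Tombstones (control-access right, looked up by name)
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $R::ExtendedRight, $success,
            (Get-ExtendedRightGuid 'Reanimate Tombstones'), $thisObject)),
        # Administrators and Domain Users: All Extended Rights
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($admins,   $R::ExtendedRight, $success, $thisObject)),
        (New-Object System.DirectoryServices.ActiveDirectoryAuditRule($domUsers, $R::ExtendedRight, $success, $thisObject))
    )
    foreach ($rule in $rules) { $sec.AddAuditRule($rule) }
    $schema.CommitChanges()   # writes the modified SACL back to the directory
}

# Pull the schema-related DS Access events out of the Security log: the post's
# event IDs 565 and 566, restricted to messages that name an object under CN=Schema.
function Get-SchemaChangeEvent {
    param([string]$ComputerName = '.', [int]$Newest = 5000)
    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { ($_.EventID -eq 565 -or $_.EventID -eq 566) -and $_.Message -match 'CN=Schema' }
}

# Usage: apply the SACL once, then check the log on the schema master.
Set-SchemaAuditing
Get-SchemaChangeEvent | Select-Object TimeGenerated, EventID, UserName, Message | Format-List
```

Two caveats. The SACL produces nothing until success auditing for DS Access is enabled in the Default Domain Controllers Policy, exactly as the next step of the post says. And the script only writes the schema head's own SACL; the ACL editor's "replace auditing entries on all descendants" option, which wipes explicit SACLs already present on child schema objects, has no one-line equivalent here, so if child objects carry their own audit entries you still need to clear those separately or keep using ADSI Edit for that part.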

The definitive reference for how to set up auditing in Active Directory, written by my friend & co-worker Arun, is in the following white papers:

Windows 2000 paper: https://www.microsoft.com/windows2000/technologies/directory/AD/AD_SecurityPt1.asp

Windows 2003 paper: https://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

The SACLs described in the 2003 white paper are the defaults for new AD installations (where your AD started on a Windows Server 2003 machine). They are much less noisy than the Windows 2000 SACLs, and are specifically targeted at recording Active Directory configuration changes.

Eric