Active Directory SACL reporting

ManageEngine has stressed the importance of monitoring and alerting on Active Directory changes for years. With this level of monitoring and alerting, you can see and be notified of any key change in Active Directory with an email! That is powerful.

To monitor and alert on Active Directory changes, you need to establish the SACL (system access control list) on Active Directory objects. Ideally, you will configure the SACL at the domain level, which will then be inherited down through the Active Directory structure. Follow this link for details on exactly how to configure the SACL.

Once you’ve configured it, you need to verify that the SACL is correct, to be sure you don’t miss any changes. But how do you do this without a lot of manual effort and time? The answer is quite simple. For example, if your domain name is adsolutions.demo, you’ll run:

Dsacls dc=adsolutions,dc=demo /A

Run this from a command prompt on a domain controller and it will display the SACL and the DACL (discretionary access control list), along with ownership. Figure 1 gives you a simple output.

Figure 1. SACL output for the domain.

Of course, you can also do this for organizational units, groups, and even the schema of Active Directory. Don’t let one more day go by without ensuring your Active Directory is secure and all changes are being tracked!
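
To run the same check across the domain root, the schema, and every organizational unit in one pass, the following PowerShell sketch summarizes each object's SACL and flags objects that have no audit entries or that block SACL inheritance from the domain level. It is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it is allowed to read SACLs, and the function name Get-SaclSummary is hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) and an account allowed to read SACLs on these objects.
Import-Module ActiveDirectory

function Get-SaclSummary {
    param([Parameter(Mandatory)][string[]]$DistinguishedName)

    foreach ($dn in $DistinguishedName) {
        # -Audit returns the SACL in addition to the owner and DACL.
        $acl   = Get-Acl -Path "AD:\$dn" -Audit
        $rules = @($acl.Audit | Where-Object { $_ })

        [pscustomobject]@{
            Object             = $dn
            AuditEntries       = $rules.Count
            InheritedEntries   = @($rules | Where-Object IsInherited).Count
            # True when the object does not inherit audit entries from its parent.
            InheritanceBlocked = $acl.AreAuditRulesProtected
            # No entries, or inheritance cut off below the domain, deserves a look.
            NeedsReview        = ($rules.Count -eq 0) -or $acl.AreAuditRulesProtected
        }
    }
}

# Build the list of objects to check: domain root, schema, and all OUs.
$targets  = @((Get-ADDomain).DistinguishedName)
$targets += (Get-ADRootDSE).schemaNamingContext
$targets += (Get-ADOrganizationalUnit -Filter *).DistinguishedName

Get-SaclSummary -DistinguishedName $targets |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

The domain root and schema have no parent to inherit from within their own naming context, so read their rows by the AuditEntries count rather than the inheritance columns.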

Derek Melber

Derek Melber is the Technical Evangelist for the ADSolutions team at ManageEngine. As a Directory Services MVP, he is highly sought after the world over for his knowledge, insight, and keen understanding of the Windows product line, especially Active Directory. Derek has helped Active Directory administrators, auditors, and security professionals around the world understand the finer points of Active Directory, Group Policy, Group Policy Preferences and Security. He writes for, speaks to, and educates thousands of IT professionals around the world every year through his blogs, books, seminars, webinars, etc.
