ManageEngine has stressed the importance of monitoring and alerting on Active Directory changes for years. With this level of monitoring and alerting, you can see and be notified of any key change in Active Directory with an email! That is powerful.
To monitor and alert on Active Directory changes, you need to establish the SACL (system access control list) on Active Directory objects; the SACL is the list of audit entries that tells the domain controller which accesses to log. Ideally, you will configure the SACL at the domain level so that it is inherited down through the Active Directory structure. Keep in mind that the SACL alone produces no events: the domain controllers must also have the Directory Service Changes audit subcategory enabled (through auditpol or Group Policy), or the audited operations will never reach the security log. Follow this link for details on exactly how to configure the SACL.
Once you’ve configured it, you need to verify that the SACL is correct, so that you don’t miss any changes. But how do you do this without a lot of manual effort and time? The answer is quite simple: use the built-in dsacls tool. For example, if your domain name is adsolutions.demo, you’ll run:
Dsacls dc=adsolutions,dc=demo /A
Run this from a command prompt on a domain controller. The /A switch tells dsacls to include the ownership and auditing information, so the output shows the SACL and the DACL (discretionary access control list), along with the owner. Figure 1 shows sample output.
Figure 1. SACL output for the domain.
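Reading dsacls output by eye is fine for one object, but the check is more reliable when it is scripted and run against every container. The following PowerShell is an added example, not code from the original post or from ManageEngine: it reads the audit rules on the domain root and every OU with Get-Acl -Audit, compares them against a baseline you define, and flags missing entries. The ActiveDirectory RSAT module, the Test-AdObjectSacl function name and the $expected baseline are assumptions made for the example; the caller needs the "Manage auditing and security log" right, which is required to read SACLs.

```powershell
# Added example (not from the original post): automate the SACL check that the
# dsacls /A output lets you do by eye. Reads the audit rules on an AD object and
# reports which expected entries are missing.
# Assumptions: the ActiveDirectory RSAT module is installed, the caller holds
# "Manage auditing and security log" (needed to read SACLs), and the $expected
# baseline below reflects your own audit policy.
Import-Module ActiveDirectory

function Test-AdObjectSacl {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [hashtable[]] $Expected
    )
    # -Audit is required; without it Get-Acl returns only the DACL.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($e in $Expected) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights] $e.Rights
        $flags  = [System.Security.AccessControl.AuditFlags] $e.Flags
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $e.Identity -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights) -and
            (($_.AuditFlags -band $flags) -eq $flags) -and
            $_.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # must propagate to children
        }
        [pscustomobject]@{
            Object   = $DistinguishedName
            Identity = $e.Identity
            Rights   = $e.Rights
            Flags    = $e.Flags
            Present  = [bool] $hit
        }
    }
}

# Assumed baseline for the example (not a ManageEngine recommendation):
# audit successful writes, creates and deletes by anyone. Adjust to match
# what you actually configured at the domain level.
$expected = @(
    @{ Identity = 'Everyone'; Rights = 'WriteProperty'; Flags = 'Success' },
    @{ Identity = 'Everyone'; Rights = 'CreateChild';   Flags = 'Success' },
    @{ Identity = 'Everyone'; Rights = 'DeleteChild';   Flags = 'Success' },
    @{ Identity = 'Everyone'; Rights = 'Delete';        Flags = 'Success' }
)

# Domain root, e.g. DC=adsolutions,DC=demo
$domainDn = (Get-ADDomain).DistinguishedName
Test-AdObjectSacl -DistinguishedName $domainDn -Expected $expected | Format-Table -AutoSize

# Repeat for every OU to catch containers where inheritance was blocked.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Test-AdObjectSacl -DistinguishedName $_.DistinguishedName -Expected $expected } |
    Where-Object { -not $_.Present } |
    Format-Table -AutoSize

# A correct SACL still logs nothing unless the audit subcategory is enabled.
auditpol /get /subcategory:"Directory Service Changes"
```

Any row with Present set to False is an object whose SACL does not match the baseline, which is exactly the gap that lets a change go unrecorded. The inheritance test matters: an entry that is present on the domain root but marked as not inheriting does nothing for the users, groups and OUs beneath it, and the auditpol line at the end catches the other common failure, a correct SACL on a domain controller where the audit subcategory was never turned on.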
Of course, you can also do this for organizational units, groups, and even the schema of Active Directory. Don’t let one more day go by without ensuring your Active Directory is secure and all changes are being tracked!
By Derek Melber