To audit Organizational Unit (OU) changes in Active Directory, you need two things: the “Directory Service Changes” audit subcategory enabled on your domain controllers, and a system access control list (SACL) on the OUs (or on the domain root, so every OU inherits it) that says which operations to record. Only when both are in place do the domain controllers write directory service change events to their Security event logs. Here are the steps:
- Enable the audit subcategory. Use the Group Policy Management Console (GPMC) to turn on “Audit Directory Service Changes” in a GPO linked to the Domain Controllers OU (the Default Domain Controllers Policy, or a dedicated one). The policy setting itself has no per-object-class options; the object classes are chosen in the SACL in the next step. Here are the steps:
  - Open the GPMC on a domain controller or on a computer with the Remote Server Administration Tools (RSAT) installed.
  - Create or edit a Group Policy Object (GPO) that applies to your domain controllers.
  - Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
  - Double-click “Audit Directory Service Changes”, tick “Configure the following audit events”, and select both Success and Failure.
  - If a legacy (basic) audit policy is also configured anywhere in the GPO chain, set “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” under Security Settings > Local Policies > Security Options to Enabled; otherwise the advanced setting can be silently overridden.
- Add auditing entries (a SACL) for the OU object class. The audit policy only switches the subcategory on; nothing is logged until an object's SACL asks for it. Setting the entries once on the domain root with inheritance covers every existing and future OU:
  - Open Active Directory Users and Computers, enable View > Advanced Features, right-click the domain object, and choose Properties > Security > Advanced > Auditing > Add.
  - Principal: Everyone. Type: All (both Success and Failure). Applies to: This object and all descendant objects. Permissions: “Create Organizational Unit objects” and “Delete Organizational Unit objects”. This records OU creations (event 5137) and deletions (event 5141).
  - Add a second entry for Everyone, Type: All, Applies to: Descendant Organizational Unit objects, Permissions: “Write all properties”. This records attribute changes to existing OUs (event 5136). Scoping the entry to OU objects keeps routine user, group and computer edits from flooding the log.
- Wait for the policy to reach the domain controllers. Group Policy refreshes on DCs every 5 minutes by default; run gpupdate /force on a DC to hurry it along, and confirm the result with auditpol /get /subcategory:"Directory Service Changes". The SACL itself is part of the object's security descriptor and replicates like any other attribute change.
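The same configuration done from PowerShell, as an added example (this is not code from the original page). It assumes you run it on a domain controller as a member of Domain Admins (writing a SACL requires the “Manage auditing and security log” privilege), that the ActiveDirectory module is installed, and that you want the entries at the domain root with inheritance, as described above. The auditpol call enables the subcategory locally only; in production the GPO setting should still be used so the policy survives a refresh.

```powershell
# Added example, not from the original page: enable the Directory Service Changes
# subcategory on this DC and add a SACL at the domain root that audits OU
# create/delete and OU property writes for Everyone.
Import-Module ActiveDirectory

# 1. Enable the audit subcategory locally (the GPO setting is the durable way;
#    this is useful for a quick check on one DC).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"

# 2. Read the schemaIDGUID of the organizationalUnit class from the schema
#    rather than hard-coding it.
$rootDse = Get-ADRootDSE
$ouClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouGuid = [guid]$ouClass.schemaIDGUID

# 3. Build the two auditing entries.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Creating or deleting an OU anywhere under the domain root (events 5137 / 5141):
# object type = OU class, inherited by this object and all descendants.
$createDelete = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $flags,
    $ouGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Writing any attribute of an existing OU (event 5136): inherited only by
# descendant OU objects, so user/group/computer edits stay out of the log.
$modify = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $flags,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ouGuid)

# 4. Apply both entries to the domain root so every OU inherits them.
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN" -Audit
$acl.AddAuditRule($createDelete)
$acl.AddAuditRule($modify)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 5. Verify what the SACL now contains for the OU class.
(Get-Acl -Path "AD:\$domainDN" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $ouGuid -or $_.InheritedObjectType -eq $ouGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The verification step at the end is the check worth keeping: if the two rules do not show up with the OU class GUID, no 5136/5137/5141 events will be produced for OUs no matter what the audit policy says.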
- Monitor the relevant events in the Security event log of your domain controllers. A change is logged only on the domain controller that processed the write, and the event is not replicated, so check every DC (or forward the Security logs to a central collector). To do this, follow these steps:
  - Open Event Viewer on a domain controller.
  - Navigate to Windows Logs > Security.
  - Click Filter Current Log in the Actions pane and select the following options:
    - Event sources: Microsoft Windows security auditing.
    - Event IDs: 5137 (object created), 5136 (object modified), 5139 (object moved), 5141 (object deleted).
    - Keywords: Audit Success and Audit Failure.
  - Do not rely on the “User” box to pick an account: for Security log events it matches the event's own User field, not the Subject who made the change. To filter by account, switch to the XML tab, tick “Edit query manually”, and add a condition on the SubjectUserName field under EventData, or post-filter in PowerShell.
  - Click OK to apply the filter.
  - In each event, Object DN and Class identify the OU (the Class is organizationalUnit; other classes produce the same event IDs and should be ignored here), and Subject shows who made the change. A modification appears as two 5136 events with the same Correlation ID: one of type “Value Deleted” carrying the old attribute value and one of type “Value Added” carrying the new one.
- Analyze the audit events to determine the details of the changes made to OUs: the date and time, the user who made them, and the type of change (create, modify, move, or delete). PowerShell's Get-WinEvent can pull the events from every DC and filter them by object class and subject, which the Event Viewer filter cannot do across servers.
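An added example of that PowerShell collection step (not code from the original page). It assumes the ActiveDirectory module is available to enumerate DCs, that you have read access to each DC's Security log over the network, and that the events carry the standard EventData field names (ObjectDN, ObjectClass, SubjectUserName, AttributeLDAPDisplayName, OperationType, OpCorrelationID; OldObjectDN/NewObjectDN for 5139). The Get-OUChangeEvent function name and the optional SubjectUserName filter are this example's own.

```powershell
# Added example, not from the original page: pull OU change events from every DC
# and flatten them into objects you can filter, sort or export.
Import-Module ActiveDirectory

function Get-OUChangeEvent {
    param(
        # Change events live only on the DC that processed the write, so query all of them.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | ForEach-Object HostName),
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        # Optional: sAMAccountName as it appears in the event's Subject (hypothetical filter).
        [string]$SubjectUserName
    )
    $kind = @{ 5137 = 'Create'; 5136 = 'Modify'; 5139 = 'Move'; 5141 = 'Delete' }
    # Raw OperationType values in 5136; Event Viewer resolves them to these strings.
    $opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141; StartTime = $StartTime }

    foreach ($dc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # EventData is more reliable to parse from the XML than from the rendered message.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Other object classes produce the same IDs; keep only OUs.
            if ($data['ObjectClass'] -ne 'organizationalUnit') { continue }
            if ($SubjectUserName -and $data['SubjectUserName'] -ne $SubjectUserName) { continue }

            [pscustomobject]@{
                Time          = $e.TimeCreated
                DC            = $dc
                Change        = $kind[$e.Id]
                Subject       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN      = if ($e.Id -eq 5139) { $data['NewObjectDN'] } else { $data['ObjectDN'] }
                OldDN         = $data['OldObjectDN']                 # moves only
                Attribute     = $data['AttributeLDAPDisplayName']    # 5136 only
                Operation     = $opType[$data['OperationType']]      # Value Added / Value Deleted
                Value         = $data['AttributeValue']
                CorrelationID = $data['OpCorrelationID']             # pairs the two halves of a modify
            }
        }
    }
}

# Usage: OU changes from the last 7 days across all DCs, newest first.
Get-OUChangeEvent | Sort-Object Time -Descending | Format-Table -AutoSize

# Usage: everything one account did to OUs this month, grouped so each modify's
# old and new value sit together.
Get-OUChangeEvent -StartTime (Get-Date).AddDays(-30) -SubjectUserName 'jdoe' |
    Sort-Object CorrelationID, Operation | Format-Table Time, Change, ObjectDN, Attribute, Operation, Value
```

Grouping on CorrelationID is what makes a 5136 pair readable: the “Value Deleted” row is the attribute's previous value and the “Value Added” row is what it became, which is the evidence you want when deciding whether an OU change (a renamed OU, a changed gPLink, a new manager) was authorized.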
By auditing OU changes in Active Directory, you can track who made changes to OUs, when the changes were made, and what changes were made. This can help you to identify unauthorized changes, detect potential security threats, and maintain the integrity of your Active Directory environment.