Configuring SACL for AD Objects


For reports such as,

  1. GPO/OU
  2. Extended Attributes changes and
  3. Permission changes
In addition to the settings in "Default Domain Controllers Policy", SACL's must be configured for the respective AD objects. This document will guide you through the steps to configure SACL.

To configure SACL, you must be a member of the "Domain Admins" group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.  

In this page we will discuss how to configure SACL's for AD objects:

    1. Use "Active Directory Users and Computers"(dsa.msc) to configure.

      1. OU

      2. GPO

      3. Users

      4. Groups

      5. Computers

      6. Contacts

    2. Use "ADSIEDIT"(adsiedit.msc) to configure.

      1. Containers

      2. Password Setting Objects

      3. Configuration

      4. Schema

      5. DNS Objects

1. Steps to configure SACL- OU/GPO/Users/Groups/Computers/Contacts

  1. Open "Active Directory Users and Computers".  

    1. (Click "Start" -> Click "Control Panel" -> double-click "Administrative Tools"  and then -> double-click "Active Directory Users and Computers ")

  2. Ensure that View -> "Advanced Features" are selected from the drop down. This will display the Advanced Security settings for selected objects in the Active Directory Users and Computers.

  3. In the console tree, right-click the "domain"

  4. Click "Properties", and then click the "Security" tab.

  5. Click "Advanced" to open the Window to enter "Advanced Security Settings for the Domain"

  6. Click on the "Auditing Tab" and click "Add" to add new security principal to audit the event of a user accessing an object (in our case it is "Everyone")  and click on OK

  7. This opens the window to select "Auditing Entry for the Domain"

Configuring SACL for groupPolicyContainer Objects

top


As explained above for "groupPolicyContainer" objects, please follow the same for rest of the objects.

Table that details the "Access" and "Apply onto" for the various Active Directory Objects.



 Auditing Entry for

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

1. OU
  • Create Organizational Unit objects
  • Delete Organizational Unit objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions

Organizational Unit objects

Descendant Organizational Unit objects

2. GPO
  • Create groupPolicyContainer Objects
  • Delete groupPolicyContainer Objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions

groupPolicyContainer objects

Descendant groupPolicyContainer  objects

3. User
  • Create User Objects
  • Delete User Objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions
  • All Extended Rights

User objects

Descendant User objects

4. Group
  • Create Group Objects
  • Delete Group Objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions
  • All Extended Rights

Group objects

Descendant Group objects

5. Computer
  • Create Computer Objects
  • Delete Computer Objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions
  • All Extended Rights

Computer objects

Descendant Computer objects

6. Contact

  • Create Contact Objects
  • Delete Contact Objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions
  • All Extended Rights

Contact objects

Descendant Contact objects

 

top


2. Steps to configure SACL- Containers/Password Settings Objects/Configuration/Schema/DNS Objects


1. Auditing entries for all Containers

 Steps to configure SACL- Containers

  1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

  2. Right Click on ADSI Edit and select Connect to..

  3. Under Connection Point -> Under Select a Well Known Naming Context -> Select 'Default Naming Context'.

  4. Click on 'Default naming context'.

  5. Right Click the 'Domain's distinguished name' and Select Properties -> Security.

  6. Click on Advanced and select the Auditing Tab.

  7. Follow the below steps.

SACL Container Objects

 Auditing Entry

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

 

 

Container

  • Write All Properties
  • Delete
  • Modify Permissions

Container objects

Descendant Container objects


2. Auditing entries for all Password Setting objects

 Steps to configure SACL- Password Setting objects

  1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

  2. Right Click on ADSI Edit and select Connect to..

  3. Under Connection Point -> Under Select a Well Known Naming Context -> Select 'Default Naming Context'.

  4. Click on 'Default naming context'.

  5. Expand the Domain

  6. Expand the "System" container

  7. Right click on the "Password Settings Container" and click on "Properties"

  8. Goto 'Security' tab and click on "Advanced"

  9. Select "Auditing" tab and click "Add"


Object to set SACL on

CN=Password Settings Container, CN=System,<Default Naming Context>

Auditing entries to be applied on

Everyone

Type

Successful


 Auditing Entry for

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

 

 

Password Settings Container
  • Create msDS-PasswordSettings objects
  • Delete msDS-PasswordSetting objects

Not Applicable

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions

Not Applicable

Descendant msDS-PasswordSettings objects


3. Auditing entries for all Configuration/Schema

 Steps to configure SACL- Configuration/Schema

  1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

  2. Right Click on ADSI Edit and select Connect to..

  3. Under Connection Point -> Under Select a Well Known Naming Context > Select 'Configuration' / 'Schema' (For Schema SACL).

  4. Double Click Configuration / Schema on the Left Pane.

  5. Right Click the Configuration Context / Schema Context and Select Properties > Security.

  6. Click on Advanced and Select the Auditing Tab.

  7. Follow the below steps.

3. Auditing Entries for AD Configuration objects

Object to set SACL on

Configuration Context

Auditing entries to be applied on

Everyone

Type

Successful


Auditing Entry for

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

Configuration

  • Create All Child objects
  • Write All Properties
  • Delete All child objects
  • Delete
  • Modify Permissions
  • All Extended Rights

This object and all child objects

This object and all descendant objects


4. Auditing Entries for AD Schema objects

Object to set SACL on

Schema Context

Auditing entries to be applied on

Everyone

Type

Successful


 Auditing Entry for

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

Schema
  • Create All Child objects
  • Write All Properties
  • Delete All child objects
  • Delete
  • Modify Permissions
  • All Extended Rights

This object and all child objects

This object and all descendant objects

5. Auditing Entries for AD DNS objects

Steps to configure SACL- DNS Objects

  1. Open Run Prompt (Windows+R) and type adsiedit.msc and press Enter.

  2. Right Click on ADSI Edit and select Connect to..

  3. Under Connection Point -> Under Select or type a Distinguished Name or Naming Context,  depending on your Domain name and the partition where the zone is stored, type the Distinguished Name for the partition and click OK:

    1. If the zone is stored in default Domain partition, then type DC=adap, DC=internal,DC=com as the Distinguished Name. (This partition is generally loaded in Adsiedit by default).

    2. If the zone is stored in DomainDNSZones partition, then type DC=DomainDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.

    3. If the zone is stored in ForestDNSZones partition, then type DC=ForestDNSZones,DC=adap,DC=internal,DC=com as the Distinguished Name.

  4. Double Click Default Naming Context on the Left Pane.

  5. Right Click the MicrosoftDNS Container and Select Properties > Security.

  6. Click on Advanced and Select the Auditing Tab.

  7. Follow the below steps.


Object to set SACL on

*Default Domain partition, DomainDNSZones partition, ForestDNSZones partition

Auditing entries to be applied on

Everyone

Type

Successful


 Auditing Entries for

Access

Apply onto

Windows Server 2003

Windows Server 2008/Windows Server 2012

 

 

DNS Zones
  • Create DNS Zones objects
  • Delete DNS Zones objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions

DNS Zone objects

Descendant DNS Zone objects

 

 

DNS Nodes
  • Create DNS Nodes objects
  • Delete DNS Nodes objects

This object and all child objects

This object and all descendant objects
  • Write All Properties
  • Delete
  • Modify Permissions

DNS Node objects

Descendant DNS Node objects

 Note: The settings have to be applied according to your domain name and the partition where the Zone is stored.

top
Copyright © 2014, ZOHO Corp. All Rights Reserved.
ManageEngine