Firstly, what are SACLs? SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object and can be configured not only to include the user or group you are interested in, but also the type of access. The following screen grab shows the default auditing configured at the root of a new Windows Server 2012 Active Directory domain.
[Screenshot: Default auditing on the root of a W2K12 Active Directory]
I wanted to configure the SACLs as a task sequence action during the System Center Configuration Manager OSD task sequence I have developed for my customer, so I turned to Windows PowerShell. After running my script, the auditing configured at the root of the domain looks like this:
[Screenshot: Auditing on the root of the domain after the script has run]
This is the script I came up with:
```powershell
#------------------------------------------------------
# | File : ADDSAuditSettings.ps1
# |
# | Purpose : Configures extra auditing (SACLs) for the
# |           new domain
# |
# | Usage : PowerShell.exe -FILE .\ADDSAuditSettings.ps1
#------------------------------------------------------
# |
# | Author: JustAnotherTechnicalBlog
# | Creation Date: 26 April 2013
# |
# |
# | Maintenance History
# | -------------------
# |
# | Version: 1.00 2013-04-26 Initial Version JustAnotherTechnicalBlog
# |
# |
#------------------------------------------------------

# Clear the error variable
#------------------------------------------------------
$error.clear()

# Import the ActiveDirectory PowerShell Module if required
#------------------------------------------------------
if (-not (Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory
}

# This function takes a schema ID GUID and a security
# principal and enables a new SACL entry so deletions
# of the target object type by the specified security
# principal will be audited
#------------------------------------------------------
Function AuditDeletions {
    Param (
        [Parameter(Mandatory=$true)]
        [system.guid]$SchemaIDGUID,
        [Security.Principal.NTAccount]$SecurityPrincipal
    )

    # Get the DN for the current domain
    #------------------------------------------------------
    $dn = (Get-ADDomain).DistinguishedName

    # Get the current ACLs (including the SACL) for the root of the domain
    #------------------------------------------------------
    $acl = Get-ACL -Audit -Path AD:\$dn

    # Build the new SACL rule.
    # This rule will enable auditing of successful deletion
    # of our target object. The rule will be inherited
    # throughout the domain
    #------------------------------------------------------
    $Rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule `
        $SecurityPrincipal, `
        "DeleteChild", `
        "Success", `
        $SchemaIDGUID, `
        "All"

    # Add the new audit rule to the ACL we
    # opened earlier
    #------------------------------------------------------
    $acl.AddAuditRule($Rule)

    # Commit the new audit rule
    #------------------------------------------------------
    Set-ACL -Path AD:\$dn -AclObject $acl
}

# To work with AD objects we need the relevant schema
# ID GUIDs. Variables to hold these:
#------------------------------------------------------
$ComputerSchemaIDGUID = "bf967a86-0de6-11d0-a285-00aa003049e2"
$GroupSchemaIDGUID    = "bf967a9c-0de6-11d0-a285-00aa003049e2"
$UserSchemaIDGUID     = "bf967aba-0de6-11d0-a285-00aa003049e2"

# The AuditDeletions function above requires a security
# principal. Which user/group do we want to audit?
#------------------------------------------------------
$who = "Everyone"

# Put the AuditDeletions function to use ....
#------------------------------------------------------
AuditDeletions $ComputerSchemaIDGUID $who
AuditDeletions $GroupSchemaIDGUID $who
AuditDeletions $UserSchemaIDGUID $who

# Basic error handling
#------------------------------------------------------
If ($error) {
    Write-Host "Audit setting configurations failed"
    Exit 1003
} Else {
    Write-Host "Audit setting configurations completed OK"
}
```
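After the task sequence has run it is worth reading the SACL back rather than trusting the exit code. The following snippet is an added verification example, not part of the original script; it assumes the ActiveDirectory module and the same three schema class GUIDs used above, and checks that the matching audit subcategory is actually enabled, since an ACE in the SACL generates no event on its own.

```powershell
# Added verification example (not from the original post). Assumes the
# ActiveDirectory module and the schema class GUIDs used by the script above.
Import-Module ActiveDirectory

$dn  = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Audit -Path "AD:\$dn"

# Map the schema class GUIDs from the script back to readable class names
$classByGuid = @{
    "bf967a86-0de6-11d0-a285-00aa003049e2" = "computer"
    "bf967a9c-0de6-11d0-a285-00aa003049e2" = "group"
    "bf967aba-0de6-11d0-a285-00aa003049e2" = "user"
}

# Keep only the audit entries the script is expected to have created:
# DeleteChild right, object type equal to one of the three classes.
# Explicit entries only ($false for inherited), reported as NTAccount names.
$expected = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) -ne 0) -and
        $classByGuid.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference, AuditFlags, InheritanceType,
        @{ Name = "ObjectClass"; Expression = { $classByGuid[$_.ObjectType.ToString()] } }

$expected | Format-Table -AutoSize

# One entry per class is expected; fewer means a Set-ACL call did not land
if (@($expected).Count -lt $classByGuid.Count) {
    Write-Warning "Only $(@($expected).Count) of $($classByGuid.Count) expected audit entries are present on $dn"
}

# A SACL entry only produces events (4662 on the DC) when the
# Directory Service Access subcategory is enabled; show its current state
auditpol /get /subcategory:"Directory Service Access"
```

Reading the SACL (Get-Acl -Audit) requires the SeSecurityPrivilege, so run this as an account that holds Manage auditing and security log on the domain controller.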