Audit directory service access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and remains undefined for workstations and servers where it has no meaning.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. You can select No auditing by defining the policy setting and unchecking Success and Failure.
.gif "Note Image")
Notes
You can set a SACL on an Active Directory object using the Security tab on the object's Properties page.
This is the same as Audit object access except it applies only to Active Directory objects rather than file system and registry objects.