When you have a large Active Directory environment managed by a team that includes administrators and users with delegated permissions, you should be concerned. What if someone makes a change that isn't authorized or intended, such as deleting objects or containers? Windows event logs provide one way of monitoring changes to your environment, and Security log auditing can also help, though it can generate a ton of information to sift through (both Event Viewer and security auditing have been significantly enhanced in Windows Server 2008).
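
One way to cut the Security log down to the deletions mentioned above, as an added example that is not part of the original tip: it summarizes event ID 5141 ("A directory service object was deleted") per account. The event ID, the "Directory Service Changes" audit subcategory, the function name and the sample events are assumptions introduced here; the sample XML is constructed and trimmed to the fields the script reads.

```powershell
# Added example. Prerequisites on the domain controllers (Windows Server 2008 or later):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# plus an auditing entry (SACL) on the containers you want to watch.

# Hypothetical helper: turns one event's XML into a flat record.
function ConvertFrom-DeletionEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> pairs
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = [datetime]$evt.System.TimeCreated.SystemTime
            Actor       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ObjectClass = $data.ObjectClass
            ObjectDN    = $data.ObjectDN
        }
    }
}

# Constructed sample events so the parsing can be tried on any machine.
$sample = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5141</EventID><TimeCreated SystemTime="2024-01-15T09:12:03Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="ObjectDN">OU=Sales,DC=example,DC=com</Data><Data Name="ObjectClass">organizationalUnit</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5141</EventID><TimeCreated SystemTime="2024-01-15T09:12:41Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="ObjectDN">CN=Temp User,OU=Staff,DC=example,DC=com</Data><Data Name="ObjectClass">user</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5141</EventID><TimeCreated SystemTime="2024-01-15T11:30:00Z"/></System><EventData><Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">EXAMPLE</Data><Data Name="ObjectDN">CN=OLD-PC01,CN=Computers,DC=example,DC=com</Data><Data Name="ObjectClass">computer</Data></EventData></Event>
'@
)

# On a domain controller, replace $sample with live events from the last 24 hours:
#   $filter = @{ LogName = 'Security'; Id = 5141; StartTime = (Get-Date).AddDays(-1) }
#   $sample = Get-WinEvent -FilterHashtable $filter | ForEach-Object { $_.ToXml() }

# Who deleted how many objects, busiest account first.
$sample | ConvertFrom-DeletionEvent |
    Group-Object Actor |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Objects'; e = { $_.Group.ObjectDN -join '; ' } }
```

Each domain controller logs only the changes made on it, so the live query has to be run against every DC or against a log collector.
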
Some third-party products may be able to help you sleep better at night. Here are two products from Quest Software that have been recommended to me by admins who use them on a daily basis to monitor their Active Directory environments:
- InTrust Plug-in for Active Directory works with their InTrust platform for security information and event management for compliance. This plug-in lets you track, store, alert, and report on the activity of your domain controllers and other aspects of Active Directory, including Group Policy. Find out more about the Quest InTrust platform here and their AD plug-in here.
- ChangeAuditor for Active Directory can automatically track changes to the configuration of your AD environment and issue alerts when accounts are deleted, DNS server configurations are changed, failed logins occur, and many other occurrences. Find out more about ChangeAuditor here and download a free trial.