How to track organizational unit changes in AD (2024)

With ADAudit Plus

  • ADAudit Plus simplifies OU management by offering you pre-configured OU management reports:

    1. Recently Created OUs

    2. Recently Deleted OUs

    3. Recently Modified OUs

    4. Recently Moved OUs

    5. OU History

    6. Extended Attribute Changes

  • Here's how you can use ADAudit Plus to retrieve an OU management report in a few easy steps.

    1. Select the Reports Tab and navigate to OU Management. Choose Report.

    2. Select the Domain.

    3. Customize the Period to the desired time range. You can also define a custom period and save it for quick reference.

    4. A detailed audit information report is generated for the selected period.

    5. Clicking on an event in the bar graph filters the report view, highlighting only the selected event.

    6. Advanced filter attributes help you locate the specific event that you're looking for.

  • ADAudit Plus gives you a range of filter attributes: Who Created, Modified Time, Message, Permission Changes, Old Value, New value, Time Deleted, Remarks, Who changed, Modified Attributes, Domain Controller, Creation Time, New OU Name, Who deleted, OU Name, New OU Distinguished Name.

  • You can apply the above filters in the reports to filter results accordingly.

Tracking OU audit changes in native AD

Step 1: Set up OU auditing

  • Launch the Server Manager on your Windows Server.

  • Under 'Tools', open the 'Group Policy Management Console' (GPMC).

  • In the left pane, right-click the 'Domain Controllers' node and choose either 'Create a new GPO and link it here' or 'Link an existing GPO', as appropriate.

  • Right-click the desired GPO and select 'Edit'. This opens the 'Group Policy Management Editor'. Expand the node and select 'Computer Configuration'.

  • You can then select 'Policies' and navigate to 'Windows Settings'. Under 'Windows Settings' select 'Security Settings' and then navigate to 'Advanced Audit Policy Configuration'.

  • Under 'Advanced Audit Policy Configuration', expand 'Audit Policies'. Select 'DS Access' and double-click 'Audit Directory Service Access'.

  • Configure this policy for both 'Success' and 'Failure'.

  • Also configure 'Success' and 'Failure' events for 'Audit Directory Service Changes'.

  • Exit the Group Policy Management Editor and return to the GPMC.

  • Go to the 'Domain Controllers' node and select the newly modified GPO. Under the 'Scope' tab on the right pane, you will find the 'Security Filtering' section. Select 'Add'.

  • This opens up the 'Select User, Computer or Group' window. Type 'everyone' in this window to apply this GPO to all objects.

  • You can now return to the GPMC. The group policy also needs to be applied throughout the forest. You can do this by opening 'Run' on your server and executing gpupdate /force. You should receive a notification saying the policy update was successful. Note that gpupdate /force refreshes policy only on the machine where it runs; other domain controllers pick up the GPO at their next policy refresh.

Step 2: Activate AD auditing in ADSI Edit

  • From 'Server Manager', go to 'Tools' and select 'ADSI Edit'.

  • Right-click the 'ADSI Edit' node in the left pane and select 'Connect to'. This opens the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

  • Click 'OK' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

  • Click 'Select a principal'. This brings up a 'Select User, Computer or Group' window. Type 'Everyone' in the text box and verify it with 'Check Names'.

  • The principal in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down, select 'All' to audit both 'success' and 'failure' events.

  • In the 'Applies to' drop-down, choose 'This object and all descendant objects'. This enables auditing of the OU's descendant objects. Select 'Full Control' in the 'Permissions' section.

  • Click 'Apply' and 'OK' and close the window.

Step 3: Use Event Viewer to track events

  • In 'Event Viewer', look for the following Event IDs under 'Security Logs':

  • Event ID 5141: A directory service object (organizational unit) was deleted.

  • Event ID 5137: A directory service object (organizational unit) was created.

  • Event ID 5139: A directory service object (organizational unit) was moved.

  • Event ID 5136: A directory service object (organizational unit) was modified.

  • Here's how you can view an event where an OU was deleted.

  • In this window you can view who made changes to the OU and what changes were made, along with the timestamp of the event.
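As an added example (not part of the original page), the PowerShell below pulls the four Event IDs from Step 3 out of a domain controller's Security log, keeps only organizational-unit objects, and shows who changed which OU, when, and what changed. It assumes the Step 1 and Step 2 configuration is in place, that $DC is a placeholder for a real domain controller name, and that WinRM is available for the auditpol check.

```powershell
# Added example, not from the original page: list OU create/modify/move/delete
# events (IDs 5137/5136/5139/5141) from a DC's Security log and show who changed
# which OU, when, and what changed. Needs Event Log Readers (or admin) rights.
$DC    = 'DC01'                    # placeholder: name of a domain controller
$Since = (Get-Date).AddDays(-7)    # look back one week

# Check that the subcategory enabled in Step 1 is actually effective on the DC
# (assumes WinRM; run auditpol locally on the DC instead if it is not).
Invoke-Command -ComputerName $DC -ScriptBlock {
    auditpol /get /subcategory:"Directory Service Changes"
}

$Action = @{ 5137 = 'Created'; 5136 = 'Modified'; 5139 = 'Moved'; 5141 = 'Deleted' }

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5139, 5141
    StartTime = $Since
} -ErrorAction SilentlyContinue    # "no events found" is not an error here

$results = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # These IDs fire for every directory object type; keep only OUs.
    if ($data['ObjectClass'] -ne 'organizationalUnit') { continue }

    # 5139 (move) reports OldObjectDN/NewObjectDN; the others report ObjectDN.
    $ou = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['OldObjectDN'] }
    # 5136 only: OperationType %%14674 = value added, %%14675 = value deleted.
    $op = switch ($data['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { $null }
    }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $Action[$e.Id]
        Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        OU        = $ou
        NewDN     = $data['NewObjectDN']             # move events only
        Attribute = $data['AttributeLDAPDisplayName'] # modify events only
        Value     = $data['AttributeValue']           # modify events only
        Operation = $op
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it against each domain controller, since a change is logged only on the DC that processed it.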

FAQs

How to track organizational unit changes in AD?

To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events. shows a user account was created. shows a user account was enabled.

How to check OU on Active Directory?

  1. Open the Active Directory Users and Computers snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the OU you want to view.
  4. Click on it.

How do I track group changes in Active Directory?

To track the changes in Active Directory, open “Windows Event Viewer,” go to “Windows logs” → “Security.” Use the “Filter Current Log” in the right pane to find relevant events. The following are some of the events related to group membership changes. The screenshot below indicates that a Security Group was created.

How to access Organizational Unit in Active Directory?

  1. Open Active Directory Users and Computers (under Start, Programs, Administrative Tools, Active Directory Users and Computers).
  2. In the management console, under the tree on the left-hand side, navigate to the Organizational Unit in which you want to add a new OU.

How do I enable auditing on OU?

Navigate to the concerned domain/OU that contains the objects you want to audit. Right-click on the concerned GPO, and select Edit. The Group Policy Management Editor will open up. Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies.

How to check server OU details?

You can identify an OU by its distinguished name or GUID. You can also set the parameter to an OU object variable, such as $<localOrganizationalunitObject> or pass an OU object through the pipeline to the Identity parameter. To search for and retrieve more than one OU, use the Filter or LDAPFilter parameters.

Does Active Directory have an audit trail?

To audit user access to Active Directory objects, configure the Audit Directory Service Access event category in the audit policy setting. You must grant the Manage Auditing And Security Log user right to the computer where you want to either configure an audit policy setting or review an audit log.

How do I pull a report from Active Directory?

The steps below will guide you to generate an All Computers report.
  1. Select the AD Reports tab.
  2. Select Computer Reports from the left pane to get the Computer Reports page.
  3. Select All Computers link under General Reports.
  4. Select the Domain and the associated OUs for Report Generation.
  5. Click Generate button.

How do I tell who made a change in Active Directory?

The only way you would know who made that change is if the security event logs on all of your domain controllers go back 2 months AND you have account management auditing enabled. So, open the event viewer on your DCs, click on the security event log and filter based on event id 4722.

How do I audit Sysvol changes?

Go to your SYSVOL folder which is usually found at C:\Windows\SYSVOL. Right-click on the SYSVOL folder and go to Properties. Go to Security -> Advanced to open the Advanced Security Settings for the SYSVOL folder. Click on the Auditing tab, and then click on Add.

How to check GPUpdate log?

The Group Policy Operational logs are displayed in the Operational object under the Applications and Services > Microsoft > Windows > GroupPolicy directory in Event Viewer.

Are Active Directory changes instant?

On environments with only one Active Directory (AD) server (domain controller), a change usually takes up to ~5 minutes to get processed and sent to the cloud, barring any issues in regards around network latency, processing and also the size of the organization being synchronized.

What is the difference between an Active Directory folder and an Organizational Unit?

Organizational units can delegate admin rights, but AD groups cannot. AD groups can manage permissions, while organizational units cannot. AD groups possess their own security identifier (SID), whereas organizational units do not.

What is the difference between OU and group?

The difference between an OU and a group is that OUs can contain different kinds of objects rather than being limited to accounts or groups, whereas groups can only contain accounts and other groups.

What is the difference between OU and domain in Active Directory?

An OU is a container within a Microsoft Windows Active Directory (AD) domain that can hold users, groups and computers. It is the smallest unit to which an administrator can assign Group Policy settings or account permissions.

What is the default OU in Active Directory?

The only default OU in the AD environment is the Domain Controllers OU. All other folders in the tree are containers. Containers can also contain objects. The Computers and Users containers are good examples of that.

How to see who created an OU in Active Directory?

How to Detect Who Created a User Account in Active Directory
  1. Run gpmc. ...
  2. Open ADSI Edit → Connect to Default naming context → right click "DC=domain name" → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click "Add" → Choose the following settings:

What is an OU in LDAP?

The LDAP objects used for authentication are as follows:
  • Organizational Unit (OU): objectClass organizationalUnit. An Organizational Unit object is similar to a Windows directory. For LDAP, it typically holds either Group objects or User objects.
  • Group (CN): objectClass group [also posixGroup].

Article information

Author: Frankie Dare
