Windows 2008 Active Directory Security Audit Management Pack (for SCE 2010 and OpsMgr 2007 R2)
Update 6/30/2010 – Uploaded RTM version which includes a detailed management pack guide.
This management pack contains more than 40 audit rules (+ views and a report) designed to alert administrators to various changes in Windows 2008 Active Directory related to users, groups, group policies (GPOs), OUs and physical topology (sites, site links and subnets). Care has been taken to avoid the use of wildcards on description fields for better performance.
In fact, I made several design decisions to help the pack scale and to keep database space utilization down:
- It contains a seed base class (called Windows 2008 Active Directory Audit Target) so you can limit which agents load these workflows.
- Uses alert rules instead of event collection rules, resulting in less space consumed in the operational and data warehouse databases.
- Contains separate alert views for User, Group, OU, GPO, and Physical Topology events.
- Uses rules instead of monitors – audit events should NOT affect the health of AD in my opinion! These are more for catching unauthorized changes.
- Only DELETE operations generate critical alerts; all others generate warning alerts.
- Currently contains a linked report for audit alerts. I will likely add custom reports in later versions.
NOTE: This is the official release, which includes a detailed management pack guide.
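As an added illustration of how the design points above translate into detection logic (this is not the management pack's own rule set, which is documented in its guide), the following Python sketch classifies Security-log AD change events into the five alert views and applies the "only deletes are critical" severity rule. The event IDs are the standard Windows Server 2008 Security log IDs for Account Management (47xx) and Directory Service Access (513x); the field names, the sample events and the object-class-to-view mapping are constructed for the example. Rules match on the numeric event ID and the exact Object Class value rather than on a wildcard over the description text, mirroring the performance note above.

```python
"""Classify AD change events into alert views and severities.

Added example, not the management pack's rules: event IDs are standard
Windows Server 2008 Security log IDs; field names and samples are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Account Management events encode the object type in the event ID.
# event_id -> (view, operation); operation "delete" drives severity.
ACCOUNT_EVENTS = {
    4720: ("User", "create"),
    4726: ("User", "delete"),
    4738: ("User", "change"),
    4727: ("Group", "create"),          # global group created
    4728: ("Group", "member-add"),
    4729: ("Group", "member-remove"),
    4730: ("Group", "delete"),          # global group deleted
    4731: ("Group", "create"),          # local group created
    4732: ("Group", "member-add"),
    4733: ("Group", "member-remove"),
    4734: ("Group", "delete"),          # local group deleted
    4754: ("Group", "create"),          # universal group created
    4756: ("Group", "member-add"),
    4757: ("Group", "member-remove"),
    4758: ("Group", "delete"),          # universal group deleted
}

# Directory Service Access events cover any object; the view is derived
# from the Object Class field (exact match), not from the event ID.
DS_EVENTS = {5136: "modify", 5137: "create", 5139: "move", 5141: "delete"}
OBJECT_CLASS_VIEW = {                   # constructed mapping
    "organizationalUnit": "OU",
    "groupPolicyContainer": "GPO",
    "site": "Physical Topology",
    "siteLink": "Physical Topology",
    "subnet": "Physical Topology",
}


@dataclass
class Alert:
    view: str
    severity: str       # "Critical" only for deletes, else "Warning"
    operation: str
    target: str
    subject: str
    event_id: int


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for an AD change event, or None if no rule matches."""
    eid = event["EventID"]
    if eid in ACCOUNT_EVENTS:
        view, operation = ACCOUNT_EVENTS[eid]
        target = event.get("TargetAccount", "?")
    elif eid in DS_EVENTS:
        view = OBJECT_CLASS_VIEW.get(event.get("ObjectClass", ""))
        if view is None:        # user/group objects are already covered
            return None         # by the account-management IDs above
        operation = DS_EVENTS[eid]
        target = event.get("ObjectDN", "?")
    else:
        return None             # e.g. logon events: no audit rule fires
    severity = "Critical" if operation == "delete" else "Warning"
    return Alert(view, severity, operation, target, event.get("SubjectUser", "?"), eid)


def alerts_by_view(events: List[dict]) -> Dict[str, List[Alert]]:
    """Group matching alerts per view, like the pack's separate alert views."""
    views: Dict[str, List[Alert]] = {}
    for ev in events:
        alert = classify(ev)
        if alert is not None:
            views.setdefault(alert.view, []).append(alert)
    return views


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUser": "CONTOSO\\svc-hr", "TargetAccount": "CONTOSO\\jdoe"},
    {"EventID": 4726, "SubjectUser": "CONTOSO\\admin2", "TargetAccount": "CONTOSO\\jdoe"},
    {"EventID": 4728, "SubjectUser": "CONTOSO\\admin2", "TargetAccount": "CONTOSO\\Domain Admins"},
    {"EventID": 5136, "SubjectUser": "CONTOSO\\gpoadmin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=contoso,DC=com"},
    {"EventID": 5141, "SubjectUser": "CONTOSO\\admin2", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Finance,DC=contoso,DC=com"},
    {"EventID": 5137, "SubjectUser": "CONTOSO\\netadmin", "ObjectClass": "subnet",
     "ObjectDN": "CN=10.1.0.0/16,CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC=com"},
    {"EventID": 5136, "SubjectUser": "CONTOSO\\admin2", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=contoso,DC=com"},   # no view: ignored
    {"EventID": 4624, "SubjectUser": "CONTOSO\\jdoe"},    # logon: ignored
]

if __name__ == "__main__":
    for view, alerts in sorted(alerts_by_view(SAMPLE_EVENTS).items()):
        for a in alerts:
            print(f"[{view}] {a.severity}: {a.operation} {a.target} by {a.subject} (event {a.event_id})")
```

The severity decision is a single line, so a shop that wants, say, membership changes to a privileged group to rate higher than Warning can adjust it without touching the event tables; the pack's stated policy is reproduced here as written.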