Tracking an object move/rename

I can get Account Management events in the security eventlog for certain specific operations that have been performed on users & groups, such as creating/deleting a user or group, adding/removing group members, and even changing certain naming attributes such as the SAM Account Name or the User Principal Name.

What I can't seem to readily track are actual object naming changes that involve a change to the RDN of the object itself. For example, in ADUC, you can hit F2 on a selected user or group and rename the object without making any changes to the SAM Account Name or the User Principal Name. However, there's no Account Management event generated for this type of change. I'm thinking that I may need to fall back on using the DirSync control in a search operation to track this sort of change. It would also be desirable to track object moves regardless of whether or not the object is renamed, so that I could identify when a user or group moves between a container and an OU, or vice versa, or between two different OUs in the same domain, or even between domains in the same forest. Ideally, I'd like to capture the rename or move event, along with both the old & new FDN values for the object and the object's GUID, too.

Am I missing something obvious in terms of auditing settings for AD that could be enabled to cause these types of changes to be reported in an eventlog?


-- Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com

RTFM Consulting Services Inc.     864 801 2795 voice & voicemail
103 Autumn Hill Road              864 801 2774 fax
Greer, SC  29651

"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp

Do not send me unsolicited commercial email.
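The DirSync approach the post considers, worked through as an added example (this is not code from the original post or its author). The LDAP_SERVER_DIRSYNC_OID control returns every object whose replication metadata changed since the cookie, with its current DN and its objectGUID, but it never returns the previous DN. So the script below keeps its own objectGUID -> DN map between passes and reports each object whose DN changed, classified as a rename (same parent, new RDN), a move (new parent, same RDN) or both; tombstones are reported as deletions and dropped from the map. Assumptions that are not in the post: PowerShell 5 or later on a domain-joined host, an account holding "Replicating Directory Changes" on the domain partition (DirSync requires it), and the server name and state-file path, which are placeholders.

```powershell
# Added example (not from the original post): report AD user/group renames and
# moves, with old DN, new DN and objectGUID, by polling with the DirSync control
# and diffing DNs against a locally kept objectGUID -> DN map.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'dc01.example.com'                                        # assumption: placeholder DC
$StateFile = Join-Path $env:ProgramData 'dirsync-rename-tracker.xml'    # assumption: cookie + GUID->DN map

function Split-Dn {
    # Split a DN into RDN and parent DN at the first unescaped comma.
    param([string]$Dn)
    if ($Dn -match '^(?<rdn>(?:\\.|[^\\,])+),(?<parent>.+)$') { return $Matches.rdn, $Matches.parent }
    return $Dn, ''
}

function Invoke-DirSyncPass {
    # One DirSync pass over the partition: returns the new cookie plus every
    # user/group entry changed since $Cookie (every object when $Cookie is $null).
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$BaseDn,
        [byte[]]$Cookie
    )
    $entries = New-Object System.Collections.Generic.List[object]
    do {
        # DirSync must be rooted at the naming context with Subtree scope.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, '(|(objectClass=user)(objectClass=group))', 'Subtree',
            [string[]]@('objectGUID', 'name', 'isDeleted'))
        $req.TimeLimit = [TimeSpan]::FromMinutes(5)
        $ctrl = [System.DirectoryServices.Protocols.DirSyncRequestControl]::new()
        if ($Cookie) { $ctrl.Cookie = $Cookie }
        $ctrl.Option = [System.DirectoryServices.Protocols.DirectorySynchronizationOptions]::None
        $null = $req.Controls.Add($ctrl)

        $resp = $Connection.SendRequest($req)
        $dirSyncResp = $resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.DirSyncResponseControl] }
        foreach ($e in $resp.Entries) { $entries.Add($e) }
        $Cookie = $dirSyncResp.Cookie          # carry the cookie into the next page / next run
    } while ($dirSyncResp.MoreData)
    return [pscustomobject]@{ Cookie = $Cookie; Entries = $entries }
}

# Signed and sealed LDAP session to the DC.
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

# Domain partition DN from RootDSE.
$rootDse  = $conn.SendRequest([System.DirectoryServices.Protocols.SearchRequest]::new(
                $null, '(objectClass=*)', 'Base', [string[]]@('defaultNamingContext')))
$domainNc = [string]$rootDse.Entries[0].Attributes['defaultNamingContext'][0]

# Persisted state: DirSync cookie and the objectGUID -> DN map from the last run.
$state = if (Test-Path $StateFile) { Import-Clixml $StateFile }
         else { [pscustomobject]@{ Cookie = $null; Map = @{} } }

$pass = Invoke-DirSyncPass -Connection $conn -BaseDn $domainNc -Cookie $state.Cookie
foreach ($entry in $pass.Entries) {
    # objectGUID is binary; GetValues([byte[]]) avoids the string coercion of the indexer.
    $guid  = [guid]::new([byte[]]$entry.Attributes['objectGUID'].GetValues([byte[]])[0]).ToString()
    $newDn = $entry.DistinguishedName
    $oldDn = $state.Map[$guid]

    if ($entry.Attributes.Contains('isDeleted')) {
        # Tombstone: the object now sits under CN=Deleted Objects. Report and stop tracking.
        if ($oldDn) { [pscustomobject]@{ Change = 'Deleted'; ObjectGUID = $guid; OldDN = $oldDn; NewDN = $newDn } }
        $state.Map.Remove($guid)
        continue
    }
    # Most returned entries changed some other attribute; only a DN change matters here.
    # -cne keeps case-only renames (e.g. "john smith" -> "John Smith") visible.
    if ($oldDn -and $oldDn -cne $newDn) {
        $oldRdn, $oldParent = Split-Dn $oldDn
        $newRdn, $newParent = Split-Dn $newDn
        $kind = if ($oldParent -ne $newParent -and $oldRdn -cne $newRdn) { 'MoveAndRename' }
                elseif ($oldParent -ne $newParent) { 'Move' }
                else { 'Rename' }
        [pscustomobject]@{ Change = $kind; ObjectGUID = $guid; OldDN = $oldDn; NewDN = $newDn }
    }
    $state.Map[$guid] = $newDn
}

[pscustomobject]@{ Cookie = $pass.Cookie; Map = $state.Map } | Export-Clixml $StateFile
```

The first run only builds the map and emits nothing; every later run (a scheduled task is the natural fit) emits one object per rename, move or deletion, which can be piped to Export-Csv or Write-EventLog. The map is the only source of the old DN, so the state file must be protected like the credentials that produce it. An inter-domain move within the forest is not visible from one partition: the source domain returns a tombstone and the target domain returns what looks like a new object, so run the pass against each domain's naming context and join the two sides on objectGUID, which the move preserves. Separately, on domain controllers running Windows Server 2008 or later the "Audit Directory Service Changes" subcategory logs object moves as event 5139 with the old and new DN once the parent containers' SACLs audit the write, which covers part of what the post asks for without polling.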