Tuesday, December 24, 2013

AD DS Auditing

In Windows Server 2000 and Windows Server 2003, Active Directory audit logs can show you who changed which attributes of which object, but the events do not display the old and new values. For example, the audit log can show that Administrator modified the member attribute of the Domain Admins group, but it cannot show what Administrator changed or what the attribute held after the change. With the new auditing feature introduced in Windows Server 2008, you can log events that show the old and new values.

Before the new feature is applied, only security event 4662 is generated.

Event 4662 shows that Administrator changed the member attribute of the Domain Admins group, but you cannot see the value before or after the change.

After the new AD DS auditing is enabled with:
# auditpol /set /subcategory:"directory service changes" /success:enable

one more event, 5136, is generated for the same change.

Event 5136 shows that it was an add operation on the member attribute and which member was added.

List of some AD DS auditing events:
5136     A directory service object was modified.
5137     A directory service object was created.
5138     A directory service object was undeleted.
5139     A directory service object was moved.
5141     A directory service object was deleted.
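As an added example (not from the original post), the PowerShell function below extracts the fields of a 5136 event from its XML, maps the OperationType code to added/deleted, and flags member changes on privileged groups. It runs offline against a constructed sample event; the list of privileged groups is an assumption.

```powershell
# Added example: parse a 5136 "directory service object was modified" event
# and flag membership changes on privileged groups. Not part of the original
# post; the sample event and the privileged-group pattern are constructed.

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml  = [xml]$EventXml
    $data = @{}
    # Each <Data Name="..."> element carries one field of the event.
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # 5136 reports OperationType as a resource id:
    # %%14674 = value added, %%14675 = value deleted.
    $op = switch ($data['OperationType']) {
        '%%14674' { 'Added' }
        '%%14675' { 'Deleted' }
        default   { $data['OperationType'] }
    }

    [pscustomobject]@{
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectDN  = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']
        Operation = $op
        Value     = $data['AttributeValue']
    }
}

# Constructed sample: Administrator adding a user to Domain Admins.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=contoso,DC=com</Data>
    <Data Name="AttributeLDAPDisplayName">member</Data>
    <Data Name="AttributeValue">CN=jdoe,CN=Users,DC=contoso,DC=com</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

$privilegedGroups = '^CN=(Domain Admins|Enterprise Admins|Administrators),'  # assumption
$change = ConvertFrom-DsChangeEvent $sample
if ($change.Attribute -eq 'member' -and $change.ObjectDN -match $privilegedGroups) {
    Write-Warning "Member $($change.Operation): $($change.Value) in $($change.ObjectDN) by $($change.Actor)"
}
# Live use: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
#   ForEach-Object { ConvertFrom-DsChangeEvent $_.ToXml() }
```

Event 5136 is only written for objects whose SACL audits the change, so the subcategory setting above must be paired with an auditing entry on the groups you care about.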
