G'day viewers, my name is Oren Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the DS Access category of advanced security auditing policies for Windows Server. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Some of these topics are a bit dry, but we attempted to make them so you'd be able to review information about advanced auditing in a more digestible format.

As a Windows Server administrator, you should have a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments. The DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services. These audit events are logged only on domain controllers. This category includes the following policies: Audit Detailed Directory Service Replication, Audit Directory Service Access, Audit Directory Service Changes, and Audit Directory Service Replication.

The Audit Detailed Directory Service Replication policy determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers. This audit subcategory can be useful when you need to diagnose AD DS replication issues. Events in the security log related to this auditing item include: 4928, an Active Directory replica source naming context was established. 4929, an Active Directory replica source naming context was removed. 4930, an Active Directory replica source naming context was modified. 4931, an Active Directory replica destination naming context was modified. 4934, attributes of an Active Directory object were replicated. 4935, replication failure begins. 4936, replication failure ends. 4937, a lingering object was removed from a replica.

Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services object is accessed. Whilst it is generally better to track changes to Active Directory objects through the Audit Directory Service Changes policy, events related to the Audit Directory Service Changes policy do not give you information about failed access attempts. For this reason, Microsoft recommends failure auditing with the Audit Directory Service Access policy so you can track failed access attempts to Active Directory objects. Events in the security log related to this auditing item include: 4662, an operation was performed on an object. 4661, a handle to an object was requested.

The Audit Directory Service Changes policy determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services. Auditing of directory service objects can provide information about the old and new properties of the objects that were changed. Audit events are generated only for objects with configured system access control lists, SACLs, and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. Events in the security log related to this auditing item include: 5136, a directory service object was modified. 5137, a directory service object was created. 5138, a directory service object was undeleted. 5139, a directory service object was moved. 5141, a directory service object was deleted.

The Audit Directory Service Replication policy determines whether the operating system generates audit events when replication between two domain controllers begins and ends. Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Events generated from this policy are mainly used for troubleshooting Active Directory replication. Events in the security log related to this auditing item include: 4932, synchronization of a replica of an Active Directory naming context has begun. 4933, synchronization of a replica of an Active Directory naming context has ended.

This video provided an introduction to Windows Server advanced security DS Access audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture but will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed breach philosophy. I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms slash oren. And if you've got any questions or feedback, drop a comment below.
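
The old and new property values mentioned for the Audit Directory Service Changes policy arrive as separate 5136 records (one "Value Deleted", one "Value Added") that share an OpCorrelationID. The following is an added example, not part of the video or the Microsoft documentation: it pairs those records from exported event XML. The sample events, user names and distinguished names are constructed for illustration, and only the EventData fields the code reads are included.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: Value Added / Value Deleted

def _event(op_id, user, dn, attr, value, op_type):
    """Build one constructed 5136 record with only the fields used below."""
    data = {"OpCorrelationID": op_id, "SubjectUserName": user, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value,
            "OperationType": op_type}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5136</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data, not taken from a real domain controller.
SAMPLE_EVENTS = [
    _event("{op-1}", "helpdesk1", "CN=Jane Doe,OU=Staff,DC=example,DC=test",
           "description", "Temp contractor", DELETED),
    _event("{op-1}", "helpdesk1", "CN=Jane Doe,OU=Staff,DC=example,DC=test",
           "description", "Permanent staff", ADDED),
    _event("{op-2}", "helpdesk1", "CN=svc-backup,OU=Service,DC=example,DC=test",
           "servicePrincipalName", "HOST/backup01.example.test", ADDED),
]

def summarize_changes(xml_events):
    """Group 5136 records by operation, actor, object and attribute,
    returning the old (deleted) and new (added) values for each change."""
    changes = defaultdict(lambda: {"old": [], "new": []})
    for xml_text in xml_events:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
            continue  # ignore other DS Access events such as 4662
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        key = (d["OpCorrelationID"], d["SubjectUserName"],
               d["ObjectDN"], d["AttributeLDAPDisplayName"])
        if d["OperationType"] == DELETED:
            changes[key]["old"].append(d["AttributeValue"])
        elif d["OperationType"] == ADDED:
            changes[key]["new"].append(d["AttributeValue"])
    return [{"operation": k[0], "user": k[1], "object": k[2], "attribute": k[3],
             "old": v["old"], "new": v["new"]} for k, v in changes.items()]

if __name__ == "__main__":
    for change in summarize_changes(SAMPLE_EVENTS):
        print(change)
```

A change with an empty "old" list, such as the constructed servicePrincipalName entry, is a value that was added where none existed before.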