Active Directory: additional auditing
Additional auditing can be enabled on the domain controllers by going to:
Local Security Policy -> Advanced Audit Policy -> Account Management
then enabling:
Audit User Account Management (for successes)
Audit Security Group Management (for successes)
These events will be listed in the Windows Security log.
Source:
http://whatevernetworks.com/?p=21
Update 12/6/2013:
Some other useful audit policies to enable on domain controllers are:
Kerberos Authentication Service – success/failure
Account Lockout – success
Logoff – success
Logon – success/failure
Special Logon – success
These have to be set on each domain controller individually unless they are set in the Default Domain Controllers Policy.
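
To confirm that a given domain controller actually has the settings listed above, the effective policy can be read back with auditpol.exe. The script below is an added example, not part of the original post: it reports each subcategory's effective setting and only changes anything when run with the hypothetical -Apply switch. It assumes an elevated session on the domain controller and an English-language OS, since auditpol subcategory names are localized.

```powershell
# Added example: check (and optionally set) the audit subcategories listed on this page.
# Run in an elevated PowerShell session on a domain controller.
# Assumption: English-language OS (auditpol subcategory names are localized).
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# Subcategory name as auditpol knows it -> settings the page recommends
$wanted = [ordered]@{
    'User Account Management'         = @('Success')
    'Security Group Management'       = @('Success')
    'Kerberos Authentication Service' = @('Success', 'Failure')
    'Account Lockout'                 = @('Success')
    'Logoff'                          = @('Success')
    'Logon'                           = @('Success', 'Failure')
    'Special Logon'                   = @('Success')
}

function Get-AuditSetting([string]$Subcategory) {
    # /r prints CSV; drop blank lines before parsing
    $csv = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -match '\S' }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

$report = foreach ($name in $wanted.Keys) {
    $need = $wanted[$name]
    if ($Apply) {
        # Only enable what the page lists; existing settings are not disabled
        $auditArgs = @('/set', "/subcategory:$name")
        if ($need -contains 'Success') { $auditArgs += '/success:enable' }
        if ($need -contains 'Failure') { $auditArgs += '/failure:enable' }
        auditpol @auditArgs | Out-Null
    }
    $current = Get-AuditSetting $name
    # "Success and Failure" satisfies either requirement; "No Auditing" satisfies none
    $missing = $need | Where-Object { $current -notmatch $_ }
    [pscustomobject]@{
        Subcategory = $name
        Required    = $need -join ' and '
        Effective   = $current
        Compliant   = -not $missing
    }
}
$report | Format-Table -AutoSize
```

Settings applied with -Apply are local to the domain controller the script runs on, so it has to be run on each one unless the policy is delivered through the Default Domain Controllers Policy instead.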