As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes.
First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagation of the SACL from the parent, and force propagation to the subtree.
Next, you'll need to enable DS Access auditing in the Default Domain Controllers Policy.
To find schema change events in the log, look for security event 565 or 566, with an object name that contains "CN=Schema".
It's that easy!
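As an added example that is not part of the original post, here is a small Python filter that applies the last step to an exported security log: it keeps only events 565 and 566 whose Object Name sits under the CN=Schema container. The export format (EventID|Timestamp|Description) and the sample records are constructed for the example; it matches the CN=Schema RDN exactly rather than as a bare substring, so a write to the Schema Admins group object is not mistaken for a schema change.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Event IDs the post says to look for (Windows 2000/2003 DS Access auditing).
SCHEMA_EVENT_IDS = {565, 566}

# Match the schema container RDN as a whole component (DNs are case-insensitive),
# so "CN=Schema Admins,CN=Users,..." is not reported as a schema object.
SCHEMA_RDN = re.compile(r"(?:^|,)\s*CN=Schema\s*(?:,|$)", re.IGNORECASE)
OBJECT_NAME = re.compile(r"Object Name:\s*(?P<dn>[^\t;]+)")

@dataclass
class SchemaChangeHit:
    event_id: int
    timestamp: str
    object_name: str

def parse_record(line: str) -> Optional[Tuple[int, str, str]]:
    """Parse one exported record 'EventID|Timestamp|Description'; None if malformed."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3 or not parts[0].strip().isdigit():
        return None
    return int(parts[0]), parts[1].strip(), parts[2]

def find_schema_changes(lines: Iterable[str]) -> List[SchemaChangeHit]:
    """Return the 565/566 events whose Object Name lies under CN=Schema."""
    hits: List[SchemaChangeHit] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # skip lines that are not records
        event_id, ts, desc = rec
        if event_id not in SCHEMA_EVENT_IDS:
            continue                      # not a DS Access object event
        m = OBJECT_NAME.search(desc)
        if m and SCHEMA_RDN.search(m.group("dn").strip()):
            hits.append(SchemaChangeHit(event_id, ts, m.group("dn").strip()))
    return hits

# Constructed sample export (made-up records, not real log output).
SAMPLE_EXPORT = """\
565|2004-03-01 10:01:12|Object Open; Object Type: attributeSchema; Object Name: CN=Employee-ID,CN=Schema,CN=Configuration,DC=example,DC=com; Accesses: Write Property
566|2004-03-01 10:01:13|Object Operation; Object Type: classSchema; Object Name: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com; Accesses: Write Property
565|2004-03-01 10:02:40|Object Open; Object Type: group; Object Name: CN=Schema Admins,CN=Users,DC=example,DC=com; Accesses: Write Property
566|2004-03-01 10:03:05|Object Operation; Object Type: site; Object Name: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com; Accesses: Write Property
528|2004-03-01 10:04:00|Successful Logon; User Name: alice; Logon Type: 2
this line is not a valid record
"""

if __name__ == "__main__":
    for hit in find_schema_changes(SAMPLE_EXPORT.splitlines()):
        print(f"{hit.timestamp}  event {hit.event_id}  {hit.object_name}")
```

Only the first two sample records are reported; the Schema Admins write, the site change and the logon are filtered out.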
The definitive reference for how to set up auditing in Active Directory, written by my friend & co-worker Arun, is in the following white papers:
Windows 2000 paper: http://www.microsoft.com/windows2000/technologies/directory/AD/AD_SecurityPt1.asp
Windows 2003 paper: http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx
The SACLs described in the 2003 white paper are the defaults for new AD installations (where your AD started on a Windows Server 2003 machine). They are much less noisy than the Windows 2000 SACLs, and are specifically targeted at recording Active Directory configuration changes.