Auditing for ADAM and AD LDS
Linda Taylor’s One stop Audit shop for ADAM and ADLDS is the go-to reference for auditing in ADAM and AD LDS. When you read Linda’s post you will see mention of the SeSecurityPrivilege right required to manipulate SACLs.
As Linda points out, AD LDS native principals cannot hold Windows rights, so a Windows principal is needed to adjust SACLs in AD LDS.
SeSecurityPrivilege is a bit confusing, partly because it gets referred to by different names:
ACCESS_SYSTEM_SECURITY, SE_SECURITY_NAME, SeSecurityPrivilege, “Manage auditing and security log”
The bookmark I have for recalling these is here, which largely covers the SACL-access aspect of this right. One thing to note is that the access right is not valid in a DACL, as DACLs do not control access to a SACL. This can be confusing, and that confusion led to the transitory appearance of the right in the ACE editor in ldp.exe in one release.
I think the policy name “Manage auditing and security log” can be confusing. Here’s a case in point: if the SeSecurityPrivilege right is not available to the Exchange Enterprise Servers group, problems arise. However, if you look at the Exchange “Understanding and Troubleshooting Directory Access” documentation, it states in respect of event 2080:
“DSAccess does not use a server if it does not have permission to read the SACL on the nTSecurityDescriptor attribute for the configuration naming
This has nothing to do with event log management (which the right is also required for). The snippet from the guide above explains why the right is required in this case, but not why that specific check is needed in domain controller selection by Exchange.
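The DSAccess check quoted above, and the point that only a Windows principal can hold the right, can be verified from a client: the following is an added PowerShell example (not code from the original post or from Exchange) that binds to an AD LDS instance as the calling Windows user and reports whether the SACL of an object comes back. The host, port and DN are placeholders; the Test-SaclReadable function name is my own.

```powershell
# Added example: does the current Windows principal get the SACL back when it
# asks an AD LDS instance for nTSecurityDescriptor? This is the read that
# SeSecurityPrivilege on the AD LDS host gates. Server and DN are placeholders.
param(
    [string]$Server = 'adlds-host.example.com:50000',           # assumed instance
    [string]$Dn     = 'CN=Configuration,CN={GUID-PLACEHOLDER}'  # assumed config NC DN
)
Add-Type -AssemblyName System.DirectoryServices

function Test-SaclReadable {
    param([string]$Server, [string]$Dn)
    $result = [pscustomobject]@{ Object = $Dn; SaclReadable = $false; AuditAces = 0; Error = $null }
    try {
        # Bind with Windows integrated auth: AD LDS native principals cannot
        # hold SeSecurityPrivilege, so the caller must be a Windows principal.
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$Dn", $null, $null,
            [System.DirectoryServices.AuthenticationTypes]::Secure)
        # Request only the SACL part of the descriptor (LDAP SD flags control).
        $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
        $entry.RefreshCache(@('nTSecurityDescriptor'))
        $bytes = $entry.ObjectSecurity.GetSecurityDescriptorBinaryForm()
        $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        # A caller without the privilege gets the descriptor with the SACL
        # omitted (or an access error, caught below), so SE_SACL_PRESENT is the
        # signal that the read actually succeeded.
        $present = ($raw.ControlFlags -band
                    [System.Security.AccessControl.ControlFlags]::SystemAclPresent) -ne 0
        $result.SaclReadable = $present
        if ($present -and $raw.SystemAcl) { $result.AuditAces = $raw.SystemAcl.Count }
    } catch {
        $result.Error = $_.Exception.Message
    }
    return $result
}

$r = Test-SaclReadable -Server $Server -Dn $Dn
$r | Format-List
if (-not $r.SaclReadable) {
    $hostName = $Server.Split(':')[0]
    Write-Warning ("SACL not returned for {0}: check that {1}\{2} holds 'Manage auditing " +
                   "and security log' (SeSecurityPrivilege) on {3}" -f
                   $Dn, $env:USERDOMAIN, $env:USERNAME, $hostName)
}
```

Run it once as an account that holds the right on the AD LDS host and once as one that does not; the difference in SaclReadable is the same condition DSAccess tests when it decides whether to use a server.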