This Windows Server 2003 behavior corrects the behavior in Microsoft Windows 2000 Server. In Windows 2000, you can set the
Delete All Child Objects auditing entry without setting the
Delete auditing entry. However, when an object is deleted, the event log entry does not specify which object was deleted. The event log states only that an object had been deleted from a specific container.
In Windows Server 2003, if you set the
Delete auditing entry and the
Delete All Child Objects auditing entry, and then you delete an audit child object, the event log specifies which object has been deleted and the container that the object was deleted from.
For additional information about auditing Active Directory objects, click the following article number to view the article in the Microsoft Knowledge Base:
814595
HOW TO: Audit Active Directory objects in Windows Server 2003