Active Directory Change Tracker

Version 1.1
Last Updated: May 15, 2012

Pros & cons of Active Directory auditing

- Active Directory audit events are stored in the Security event logs on domain controllers. The number of events generated depends on the number of audited objects and the SACLs set on those objects. Event logs grow very quickly over time and require constant cleanup and backup. Event log data is not replicated across domain controllers, so event log data must be gathered from all the domain controllers in order to archive all the audited events in one place. Enabling auditing always produces some load on the domain controllers, so auditing must be restricted to the most critical and essential objects in your Active Directory. However, auditing critical objects does give you the benefit of accurate and detailed data in real time (who accessed what and when).

- If auditing is carefully done on select objects for Access as well as Changes, it can be really useful for tracking down security issues in your Active Directory. But gathering this data from all the domain controllers will require additional tools. If you enable auditing, you must be clear on what to audit, keeping in mind the security needs of your organization. You must not use auditing as a means to track down all accesses and changes to your Active Directory. Otherwise, you will end up with plenty of noise in your Security event logs, and your logs will grow very quickly. This also places a significant load on your domain controllers, thereby affecting performance. Restricting your log size may help, but will require constant backup of your logs to prevent loss of data.
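
Because Security logs are not replicated, a complete picture means querying every domain controller and merging the results. The script below is an added example, not part of the original page or of the product it describes. It assumes the ActiveDirectory RSAT module, the "Audit Directory Service Changes" subcategory enabled, and event ID 5136 (directory object modified), which the page itself does not name; the one-day window and the output file name are also assumptions.

```powershell
# Added example: merge directory-change audit events from all DCs into one CSV.
# Assumes SACLs are already set on the objects of interest and that the
# account running this can read the Security log on each domain controller.
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-1)   # look-back window (assumed value)
$filter = @{ LogName = 'Security'; Id = 5136; StartTime = $since }

$changes = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName `
                               -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when nothing matches or the DC is unreachable;
        # record it and move on so one DC does not abort the whole sweep.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Event 5136 exposes its fields as named <Data> elements in the XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc.HostName
            Who         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ObjectDN    = $data.ObjectDN
            Attribute   = $data.AttributeLDAPDisplayName
            Value       = $data.AttributeValue
            Operation   = $data.OperationType  # %%14674 = added, %%14675 = deleted
        }
    }
}

# One time-ordered archive covering every domain controller.
$changes | Sort-Object TimeCreated |
    Export-Csv -Path .\ad-changes.csv -NoTypeInformation
```

A modification normally appears as a "deleted" record carrying the old value followed by an "added" record carrying the new one, so the two rows should be read as a pair.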

Active Directory Change Tracker tracks all changes to your AD without depending on the native audit capabilities of AD. You will need native auditing only if you need to find out who made the change and the most accurate time the change happened. You can combine native auditing with Active Directory Change Tracker to report this information and keep it archived in the tool’s Change History database.

In a nutshell, enable AD auditing for critical changes in your AD and use Active Directory Change Tracker to scan the Security event logs on all your domain controllers to extract detailed information on each change made, including who made the change along with the most accurate time of change. If you are interested only in tracking what changed, along with the new and old values, then you don’t have to enable AD auditing. You can simply rely on Active Directory Change Tracker to track all your changes.