Re: Alerting deletion of SAM
From: Dmitry Korolyov (d__k_at_nospamformorons.mail.ru)
Date: 07/13/03
Date: Sun, 13 Jul 2003 04:25:40 +0400
Will do. Don't think that auditing will work, though - since deletion will happen when no auditing is in effect, and newly created SAM will have no auditing set in SACL...
--
Dmitry Korolyov
d__k@nospamformorons.mail.ru
To e-mail me, remove "nospamformorons"
from the address.
"Steven Umbach [MVP]" <n9rou@comcast.com> wrote in message news:eD1Qa.44276$GL4.11835@rwcrnsc53...
Possibly if sam file has auditing enabled on it something will show up - not sure, or some other method to detect that creation date has changed. I will have to play around with that one. Let us know if you figure out a good way. --- Steve
"Dmitry Korolyov" <d__k@nospamformorons.mail.ru> wrote in message news:u$2y0oMSDHA.1552@TK2MSFTNGP10.phx.gbl...
Thanks for reply, Steve.
We are talking about a situation where sam deletion happens on a regular workstation (no services dependent on local accounts) while it is offline, using CIA commander disk or something like this. When system boots up and finds SAM missing, sure it could record this event somewhere, so I was wondering if there's a way to catch it and throw to central management console (using MOM for example).
--
Dmitry Korolyov
d__k@nospamformorons.mail.ru
To e-mail me, remove "nospamformorons"
from the address.
"Steven Umbach [MVP]" <n9rou@comcast.com> wrote in message news:Jm0Qa.47303$H17.14513@sccrnsc02...
I do not believe that it will be recorded in Event Viewer - it cannot be deleted/renamed while the operating system is running. It would become very obvious when no one can access the computer since resetting the same deletes all non-default accounts and groups. If any service relied on a created account to start, then it would fail and be recorded in the Event Viewer. --- Steve
"Dmitry Korolyov" <d__k@nospamformorons.mail.ru> wrote in message news:umpazUMSDHA.2852@tk2msftngp13.phx.gbl...
We all know about deleting SAM database to reset local admin account. After reboot SAM gets rebuilt and local admin password is blank.
So, is there a way to set the system to raise an alert (into event log, for example) when SAM database gets reset?
--
Dmitry Korolyov
d__k@nospamformorons.mail.ru
To e-mail me, remove "nospamformorons"
from the address.