Re: Audit domain admins

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/23/04


Date: Tue, 23 Nov 2004 21:27:05 GMT

I don't know of a way to audit everything. For instance I don't know of a
good way to audit who changed a Group Policy user configuration setting but
you can audit a lot. On Domain Controller Security Policy enable auditing of
account management, policy change, and system events which will record
events for when a user creates/manages users [including password reset] or
groups, when a user changes audit policy or user rights assignments, or when
certain system events occur. The events would be recorded in the security
logs of the domain controllers and you would have to check each domain
controller which can easily be done with the free Event Comb tool from
Microsoft. The link below contains much more detail including explanation of
common events recorded in the security log. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

"Misaro" <anonymous@discussions.microsoft.com> wrote in message
news:8bbf01c4d19c$650cfd70$a601280a@phx.gbl...
> Hi,
>
> I need to audit or verify every change that any user with
> domain admin rights does in the Domain Controller.
>
> For instance: User Beth, she removed domain admin rights
> from another user who had them. For that reason the user had
> several problems working on a project. So the point is how
> may I know that she did it? 'Cos at the same time she has
> full rights? How to audit that, or any software to check
> and keep a log about what changes or movements all
> domain admin users make!!
>
> Thanks, any comments!!!
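
The check described in the reply (account management auditing enabled, then reading the security log of every domain controller), as an added example that is not part of the original thread: it uses PowerShell's Get-WinEvent in place of Event Comb to list who added or removed members of security groups. It assumes the ActiveDirectory RSAT module, read access to each DC's Security log, and the Windows Server 2008 and later event IDs (Server 2003 and earlier log the same events as 632/633, 636/637 and 660/661); the 7-day window is a constructed value.

```powershell
# Added example. Assumes: Windows Server 2008 or later event IDs, the
# ActiveDirectory RSAT module, and rights to read each DC's Security log.
Import-Module ActiveDirectory

# Security-group membership changes recorded by "Audit account management".
$ids = @{
    4728 = 'added to global group';    4729 = 'removed from global group'
    4732 = 'added to local group';     4733 = 'removed from local group'
    4756 = 'added to universal group'; 4757 = 'removed from universal group'
}
$since = (Get-Date).AddDays(-7)   # look-back window (constructed value)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # The change is logged only on the DC that processed it, so ask each one.
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; an unreachable DC
        # lands here as well, so report it instead of silently skipping it.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Named fields live in the event XML, not in the rendered message.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = $ids[$e.Id]
            Group     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Member    = $d.MemberName
            MemberSid = $d.MemberSid
            ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
}

# One merged timeline across all domain controllers.
$results | Sort-Object Time | Format-Table -AutoSize
```

A row with Group ending in "Domain Admins" and Action "removed from global group" names the account that made the change in ChangedBy.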


